Re: [kitten] Review of draft-ietf-kitten-channel-bound-flag-04
Sam Hartman <hartmans@mit.edu> Mon, 18 February 2019 21:39 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 011BB13104B for <kitten@ietfa.amsl.com>; Mon, 18 Feb 2019 13:39:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.253
X-Spam-Level:
X-Spam-Status: No, score=-0.253 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RDNS_DYNAMIC=0.982, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f7e91fp2KF7q for <kitten@ietfa.amsl.com>; Mon, 18 Feb 2019 13:39:15 -0800 (PST)
Received: from mail.suchdamage.org (ec2-52-9-186-167.us-west-1.compute.amazonaws.com [52.9.186.167]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0E28131051 for <kitten@ietf.org>; Mon, 18 Feb 2019 13:39:14 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.suchdamage.org (Postfix) with ESMTP id 3C3422BCF5; Mon, 18 Feb 2019 16:39:14 -0500 (EST)
Received: from mail.suchdamage.org ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jC623K0G6zaa; Mon, 18 Feb 2019 16:39:13 -0500 (EST)
Received: from carter-zimmerman.suchdamage.org (c-24-91-242-186.hsd1.ma.comcast.net [24.91.242.186]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) (Authenticated sender: hartmans-laptop) by mail.suchdamage.org (Postfix) with ESMTPSA; Mon, 18 Feb 2019 16:39:13 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 4A9CFC0944; Mon, 18 Feb 2019 16:39:12 -0500 (EST)
From: Sam Hartman <hartmans@mit.edu>
To: Sam Hartman <hartmans-ietf@mit.edu>
Cc: kitten@ietf.org
References: <tslbm38vl8h.fsf@suchdamage.org>
Date: Mon, 18 Feb 2019 16:39:12 -0500
In-Reply-To: <tslbm38vl8h.fsf@suchdamage.org> (Sam Hartman's message of "Mon, 18 Feb 2019 16:29:34 -0500")
Message-ID: <tslva1gu67z.fsf@suchdamage.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/UOMiUSi_NCCUYjQiNLCq3mYvRWY>
Subject: Re: [kitten] Review of draft-ietf-kitten-channel-bound-flag-04
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2019 21:39:17 -0000
>>>>> "Sam" == Sam Hartman <hartmans-ietf@mit.edu> writes: nnel >> bindings to GSS_Accept_sec_context(), and b) not indicated >> support for the ret_channel_bound_flag flag, then the mechanism >> MUST fail to establish a security context if the initiator did >> not provide channel bindings data. This requirement is critical >> for security purposes, to make applications predating this >> document secure, and this requirement reflects actual >> implementations as deployed. Sam> Actually, this behavior is inconsistent with RFC 7055 section Sam> 5.6.2 and with the Moonshot implementation of the ABFAB GSS-API Sam> mechanism. In that mechanism, if the initiator provides null Sam> channel bindings, the acceptor channel bindings are always Sam> ignored. I'm not seeing the security issue here. If you are Sam> using channel bindings as a MITM defense rather than as an Sam> additional layer of security, you need to do something like Sam> SASL does and have a plus and minus varient of your protocol Sam> and always pass in channel bindings. Sam> There's also what I think is a real operational issue here. Sam> You may not be able to know what your channel bindings are on Sam> an acceptor. Depending on whether you are behind a TLS Sam> accelerator, reverse proxy or the like, it may affect your Sam> ability to know your channel bindings. I meant to go back and revise my review before sending. I think it's something worth fixing that Kerberos and ABFAB have inconsistent behavior here, and I do think it's worth standardizing. I think we're in a good position. If we were to decide to relax the behavior we'd be changing Kerberos in a manner where all authentications that succeed today would continue to succeed. Kerberos is much much much more widely deployed than ABFAB. If we were to decide to make the behavior as strict as described in this draft, then we'd be potentially breaking valid uses of ABFAB, but I think the ABFAB deployment is small enough that it is reasonable to do that. However, I think that the decision as to what to do should be based on analysis of applications where one side uses channel bindings and the other does not. Since I'm not actually aware of any significant applications that do that, I'll hold off until my previous question on that issue is answered before forming my opinion on the correct behavior.
- Re: [kitten] Review of draft-ietf-kitten-channel-… Sam Hartman
- [kitten] Review of draft-ietf-kitten-channel-boun… Sam Hartman
- Re: [kitten] Review of draft-ietf-kitten-channel-… Luke Howard
- Re: [kitten] Review of draft-ietf-kitten-channel-… Greg Hudson
- Re: [kitten] Review of draft-ietf-kitten-channel-… Sam Hartman
- Re: [kitten] Review of draft-ietf-kitten-channel-… Martin Rex
- Re: [kitten] Review of draft-ietf-kitten-channel-… Greg Hudson
- Re: [kitten] Review of draft-ietf-kitten-channel-… Nico Williams
- Re: [kitten] Review of draft-ietf-kitten-channel-… Nico Williams
- Re: [kitten] Review of draft-ietf-kitten-channel-… Greg Hudson
- Re: [kitten] Review of draft-ietf-kitten-channel-… Sam Hartman