Re: review of draft-wierenga-ietf-sasl-saml-00

Martin Rex <> Thu, 27 May 2010 18:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9BCE03A6B89 for <>; Thu, 27 May 2010 11:00:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.574
X-Spam-Status: No, score=-7.574 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_50=0.001, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id g2NB0kmsQ-c6 for <>; Thu, 27 May 2010 11:00:53 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 87BF53A697B for <>; Thu, 27 May 2010 11:00:53 -0700 (PDT)
Received: from by (26) with ESMTP id o4RI0Bcm022005 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 27 May 2010 20:00:11 +0200 (MEST)
From: Martin Rex <>
Message-Id: <>
Subject: Re: review of draft-wierenga-ietf-sasl-saml-00
Date: Thu, 27 May 2010 20:00:09 +0200
In-Reply-To: <> from "Klaas Wierenga" at May 27, 10 05:19:16 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 27 May 2010 18:00:54 -0000

Klaas Wierenga wrote:
> On 5/26/10 8:28 PM, Sam Hartman wrote:
> > 
> > 1) The IDP MUST verify that channel binding data is asserted by the
> > expected RP and has been modified by no other party
> >
> > 2) The client MUST verify that the channel binding data corresponds to
> > the channel that is in use.
> >
> > Those two are enough that the user will learn through the web browser if
> > the connection is under attack.  However, the that's not enough to
> > defend against a server that fakes successful authentication or to learn
> > at the SASL protocol level about a channel binding failure.
> Just to understand, what does channel binding buy you if you still can 
> not prevent the MiTM?

That is a misunderstanding.  (Cryptographic) channel bindings reliably
protects you from MitM attacks.  But it can not protect you from
an attacker that can successfully impersonate a "trusted" server,
and neither from an inappropriately trusted "rogue" server.

Successfully impersonating a "trusted" server does not necessarily
require a full compromise of that server.  Being able to pass those
few superficial checks that the client performs in order to verify
the authentication of a server is perfectly sufficient -- and is
usually much easier than breaking into the real server in order to get
hold of its credentials.  Think of PKI, X.509 certs, server endpoint
identification similar to HTTP over TLS (rfc2818) and the problem
of lots of software dealing with embedded NUL chars in names,
or the problem of huge amounts of interchangeably-trusted root CAs.