IETF Logo Mail Archive

Re: [kitten] comments on draft-ietf-kitten-sasl-saml-ec

Jeffrey Hutzelman <jhutz@cmu.edu> Tue, 11 March 2014 20:54 UTC

Return-Path: <jhutz@cmu.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2ECE1A07DB for <kitten@ietfa.amsl.com>; Tue, 11 Mar 2014 13:54:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level:
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n6o-b5H0WAsW for <kitten@ietfa.amsl.com>; Tue, 11 Mar 2014 13:54:27 -0700 (PDT)
Received: from smtp03.srv.cs.cmu.edu (smtp03.srv.cs.cmu.edu [128.2.217.202]) by ietfa.amsl.com (Postfix) with ESMTP id 416E01A072C for <kitten@ietf.org>; Tue, 11 Mar 2014 13:54:27 -0700 (PDT)
Received: from [128.2.193.239] (minbar.fac.cs.cmu.edu [128.2.193.239]) (authenticated bits=0) by smtp03.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id s2BKsJ8Z009823 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Tue, 11 Mar 2014 16:54:19 -0400 (EDT)
Message-ID: <1394571259.25748.22.camel@minbar.fac.cs.cmu.edu>
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: "Cantor, Scott" <cantor.2@osu.edu>
Date: Tue, 11 Mar 2014 16:54:19 -0400
In-Reply-To: <CF439102.4B49C%cantor.2@osu.edu>
References: <tsllhwhq46t.fsf@mit.edu> <CF439102.4B49C%cantor.2@osu.edu>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.2.3-0ubuntu6
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
X-Scanned-By: mimedefang-cmuscs on 128.2.217.202
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/cZjBJDnMQCuEwbSm0Ioy56SeX6U
Cc: "kitten@ietf.org" <kitten@ietf.org>, Sam Hartman <hartmans-ietf@mit.edu>, jhutz@cmu.edu
Subject: Re: [kitten] comments on draft-ietf-kitten-sasl-saml-ec
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Mar 2014 20:54:30 -0000

On Mon, 2014-03-10 at 20:27 +0000, Cantor, Scott wrote:

> [snip of TLS text]
> >This text places normative requirements on applications using this
> >mechanism.
> >That's not reasonable because applications may have no knowledge of this
> >mechanism.
> >What happens if these checks are not performed?
> 
> That text came from some iteration of the original wording borrowed from
> the SAML/OpenID mechanisms, and was basically adapted. Isn't that same
> text, or a variant, essentially what Simon is adding to GS2?
> 
> All this is saying is that if the mechanism doesn't signal mutual
> authentication to the initiator, then obviously it's up to the
> application. What else can you do?


That text was used in the SAML and OpenID mechanisms to attempt to
handwave around the need for a mechanism that _claims_ to have done
mutual authentication to actually _do_ mutual authentication.

Basically, what those mechanisms did was say "we're going to assert
mutual_state, but we don't actually do anything to verify the acceptor's
identity, so the application had better have done that even though we
claim to have done it".  They did that because GS2 as written fails on
mechs that don't assert mutual_state.

That's not an acceptable way for a GSS-API mechanism to behave.  It's
essentially trying to reach up through the abstraction boundary and
impose new requirements on the application depending on what mechanism
is used, and the API doesn't allow for that.



It's not necessary for a mechanism to say "if we didn't assert
mutual_state, then we didn't do mutual auth, and if the app cares, then
it had better do something about it".  That is a property of the
abstraction and is true for _every_ mechanism.



For the SAML and OpenID mechanisms, if the application does not perform
the checks in question, then badness ensues, because the application
sees mutual_state and assumes the acceptor has been authenticated, when
it really has not.  If _this_ mechanism only asserts mutual_state when
it has actually authenticated the acceptor (if ever), _and_ it doesn't
depend for its security on the application having already verified the
server's identity (as, for example, SASL PLAIN does), then there is no
problem.




> >Section 5.1 seems applicable to SASL as well.
> 
> Similar question as above; is there normative machinery that can be used
> in SASL to regulate and signal it? I didn't think so.

SASL unfortunately doesn't have a well-defined abstraction.  Not all
SASL mechanisms provide mutual authentication (for example, PLAIN does
not), and the base spec doesn't really talk about it.  Over time, I
think the community mostly accepted that the usual case was to run a
SASL application over TLS, relying on TLS to authenticate the server and
using SASL to authenticate the client.

However, we have introduced the notion of channel bindings.  It's only
safe for an application to rely on CB if mutual authentication has
happened.  This is why GS2 required mutual auth, and why a new version
of GS2 which relaxes this requirement must be careful to specify that
-PLUS mechanisms must not be advertised unless mutual auth is possible,
and must not succeed if mutual auth does not happen.

So no, in the abstract, there's not really any machinery in SASL to
signal whether mutual auth happened, except for the implied indication
when channel bindings are in use.



> >Section 5.3.  I note that this is the first time I'm aware of where
> >RFC 3961 enctypes' names are used in a protocol.  I'd like explicit
> >review of this from the Kerberos community.  Everything we have so far
> >uses numbers.
> 
> Ok, will await decision. I don't care for numbers in a text-based
> protocol, but if the strings aren't formalized, that's appropriate. I
> think I did look at the registry though and came to the conclusion they
> were.

The names of enctypes have never been protocol constants.  There have
frequently been inconsistencies in the spelling and punctuation of these
names.  There has also been confusion at various points as to what
particular names meant.  There is no formal definition of the syntax of
an enctype name, because they are never used in a case where that
matters.  Also, I think it is unwise to expect libraries which implement
RFC3961 to provide interfaces to look up enctypes by name, and
impractical and counterproductive for a mechanism implementation to
maintain a private table.

Please use the numbers; that's the namespace we've actually
standardized.



> >Section 5.4: RFc 4121 has multiple keys it can use: the session key, the
> >subsession key, and the acceptor subsession key.
> >The text in 5.4 is insufficiently detailed for interoperability.
> 
> I'd need feedback on that, I don't have the background (and it was more or
> less copied, again, from some other work).

A typical behavior would be to prefer an acceptor subkey if one was
sent, followed by an initiator subkey if one was sent, followed by the
Kerberos ticket session key.  However, this can get a bit complicated,
because an initiator does not know whether the acceptor sent a subkey
until it processes the acceptor's AP_REP.  That means you either need to
avoid the initiator having to choose until it has seen that message, or
having some way to know which key to use when.  Doing the first is not
bad, but can result in extra round trips depending on what you're doing.


-- Jeff

v2.23.0 | Report a Bug | By Email