Re: [kitten] Review of draft-ietf-kitten-channel-bound-flag
Dave Cridland <dave@cridland.net> Fri, 15 February 2019 21:47 UTC
Return-Path: <dave@cridland.net>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94DA71310F6 for <kitten@ietfa.amsl.com>; Fri, 15 Feb 2019 13:47:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cridland.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NHXuFcIY3aLA for <kitten@ietfa.amsl.com>; Fri, 15 Feb 2019 13:47:25 -0800 (PST)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFD581310E6 for <kitten@ietf.org>; Fri, 15 Feb 2019 13:47:24 -0800 (PST)
Received: by mail-lf1-x12b.google.com with SMTP id u21so8281791lfu.1 for <kitten@ietf.org>; Fri, 15 Feb 2019 13:47:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cridland.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5W+s9LSXQD4VxkHvLErWtUXjAKVg5O9IGG95QkShyxw=; b=OwDbhUua1EskyQITuhIo7W9+aE92SCEoLuzENuUT4DWfVQkoYOIvAKst6h4SC90QEA E2h/JOxmNSNGKn7MbSrFJk+2EZ1iKLRMptoceT5x51wKV0dpAiY7WC9HcoblbJNY8q+0 FTesNpgsHKCAOL/FLjHWiruef6Q3IicG2fyHk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5W+s9LSXQD4VxkHvLErWtUXjAKVg5O9IGG95QkShyxw=; b=SzSvwij4M9tjQ/AHzVk8tVKsIpF9HTiEhmR9/hOYQ2Xsf0NBNdjhzVmQK1SP9hKdUp JZITpmzzARiiVVEmMr8ZHQYFDJr7ej2GVIy8LTDP7BexY1PUgGyukvmOulhz6vbKSYga EWgLM57jpcQU4UROsZN4hc9UkgR1k+y8E/pTZb3fJucakOkgoJR850VERfvwxPC2lkhC MNqFXHhfMN0TLKAmkOiCUHeJNbFFud4IvPUIf01/iFioO1bxOGXTZOmESETHAooHfK6R bISUDbBaO717BTNCtmu+2cn/kgUrZcqdEVzryYdyeOGWz0HjSNf/P/4k7qlfsiPTVIPp tgKg==
X-Gm-Message-State: AHQUAuYupTaWYTw5h26f/B9hhRAXcHBrQ8He5Q+IeQ7uclkp+vmU5DOi yNY/p4eErehaN+5zxgWasVQbZDwyFMMNX8f82EZJFQ==
X-Google-Smtp-Source: AHgI3IbcE81fruQoG8FYnNk1YPjA2D+LAOjbufztZo5Ukgf7BL0LkR/Qvfgsuou9XLsgD8bmn2hYudkCJGlWDza7sHM=
X-Received: by 2002:ac2:54a5:: with SMTP id w5mr7189244lfk.147.1550267242788; Fri, 15 Feb 2019 13:47:22 -0800 (PST)
MIME-Version: 1.0
References: <CAKHUCzyjxJW3NHXb_2o2FQ_Efe5p1kY4wBMCvqmZmFWgE-hJaQ@mail.gmail.com> <jlg36oosuwu.fsf@redhat.com>
In-Reply-To: <jlg36oosuwu.fsf@redhat.com>
From: Dave Cridland <dave@cridland.net>
Date: Fri, 15 Feb 2019 21:47:12 +0000
Message-ID: <CAKHUCzw+VRTHWaA+saSYA05HcF0J_fh67FFDXsXQ7wpHMhoB8Q@mail.gmail.com>
To: Robbie Harwood <rharwood@redhat.com>
Cc: kitten@ietf.org, Nico Williams <nico@cryptonector.com>
Content-Type: multipart/alternative; boundary="000000000000506adc0581f5b810"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/eQX3JOmflCMYYa2SbAN964bHe9Y>
Subject: Re: [kitten] Review of draft-ietf-kitten-channel-bound-flag
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 21:47:29 -0000
On Fri, 15 Feb 2019 at 19:39, Robbie Harwood <rharwood@redhat.com> wrote: > Dave Cridland <dave@cridland.net> writes: > > > Hi all, > > > > Robbie asked me to look over the aforementioned draft, and so I did, > > and sent him the notes below. You'll be able to readily tell that I > > don't know GSS-API from a bar of soap, but I hope they're useful > > nonetheless. > > Thanks Dave! > > > a) General comment - I'm a native English speaker, and I find parsing > > the double-negative "not when the initiator provides none" incredibly > > hard. Is this necessary phrasing, or could this be changed to be a bit > > more readable? > > > > For example, at the beginning of page 2: > > > > However, GSS-APIv2u1 [RFC2743 > > <https://tools.ietf.org/html/rfc2743>] does not specify channel > > binding > > behavior when only one party provides provides none.In practice, > > some mechanisms (such as Kerberos [RFC4121 > > <https://tools.ietf.org/html/rfc4121>]) ignore channel bindings > > when the acceptor provides none, but not when the initiator provides > > none. Note that it would be useless to allow security context > > establishment to succeed when the initiator does not provide channel > > bindings but the acceptor does, at least as long as there's no > > outward indication of whether channel binding was used! Since the > > GSS-APIv2u1 does not provide any such indication, this document > > corrects that flaw. > > > > > > So, I understand from this: > > * There is undefined behaviour when only one party supports channel > > binding. I think. Note typo in the first sentence. > > Yes. Suggested first sentence language: > > However, GSS-APIv2u1 [RFC2743] does not specify channel binding > behavior when only one party provides them. > > That works. > > * In practice, if an acceptor does not provide a channel binding, some > > mechanisms ignore channel bindings entirely, such as Kerberos. > > Yes. In general it seems like the phrase "provides none" is confusing - > is that right? How do you feel about replacing it with language more > like "when only provided by one party"? > > I think "provides none" is confusing - it's not a natural English formation. "when only provided by one party" etc seem more understandable to me. > > * Conversely, if the initiator does not provide channel bindings, but > > the acceptor does, channel bindings are typically not ignored. I have > > no idea what this means in practice - does authentication fail? I get > > that impression from the later paragraphs. > > Yes - per section 3, the acceptor fails to establish a security context. > > Right. That could use some clarification. > > * I don't understand the note. I think it says: This latter behaviour > > is sensible, since to allow security context establishment to succeed > > in this case would be problematic absent any indication of whether > > channel binding was used. Maybe? But I note that's also what this > > document recommends later in §3, so I suspect I'm wrong. > > Nico, do you have comments here? > > > * There is no such indication in GSS-APIv2u1. > > Yes - specifying the behavior here is (in my view) more important than > which way we specify it. > > > b) Empty Contexts > > > > It's a mystery to me why this is in this document. The rationale isn't > > explained at all. It might be that this is obvious to anyone > > indoctrinated into the dark art of GSS-API, which I'm certainly > > not. But it's first mentioned in §1.1 as if it were a necessary > > extension for addressing the problems described in §1. Is > > GSS_Set_context_flags() always to be called with an empty context? > > Good point. It's valid to call with a non-empty context as I understand > (maybe Nico can speak more on this?), but the important attribute is > ret_flags_understood, which there isn't currently a way to convey. And > then just doing it this particular way is based on how the Java bindings > work (1.1). > > How about this for text in 1.1: > > The design for signalling application flag support and empty > contexts is based on the Java Bindings of the GSS-API [RFC5653]. We > introduce a new function GSS_Set_context_flags() for applications to > instruct the GSSAPI implementation what flags they understand. > However, since the understood flags information needs to be present > before GSS_Init/Accept_sec_context() are called, we also introduce a > notion of empty contexts, and begin introduction of additional > context inquiry and mutation functions, which eventually will also > allow for simplified stepping to replace the > GSS_Init/Accept_sec_context() loop. > > Yes, that makes sense. > > c) Typographical errors > > > > * §1, Page 2, "provides provides" (as noted before). > > * §3, Page 7, "This strong sugestion" > > Agreed, will fix. > > > Further notes: > > > > I'm still confused about the outcome where the Initiator supports > > channel bindings but does not support the flag, and the Acceptor does > > not support channel bindings. In SCRAM, this case is special, and the > > Initiator ends up passing a channel binding essentially saying it > > could have done it if you'd asked. This allows an Acceptor to > > determine if a downgrade attack were in effect or not. I have no clue > > if this is common in GSS-API. > > Interesting. This doesn't sound like the kind of idiom we have > elsewhere in GSSAPI (not that that's necessarily a bad thing) > > Interesting - the channel bindings are transferred in SCRAM within the GS2 prefix (or header). I was expecting this case to be common. Alexey Melnikov or others might remember more detail about how that behaviour came about. > > In any case, if an Initiator is unable to know if the channel bindings > > were used or not, I agree with the initial assessment that this is > > problematic. On that basis, I'm uncomfortable with the suggestion > > that an Acceptor SHOULD ignore the channel bindings and continue > > anyway - but there are clear trade offs between interoperability and > > security here. > > > > I would therefore suggest this recommendation is downgraded to OPTIONAL > > (ie, a MAY), and the pros and cons spelt out clearly. > > We're talking about the third bullet in section 3, right? > > Yes, that's the one. > Whenever the initiator application has a) provided channel bindings > to GSS_Init_sec_context(), and b) not indicated support for the > ret_channel_bound_flag flag, then the mechanism SHOULD NOT fail to > establish a security context just because the acceptor failed to > provide channel bindings data. This strong sugestion is for > interoperability purposes, and reflects actual implementations that > have been deployed. > > The difference between SHOULD NOT / MAY NOT isn't particularly important > to me; Nico, do you have feelings in this regard? Dave.
- [kitten] Review of draft-ietf-kitten-channel-boun… Dave Cridland
- Re: [kitten] Review of draft-ietf-kitten-channel-… Robbie Harwood
- Re: [kitten] Review of draft-ietf-kitten-channel-… Dave Cridland