Re: [kitten] SASL, how to choose the type of channel binding?

Simon Josefsson <simon@josefsson.org> Tue, 28 April 2020 22:50 UTC

Dave Cridland <dave@cridland.net> writes:

> On Tue, 21 Apr 2020 at 22:33, Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org> wrote:
>
>> Rick van Rein <rick@openfortress.nl> writes:
>>
>> > Hello,
>> >
>> > I can see that the GS2 negotiates *whether* to use channel binding, but
>> > how can a client and server agree on *which* form to use?
>>
>> Practically it is hard-coded to 'tls-unique' that, alas, has security
>> issues.  See RFC 7627.  GS2 does not provide any facility to (reliably)
>> negotiate which channel binding type to use, that negotiation has to
>> come from the SASL application protocol or out-of-band.  See section 5.2
>> of the document.  I don't recall any SASL application protocols that
>> provide this feature -- does anyone know of any example?
>>
>
> No, but the XMPP community uses channel bindings quite heavily (or at
> least, more so than anywhere else I've noticed).
>
> If you feel like throwing a XEP (or an I-D) toward the XSF on negotiation
> of channel bindings (should be a simple stream feature), you might find
> some interest there.

I have started to think that this complexity of SCRAM/GS2 was a bad
idea.  Providing a half-baked negotiation mechanism for a
security-critical component invites problems.  I would be happier if this
feature was removed, and that the channel binding type negotiation happens
implicitly at SASL mechanism negotiation time.  This is what happens in
practice today when SCRAM/GS2 always means tls-unique.  If nobody knows
examples of, or intends to use, this feature, I think we should
discourage it before someone uses it.

/Simon
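
The following is an added example, not part of the message above or of any project's code: a server-side check of the GS2 channel-binding flag following the RFC 5801 / RFC 5802 grammar, showing that the client names the binding type unilaterally and the server can only accept or reject it. The function names and sample messages are constructed for illustration.

```python
# Added example: server-side handling of the GS2 channel-binding flag.
# Function names and sample inputs are hypothetical, not from any library.
import re

CB_NAME = re.compile(r"^[A-Za-z0-9.-]+$")  # cb-name = 1*(ALPHA / DIGIT / "." / "-")


def parse_gs2_header(client_first: str):
    """Split 'gs2-cbind-flag "," [authzid] ","' off a client-first message."""
    parts = client_first.split(",", 2)
    if len(parts) < 3:
        raise ValueError("truncated GS2 header")
    flag, authzid, rest = parts
    if flag in ("n", "y"):
        cb_type = None
    elif flag.startswith("p=") and CB_NAME.match(flag[2:]):
        flag, cb_type = "p", flag[2:]
    else:
        raise ValueError("invalid gs2-cbind-flag")
    if authzid and not authzid.startswith("a="):
        raise ValueError("invalid authzid")
    return flag, cb_type, rest


def check_channel_binding(client_first, mech, advertised, server_cb_types):
    """Return (ok, reason); there is no step where the server proposes a type."""
    flag, cb_type, _ = parse_gs2_header(client_first)
    plus = mech.endswith("-PLUS")
    if flag == "p":
        if not plus:
            return False, "p= flag used with non-PLUS mechanism"
        if cb_type not in server_cb_types:
            return False, f"unsupported channel binding type {cb_type!r}"
        return True, f"bind to {cb_type}"
    if plus:
        return False, "-PLUS mechanism requires p= flag"
    if flag == "y" and any(m.endswith("-PLUS") for m in advertised):
        # Client thinks the server has no -PLUS variant although one was
        # advertised: the mechanism list was altered in transit.
        return False, "downgrade detected"
    return True, "no channel binding"
```

A client that picks a type the server lacks simply fails authentication, which is why in practice both sides hard-code the same type.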