Re: [kitten] draft-hansen-scram-sha256 and incorporating session hashing for channel binding

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sat, 23 May 2015 22:57 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13C8D1A88F9 for <kitten@ietfa.amsl.com>; Sat, 23 May 2015 15:57:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JZVBH8pEdjNP for <kitten@ietfa.amsl.com>; Sat, 23 May 2015 15:57:40 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69A9E1A88F6 for <kitten@ietf.org>; Sat, 23 May 2015 15:57:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 8DA8FBED8; Sat, 23 May 2015 23:57:14 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9WevYdjlt03r; Sat, 23 May 2015 23:57:13 +0100 (IST)
Received: from [10.87.48.73] (unknown [86.46.24.221]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 25924BED2; Sat, 23 May 2015 23:57:13 +0100 (IST)
Message-ID: <556105C3.8020303@cs.tcd.ie>
Date: Sat, 23 May 2015 23:57:07 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Simon Josefsson <simon@josefsson.org>, Nico Williams <nico@cryptonector.com>
References: <54DC00D0.2050900@cs.tcd.ie> <54EC66FF.50603@cs.tcd.ie> <54ECABD8.3090902@att.com> <87zj82f1yj.fsf@latte.josefsson.org> <54F4B8B8.8090406@isode.com> <20150523202618.GC2166@localhost> <20150523223946.15ae8c11@latte.josefsson.org> <20150523214351.GD2166@localhost> <20150524004438.5121c26b@latte.josefsson.org>
In-Reply-To: <20150524004438.5121c26b@latte.josefsson.org>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="90eht1KvIuwctDSii4xRlGdnNcqh87DUR"
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/mCCWDzwxBjz0_TmD3KTTUOGD6N8>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] draft-hansen-scram-sha256 and incorporating session hashing for channel binding
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 May 2015 22:57:45 -0000


On 23/05/15 23:44, Simon Josefsson wrote:
> Perhaps this is a question for the TLS WG -- whether they intend
> tls-session-hash to apply as a mandatory fix to all TLS versions or
> not.  The document does not say anything about updates now, which means
> "TLS needs fixing" won't necessarily happen.

So this may be helpful or not depending on how much one
considers IETF minutae important...

During IESG evaluation we agreed to have the session hash
document be an update of 5246. The start of that thread is
at [1] and the resolution is downthread or maybe in some
other thread but was on the TLS list. The update to the
draft hasn't yet happened but will shortly.

The impact is that our formalities then expect any new TLS
code to include session hash. But that of course does not
affect already deployed code so make of that what you will.

Cheers,
S.

[1] https://www.ietf.org/mail-archive/web/tls/current/msg16231.html