Re: [kitten] Review of draft-ietf-kitten-channel-bound-flag-01
Benjamin Kaduk <kaduk@mit.edu> Sun, 25 June 2017 17:00 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7A671273B1 for <kitten@ietfa.amsl.com>; Sun, 25 Jun 2017 10:00:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.222
X-Spam-Level:
X-Spam-Status: No, score=-4.222 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hHuu287fLPl4 for <kitten@ietfa.amsl.com>; Sun, 25 Jun 2017 10:00:10 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B323B1201F2 for <kitten@ietf.org>; Sun, 25 Jun 2017 10:00:10 -0700 (PDT)
X-AuditID: 1209190e-3a3ff7000000676b-45-594fec19279f
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 4C.B6.26475.91CEF495; Sun, 25 Jun 2017 13:00:09 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id v5PH079n003508; Sun, 25 Jun 2017 13:00:08 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v5PH03lr021977 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 25 Jun 2017 13:00:06 -0400
Date: Sun, 25 Jun 2017 12:00:04 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Greg Hudson <ghudson@mit.edu>, nico@cryptonector.com
Cc: kitten@ietf.org
Message-ID: <20170625170003.GB17840@kduck.kaduk.org>
References: <x7dk24130xu.fsf@equal-rites.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <x7dk24130xu.fsf@equal-rites.mit.edu>
User-Agent: Mutt/1.7.1 (2016-10-04)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrCIsWRmVeSWpSXmKPExsUixCmqrSv5xj/S4OgrLYujm1exWJy6doTN gcnj5alzjB5LlvxkCmCK4rJJSc3JLEst0rdL4Mo4dHciS8FDo4rND2YyNzC+Ue9i5OSQEDCR WNjYwtzFyMUhJLCYSeLqqYNQzkZGiV0zz0E5V5kkOjbMYuti5OBgEVCVaJlZCtLNJqAi0dB9 mRkkLCJgIfF4giFImFlAWGL5mrNg1cIC7hLz+hJBwrxAu+7/3s0MYgsJGEq8vXeNCSIuKHFy 5hMWiFYtiRv/XjKBtDILSEss/8cBEuYUMJL4dK2XFcQWFVCW+Hv4HssERoFZSLpnIemehdC9 gJF5FaNsSm6Vbm5iZk5xarJucXJiXl5qka6xXm5miV5qSukmRnCASvLtYJzU4H2IUYCDUYmH N2CtX6QQa2JZcWXuIUZJDiYlUd5Gf/9IIb6k/JTKjMTijPii0pzU4kOMEhzMSiK87c+Bcrwp iZVVqUX5MClpDhYlcV5xjcYIIYH0xJLU7NTUgtQimKwMB4eSBO+W10CNgkWp6akVaZk5JQhp Jg5OkOE8QMMzHoIMLy5IzC3OTIfIn2LU5WiYvvULkxBLXn5eqpQ4736QQQIgRRmleXBzQIlF Int/zStGcaC3hHn/vQSq4gEmJbhJr4CWMAEtmbHGB2RJSSJCSqqBMfFqoFdc5bHJX9+9aONr aP3/M+L72sDTPlfuONx9G6V/0Ff2wwq3XVo8/QKLH1V/u7Ve/JtWZ5fPQn3eV7bLma78yfqk 07pY7JPwftMFkflX2Vw/xL3s3nhz0ovyCo/0VT7Pt51OPZhelM0UcoOZkefv5SOKxhPjtesf ybp4pR0LSS9aEXlWQomlOCPRUIu5qDgRAP2sRYQHAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/nwVcFSfK3hjuEyqI3rM8LKiK5y8>
Subject: Re: [kitten] Review of draft-ietf-kitten-channel-bound-flag-01
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Jun 2017 17:00:13 -0000
Thanks for the review, Greg. Nico, will you be able to prepare a document update? (one note inline) On Sat, Jun 24, 2017 at 10:38:53AM -0400, Greg Hudson wrote: > Here are my semantic concerns: > > Section 1: > > * Paragraph 2 discusses taking advantage of implementation behavior to > deploy channel bindings on initiators first, then acceptors. A > naive reader might conclude that this is sufficient, because an > acceptor can be configured to not provide channel bindings if it > does not wish to require all initiators to provide them as well. It > would be helpful to explain that the value obtained by providing > channel bindings on the acceptor without enforcing them, which is > that participating initiators gain protection against MITM attacks. > > * Paragraph 4 should either be omitted or made more specific. It's > interesting to me that SSPI implements these semantics (all of them > or just the existence of a channel-bound ret flag?), but that should > be stated directly or just skipped. > > Section 1.1: > > * "[RFC2743] seems to indicate that mechanisms must ignore channel > bindings when one party provided none." What part of RFC 2743? How > does this statement square with "This facility is meant to be > all-or-nothing" in the introduction? > > * The remainder of this paragraph seems redundant with the top material > in section 1. > > Sections 1.2-1.4: these sections are kind of informal and may not all > be of interest to implementors. I think it's worth saying that > gss_create_sec_context() is expected to lead to simpler stepper > functions in the future, but the rest can probably go. > > Section 2.2: > > * The term "understood" is a little unclear, and aside from the new > channel-bound flag, it's unclear how a mechanism should process the > absence of an understood flag. Out of band, Nico has said that he > doesn't expect the mechanism to pare down its set of ret_flags based > on ret_flags_understood (e.g. it should not omit the mutual-auth > flag if the application doesn't include it in ret_flags_understood). > So the mechanism should only consult ret_flags_understood when it > really needs to know, such as with the new channel-bound flag. The > draft should make that clear. > > * The new gss_set_context_flags() call allows us to specify req_flags > to gss_accept_sec_context(), which is an intentional addition. > However, we have no immediate use for it, and the draft doesn't make > it clear whether an existing mechanism should do anything with > existing req_flags on the acceptor. > > Section 2.2.1: > > * Naming the parameter "ret_flags" rather than "ret_flags_understood" > in the C bindings appears to create some confusion as to what should > be done with the flags. > > Section 2.4 and 2.5: > > * For background, the overall purpose of this draft is to make channel > bindings fit the GSS-API model where the caller asks for things and > then checks whether it actually got them. On the initiator it is > awkward to achieve this goal, since the krb5 mech does not have > channel binding confirmation and other existing mechanisms may not > have it either. Thus the draft specifies new mechanism attributes > to express whether a mechanism has channel binding confirmation, and > a request flag to filter SPNEGO mechanisms according to whether they > can confirm channel bindings. Nico has a plan to extend the krb5 > mech's mutual-auth response to confirm channel bindings, likely > using GSS_C_CB_CONFIRM_FLAG (2048) in the 8003 checksum flags value > as a negotiation bit. > > * GSS_C_MA_CBINDING_MAY_CONFIRM does not really express where the krb5 > mech will wind up after the mutual auth response is extended, as > channel bindings will only be confirmed if the initiator requests > mutual auth, and possibly only if the mechanism choose an RFC 4121 > enctype. > > * The specification of req_cb_confirmation_flag is wishy-washy as to > whether it allows SPNEGO to choose a mechanism that might only > possibly be able to confirm channel bindings. I'm not sure that > this request flag will ever wind up being useful to callers. > > * "the pseudo-mechanism MUST NOT negotiate any mechanisms that lack > the GSS_C_MA_CBINDING_CONFIRM or GSS_C_MA_CBINDING_MAY_CONFIRM > mechanism attributes" reads to me as "mechanisms must have both > attributes to qualify", but from context I think it is supposed to > mean "mechanisms must have one of the two attributes to qualify". I agree that's the apparent intent. -Ben > Section 2.6: > > * Here we specify the behavior of gss_delete_sec_context on an empty > context. We should also specify the behavior an the application > tries to use an empty context with gss_inquire_sec_context(), > gss_wrap(), etc.. Per discussion with Nico, doing so should result > in GSS_S_NO_CONTEXT, just as if the application supplied > GSS_C_NO_CONTEXT to those functions. > > Section 3: > > * The third requirement says that init_sec_context SHOULD be lax about > the acceptor not providing channel bindings, but notes that "It is > possible that not all security mechanism protocols can implement > this requirement easily." In contrast, the fourth requirement says > that init_sec_context MUST be lax if the caller understands > ret_channel_bound_flag. The fourth requirement doesn't seem to > square with the proviso on the third. If a mechanism can conform to > the fourth requirement, then it seems like it can also conform to > the third requirement. > > And here are a few copy-editing notes: > > Abstract: > > * "This document addresses both, the..." should not have the comma. > > Section 2.2: > > * undestands -> understands > > * "individual elements -one-per-flag- instead" -> > "individual elements--one per flag--instead" > > Section 3: > > * There are multiple instances of "Whenever [something] shall have > [done something]", which doesn't look right to me. Omitting the > word "shall", and sometimes changing "have" to "has", makes them > look better. > > * "Whenever both, the initiator..." should not have the comma. > > * "This is a restatement... restated for the reader's convenience" > should either omit "a restatement of" or the final clause.
- [kitten] Review of draft-ietf-kitten-channel-boun… Greg Hudson
- Re: [kitten] Review of draft-ietf-kitten-channel-… Benjamin Kaduk