Re: [kitten] SCRAM and draft-ietf-kitten-tls-channel-bindings-for-tls13

Simon Josefsson <simon@josefsson.org> Mon, 24 May 2021 16:46 UTC

From: Simon Josefsson <simon@josefsson.org>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: Sam Whited <sam@samwhited.com>, KITTEN Working Group <kitten@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ourpXgFmqG1-6s1Fu7Imvmb_o74>

Alexey Melnikov <alexey.melnikov@isode.com> writes:

> Hi Simon/Sam,
>
> Picking up an old thread that you had in March 2021:
>
> On 27/03/2021 19:08, Simon Josefsson wrote:
>> "Sam Whited" <sam@samwhited.com> writes:
>>
>>> I don't really know what "Updates" means in this context, so I just put
>>> an RFC that uses tls-unique. The point wasn't so much that it changes
>>> any normative text, but that this document should be discoverable from
>>> 5802 so that if you read "tls-unique" then go up to the top and see
>>> "Updated by <new TLS 1.3 unique CB RFC>" you have a chance at finding
>>> and implementing this instead.
>> That makes sense, but to me it isn't clear how I would actually
>> implement SCRAM (or GS2) when your draft is approved.  Are you
>> suggesting to replace tls-unique with something else?  There seems to be
>> some guidance missing.  There are backwards compatibility concerns with
>> changing the default channel binding.
>
> After thinking about this with my implementor's hat on, I agree. This
> new requirement can be either in SCRAM update (if we ever do one) or
> this document. Adding it to this document seems quicker (and also the
> right thing) to me. Maybe as a strawman proposal:
>
>   When a client/server implementation supports TLS 1.3 and
> SCRAM-*-PLUS, require support for "tls-exporter". Leave "tls-unique"
> as mandatory-to-implement for older versions of TLS.
>
> What do you think?

I think this is reasonable.  TLS 1.3 does not support tls-unique, so
SCRAM-PLUS under TLS 1.3 is not well specified today.

I believe the document should have an 'Updates: RFC 5929' too.

Another thing that could be lifted from
https://datatracker.ietf.org/doc/html/draft-josefsson-sasl-tls-cb-02
would be to add the following to the Security Considerations:

   The derived data MUST NOT be used for any other purpose than channel
   bindings as described in [RFC5056].

/Simon

>
> Best Regards,
>
> Alexey
>
>> /Simon
>>
>>> On Thu, Mar 25, 2021, at 05:41, Simon Josefsson wrote:
>>>> Thanks for draft-ietf-kitten-tls-channel-bindings-for-tls13!  It is
>>>> not clear to me that it would actually modify anything for SCRAM/GS2,
>>>> would it?  Those documents still reference 'tls-unique' and things will
>>>> still be broken, as far as I can tell.  Should the new draft update
>>>> the SCRAM/GS2 specs?  I believe the channel binding flexibility in
>>>> SCRAM/GS2 has been one complexity that has prevented adoption, but
>>>> solving that may be too late but we may be able to solve the security
>>>> issues.  I see that there is an 'Updates: 5802' but I can't find any
>>>> text describing what is intended to be changed.
>>>>
>>>> _______________________________________________
>>>> Kitten mailing list
>>>> Kitten@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/kitten
>
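
Added example, not part of the original message or of any draft text: a Python sketch of the strawman rule discussed above ("tls-exporter" under TLS 1.3, "tls-unique" for older TLS versions) applied to the SCRAM `c=` attribute of RFC 5802. The function names and the sample channel-binding bytes are assumptions made for illustration; a real implementation obtains the binding data from its TLS stack.

```python
import base64
import hmac

# Constructed sample: stands in for the channel-binding bytes the TLS stack
# would return for this connection (not real exporter or Finished data).
SAMPLE_CB = bytes(range(32))

def select_cb_type(tls_version: str) -> str:
    """Strawman rule from the thread, keyed on the negotiated TLS version."""
    if tls_version == "TLSv1.3":
        return "tls-exporter"      # tls-unique is not available in TLS 1.3
    if tls_version in ("TLSv1", "TLSv1.1", "TLSv1.2"):
        return "tls-unique"        # stays mandatory-to-implement for older TLS
    raise ValueError(f"no channel binding rule for {tls_version!r}")

def gs2_header(cb_type: str) -> bytes:
    """RFC 5802 gs2-header with 'p=' flag and no authzid."""
    return f"p={cb_type},,".encode("ascii")

def client_c_attribute(tls_version: str, cb_data: bytes) -> str:
    """Build the 'c=' attribute: base64(gs2-header || channel-binding data)."""
    header = gs2_header(select_cb_type(tls_version))
    return "c=" + base64.b64encode(header + cb_data).decode("ascii")

def server_check_c_attribute(c_attr: str, tls_version: str,
                             server_cb_data: bytes) -> bool:
    """Recompute the value from the server's own view of the TLS connection.

    A mismatch means the client is bound to a different TLS channel than the
    one the server sees, or used a binding type the rule does not allow for
    this TLS version; either way authentication must fail.
    """
    expected = client_c_attribute(tls_version, server_cb_data)
    return hmac.compare_digest(c_attr.encode("ascii"), expected.encode("ascii"))

if __name__ == "__main__":
    c = client_c_attribute("TLSv1.3", SAMPLE_CB)
    print(c)
    print("same channel:     ", server_check_c_attribute(c, "TLSv1.3", SAMPLE_CB))
    print("different channel:", server_check_c_attribute(c, "TLSv1.3", bytes(32)))
    legacy = client_c_attribute("TLSv1.2", SAMPLE_CB)
    print("tls-unique on 1.3:", server_check_c_attribute(legacy, "TLSv1.3", SAMPLE_CB))
```
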