Re: [kitten] Review of draft-ietf-kitten-channel-bound-flag-04

Nico Williams <nico@cryptonector.com> Mon, 11 March 2019 20:05 UTC

Date: Mon, 11 Mar 2019 15:05:12 -0500
From: Nico Williams <nico@cryptonector.com>
To: Sam Hartman <hartmans-ietf@mit.edu>
Cc: kitten@ietf.org
Message-ID: <20190311200510.GE4211@localhost>
References: <tslbm38vl8h.fsf@suchdamage.org> <20190311185706.GD4211@localhost>
In-Reply-To: <20190311185706.GD4211@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/s3L3ePLUsWMIQ2eutKYquKPDrGE>
Subject: Re: [kitten] Review of draft-ietf-kitten-channel-bound-flag-04
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

How about a much simpler proposal:

   If the application provided channel bindings, and channel binding
   succeeded, then the mechanism MUST include GSS_C_CHANNEL_BOUND_FLAG
   in the ret_flags.

   If the application did not provide channel bindings, but the peer
   did, then the mechanism may or may not fail security context
   establishment, but if it succeeds, it MUST NOT indicate the
   GSS_C_CHANNEL_BOUND_FLAG ret_flag to either peer.

   If both peer applications provided channel bindings and channel
   binding failed, then a mechanism MAY fail to establish a security
   context, but if it permits the context to establish, then it MUST NOT
   set GSS_C_CHANNEL_BOUND_FLAG in the ret_flags.

That would be the entirety of the normative text.

The "MAY" in the third paragraph involves an optional backwards-incompatible
change, allowing implementations to choose whether to make it, possibly
based on local configuration, or on usage of the non-standard
gss_set_cred_option().

Nico
--
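The three rules proposed in the message above form a small decision table: which side supplied channel bindings, whether they matched, and whether the mechanism takes the "MAY fail" option. The following C program is an added model of that table and is not code from the draft, from any GSS-API implementation, or from the poster. It does not call a real mechanism; `evaluate_channel_binding`, `cb_policy`, `cb_result` and the flag bit value `MODEL_CHANNEL_BOUND_FLAG` are all assumptions of the model (real code takes `GSS_C_CHANNEL_BOUND_FLAG` from `<gssapi/gssapi.h>`). It also shows the check an application should make on the result: a context that established is not channel bound unless the flag is actually present in `ret_flags`.

```c
/* Added example: a model of the three normative rules in the proposal.
 * Not GSS-API library code; NULL means the application on that side
 * provided no channel bindings. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed bit value for this model only; real code uses the value
 * GSS_C_CHANNEL_BOUND_FLAG from <gssapi/gssapi.h>. */
#define MODEL_CHANNEL_BOUND_FLAG 0x800u

/* Whether the mechanism takes the "MAY fail" option of paragraphs 2 and 3
 * (e.g. chosen by local configuration). */
enum cb_policy { CB_LENIENT, CB_STRICT };

struct cb_result {
    bool     established;  /* context establishment allowed to complete */
    unsigned ret_flags;    /* model of ret_flags; only the CB bit is modelled */
};

static bool bindings_match(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    return la == lb && memcmp(a, b, la) == 0;
}

struct cb_result evaluate_channel_binding(const char *local_cb,
                                          const char *peer_cb,
                                          enum cb_policy policy)
{
    struct cb_result r = { true, 0 };

    if (local_cb != NULL && peer_cb != NULL) {
        if (bindings_match(local_cb, peer_cb)) {
            /* Paragraph 1: binding succeeded, the flag MUST be set. */
            r.ret_flags |= MODEL_CHANNEL_BOUND_FLAG;
        } else {
            /* Paragraph 3: mismatch; MAY fail, and never set the flag. */
            r.established = (policy == CB_LENIENT);
        }
    } else if (local_cb != NULL || peer_cb != NULL) {
        /* Paragraph 2: only one side provided bindings; MAY fail, and the
         * flag MUST NOT be reported to either peer. */
        r.established = (policy == CB_LENIENT);
    }
    /* Neither side provided bindings: nothing was bound, so no flag
     * (not spelled out in the proposal, but follows from paragraph 1). */
    return r;
}

/* The application-side check: success alone does not mean the context is
 * bound to the channel; the flag has to be present in ret_flags. */
bool context_is_channel_bound(struct cb_result r)
{
    return r.established && (r.ret_flags & MODEL_CHANNEL_BOUND_FLAG) != 0;
}

int main(void)
{
    /* Constructed sample bindings standing in for e.g. tls-unique bytes. */
    const char *cb  = "tls-unique:0011";
    const char *bad = "tls-unique:ffff";
    struct { const char *l, *p; } cases[] = {
        { cb, cb }, { cb, bad }, { NULL, cb }, { cb, NULL }, { NULL, NULL },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct cb_result r = evaluate_channel_binding(cases[i].l, cases[i].p,
                                                      CB_LENIENT);
        printf("local=%s peer=%s -> established=%d bound=%d\n",
               cases[i].l ? cases[i].l : "(none)",
               cases[i].p ? cases[i].p : "(none)",
               r.established, context_is_channel_bound(r));
    }
    return 0;
}
```

Run with `CB_LENIENT` the table shows the cases where a context establishes yet `context_is_channel_bound` is false, which is exactly why an application must test the flag rather than infer binding from successful establishment; with `CB_STRICT` the same cases fail outright, the backwards-incompatible choice the message's last paragraph describes.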