Re: [kitten] draft-hansen-scram-sha256 and incorporating session hashing for channel binding

Nico Williams <nico@cryptonector.com> Tue, 26 May 2015 22:32 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7ED911B32C2 for <kitten@ietfa.amsl.com>; Tue, 26 May 2015 15:32:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.233
X-Spam-Level:
X-Spam-Status: No, score=0.233 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8ACOGlnKdFxZ for <kitten@ietfa.amsl.com>; Tue, 26 May 2015 15:32:08 -0700 (PDT)
Received: from homiemail-a96.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id B52171B32B2 for <kitten@ietf.org>; Tue, 26 May 2015 15:32:08 -0700 (PDT)
Received: from homiemail-a96.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a96.g.dreamhost.com (Postfix) with ESMTP id 7BF033B8072; Tue, 26 May 2015 15:32:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=5VzTWIUiT6TELb P7cjs89V6lYJ4=; b=wLjiH5WGrvkLFHongsLB/vCIY4Ev3ZYEpN5Leyye/kUVHv BbdoipYPMDRf6CBO1qDSh/P0W8VGqpQNlSgJnjghVJSgJUoRN8XhbeL/32emDzjM 289VA8S3cz1XJPT6SqOsd1xAxTSST11hEAgb9RwIsv+rmZ1jg2n4XLUacUj1s=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a96.g.dreamhost.com (Postfix) with ESMTPA id 104433B8076; Tue, 26 May 2015 15:32:07 -0700 (PDT)
Date: Tue, 26 May 2015 17:32:07 -0500
From: Nico Williams <nico@cryptonector.com>
To: Tony Hansen <tony@att.com>
Message-ID: <20150526223206.GE27628@localhost>
References: <54DC00D0.2050900@cs.tcd.ie> <54EC66FF.50603@cs.tcd.ie> <54ECABD8.3090902@att.com> <87zj82f1yj.fsf@latte.josefsson.org> <54F4B8B8.8090406@isode.com> <555FC6CF.5020306@att.com> <20150523162728.5b6b63cd@latte.josefsson.org> <5564F27D.70109@att.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5564F27D.70109@att.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/ttF-Wf-jiBFtfrBLTV4M89Lhd64>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] draft-hansen-scram-sha256 and incorporating session hashing for channel binding
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 22:32:09 -0000

On Tue, May 26, 2015 at 06:23:57PM -0400, Tony Hansen wrote:
> On 5/23/15 10:27 AM, Simon Josefsson wrote:
> > ...
> > This text has nothing to do with the tls-session-hash issue? 
> 
> Sorry, it has the text I added because of earlier issues brought up
> within this thread. No, it doesn't address tls-session-hash.
> 
> > If you don't want to ship a known insecure protocol, I believe the
> > options are to either include text similar to what I proposed above,
> > or to replace tls-unique with a secure TLS channel binding (e.g.,
> > draft-josefsson-sasl-tls-cb). Shipping a known insecure protocol is
> > another option, but then you should add a security consideration
> > explaining that tls-unique is not secure without tls-session-hash and
> > that consistency with (the also insecure) RFC 5802 was deemed more
> > important security.
> 
> Your suggested text is:
> 
>     "To be secure SCRAM-SHA-256-PLUS has to be used over a TLS channel
> that MUST have [TLS-SESSION-HASH] negotiated."

That is fine, though I'd add "or session resumption MUST NOT have been
used".

> You then go on to say: "Personally, I would prefer to change to another
> mandatory channel binding that is secure for all TLS versions."

This is not really appropriate here because it's the applications that
need to do this, and we can't say anything here about this that will
force them to.  But we can repeat what should be security considerations
elsewhere, especially since there's currently no RFC providing this
particular security consideration.  A reference to TLS-SESSION-HASH of
the same level (i.e., normative or informative) as RFCs 5246 and 5929
would be nice.

Nico
--