Re: [kitten] TLS export for channel binding

Sam Whited, Mon, 04 May 2020 18:14 UTC

Hi again all,

I submitted this idea as a draft to the TLS working group. However, the
draft ended up becoming SCRAM/TLS 1.3 specific and the TLS WG suggested
that it might be a better fit for KITTEN, either as an update to RFC
5802, or as a new I-D.

Would this WG be interested in either the draft document or starting an
update to RFC 5802 if the TLS WG decides that the draft is outside of
their wheelhouse?


On Thu, Apr 30, 2020, at 16:02, Sam Whited wrote:
> Hi all,
> I'm in need of a channel binding mechanism that works for TLS 1.3, but
> as far as I can tell there isn't one. I was thinking about defining a
> mechanism using RFC 5705 (which is updated by RFC 8446 so it should
> work on both TLS 1.2 with appropriate cipher suites and 1.3 in
> general).
> Is anyone aware of work already being done in this area, and if I were
> to define a mechanism would it be a better fit for this working group
> or for the tls WG?
> I know that exporters have some caveats around how to ensure
> uniqueness across different sessions, so this would likely require a
> great deal of expert review if it's a feasible mechanism at all and I
> wasn't sure where the best place to get that review would be.
> —Sam
> Thanks, Sam

Sam Whited
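
The idea in the quoted message, using an RFC 5705 exporter value as a channel binding, shown as an added example that is not part of the original message or of any draft: both endpoints of one TLS 1.3 connection derive the same bytes without sending them, and calling `Binding` again for a new connection yields different bytes. The label, the 32-byte length, the empty context and the throwaway certificate are assumptions made for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
)

const label = "EXPORTER-example-channel-binding" // hypothetical label, not from the message
// Binding runs a TLS 1.3 handshake over an in-memory pipe and returns both sides' exporter output.
func Binding() (cli, srv []byte, err error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // fails only if the system RNG does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)} // constructed throwaway certificate
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	a, b := net.Pipe()
	defer a.Close()
	defer b.Close()
	// Tickets are disabled so the server writes nothing after its handshake completes.
	s := tls.Server(b, &tls.Config{MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	// Verification is skipped only because the certificate above is a test fixture.
	c := tls.Client(a, &tls.Config{MinVersion: tls.VersionTLS13, InsecureSkipVerify: true})
	done := make(chan error, 1)
	go func() { done <- s.Handshake() }()
	if err = c.Handshake(); err != nil {
		return nil, nil, err
	}
	if err = <-done; err != nil {
		return nil, nil, err
	}
	cs, ss := c.ConnectionState(), s.ConnectionState()
	if cli, err = cs.ExportKeyingMaterial(label, nil, 32); err != nil {
		return nil, nil, err
	}
	srv, err = ss.ExportKeyingMaterial(label, nil, 32)
	return cli, srv, err
}

func main() {
	c, s, err := Binding()
	fmt.Printf("client %x\nserver %x\nerr %v\n", c, s, err)
}
```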