Re: [kitten] SASL, how to choose the type of channel binding?

Dave Cridland <dave@cridland.net> Tue, 21 April 2020 22:13 UTC

References: <5E8F1ED9.1020108@openfortress.nl> <87zhb4jzhv.fsf@latte.josefsson.org>
In-Reply-To: <87zhb4jzhv.fsf@latte.josefsson.org>
From: Dave Cridland <dave@cridland.net>
Date: Tue, 21 Apr 2020 23:12:48 +0100
Message-ID: <CAKHUCzyLpcnBWbe8-kaDgE-6NFWSe_3SkxewaJ6kYFmD-dRiDA@mail.gmail.com>
To: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>
Cc: Rick van Rein <rick@openfortress.nl>, "kitten@ietf.org" <kitten@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/yMnXHi2GSNiWPLH5aDRedH7y6WM>
Subject: Re: [kitten] SASL, how to choose the type of channel binding?
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

On Tue, 21 Apr 2020 at 22:33, Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org> wrote:

> Rick van Rein <rick@openfortress.nl> writes:
>
> > Hello,
> >
> > I can see that the GS2 negotiates *whether* to use channel binding, but
> > how can a client and server agree on *which* form to use?
>
> Practically it is hard-coded to 'tls-unique' which, alas, has security
> issues.  See RFC 7627.  GS2 does not provide any facility to (reliably)
> negotiate which channel binding type to use, that negotiation has to
> come from the SASL application protocol or out-of-band.  See section 5.2
> of the document.  I don't recall any SASL application protocols that
> provide this feature -- does anyone know of any example?
>

No, but the XMPP community uses channel bindings quite heavily (or at
least, more so than anywhere else I've noticed).

If you feel like throwing a XEP (or an I-D) toward the XSF on negotiation
of channel bindings (should be a simple stream feature), you might find
some interest there.

Dave.
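The mechanics behind Simon's point, as an added example that is not code from this thread or from any SASL library: GS2 carries a flag saying whether channel binding is in use and, when it is, the name of the type the client chose, but nothing in the framing lets the two sides agree on that name. The block below is a minimal SCRAM-SHA-256 client and server (RFC 5802 framing, RFC 7677 hash) written for this page. The user name, password, salt, and the 32-byte channel-binding values are constructed stand-ins for what a real TLS stack would supply; `tls-exporter` (the type later registered by RFC 9266) appears only as the name of a type this example server does not implement.

```python
import base64
import hashlib
import hmac
import secrets

# Illustrative SCRAM-SHA-256 (RFC 5802 / RFC 7677) client and server: only the
# pieces that show where the channel-binding type travels and what the server
# has to check.  Added for this page; not a production SASL implementation.

def _b64(data):
    return base64.b64encode(data).decode()

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def gs2_header(cb_type):
    # gs2-cbind-flag is "p=<cb-name>" when the client binds and "n" when it does
    # not.  The client asserts the name unilaterally; GS2 has no offer/accept round.
    return ("p=%s" % cb_type if cb_type else "n") + ",,"

def parse_gs2_header(client_first_msg):
    flag, _authzid, bare = client_first_msg.split(",", 2)
    if flag in ("n", "y"):
        return None, bare
    if flag.startswith("p=") and len(flag) > 2:
        return flag[2:], bare
    raise ValueError("malformed gs2-cbind-flag")

def client_first(user, cb_type):
    nonce = _b64(secrets.token_bytes(16))
    bare = "n=%s,r=%s" % (user, nonce)
    return gs2_header(cb_type) + bare, bare

def server_first(client_first_bare, salt, iterations):
    client_nonce = client_first_bare.split(",r=", 1)[1]
    nonce = client_nonce + _b64(secrets.token_bytes(16))
    return "r=%s,s=%s,i=%d" % (nonce, _b64(salt), iterations)

def client_final(password, cb_type, cb_data, client_first_bare, server_first_msg):
    fields = dict(kv.split("=", 1) for kv in server_first_msg.split(","))
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(fields["s"]), int(fields["i"]))
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    # cbind-input = gs2-header [cbind-data]; the TLS-derived bytes go in only for "p=".
    cbind_input = gs2_header(cb_type).encode() + (cb_data if cb_type else b"")
    without_proof = "c=%s,r=%s" % (_b64(cbind_input), fields["r"])
    auth_message = ("%s,%s,%s" % (client_first_bare, server_first_msg, without_proof)).encode()
    proof = _xor(client_key, _hmac(stored_key, auth_message))
    return "%s,p=%s" % (without_proof, _b64(proof))

def server_verify(stored_key, supported_cb, server_cb_data,
                  client_first_msg, server_first_msg, client_final_msg):
    cb_type, bare = parse_gs2_header(client_first_msg)
    # (1) A type the server does not implement is a hard failure: there is no
    #     fallback, because nothing in GS2 lets the server counter-propose one.
    if cb_type is not None and cb_type not in supported_cb:
        return False
    fields = dict(kv.split("=", 1) for kv in client_final_msg.split(","))
    # (2) The proof alone does not enforce binding: the client's own c= value is
    #     what goes into AuthMessage, so the server must compare it with the
    #     channel it actually sees.
    expected = gs2_header(cb_type).encode() + (server_cb_data if cb_type else b"")
    if not hmac.compare_digest(base64.b64decode(fields["c"]), expected):
        return False
    without_proof = client_final_msg.rsplit(",p=", 1)[0]
    auth_message = ("%s,%s,%s" % (bare, server_first_msg, without_proof)).encode()
    client_key = _xor(base64.b64decode(fields["p"]), _hmac(stored_key, auth_message))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)

SERVER_PASSWORD = "correct horse"              # constructed credential for user "rick"
SALT, ITERATIONS = b"constructed-salt", 4096   # constructed server-side parameters

def run_exchange(cb_type, client_cb_data, server_cb_data, server_supported,
                 password=SERVER_PASSWORD):
    """Drive one SCRAM exchange and return the server's accept/reject decision."""
    salted = hashlib.pbkdf2_hmac("sha256", SERVER_PASSWORD.encode(), SALT, ITERATIONS)
    stored_key = hashlib.sha256(_hmac(salted, b"Client Key")).digest()  # what the server keeps
    cf_msg, cf_bare = client_first("rick", cb_type)
    sf_msg = server_first(cf_bare, SALT, ITERATIONS)
    cfinal = client_final(password, cb_type, client_cb_data, cf_bare, sf_msg)
    return server_verify(stored_key, server_supported, server_cb_data, cf_msg, sf_msg, cfinal)

if __name__ == "__main__":
    chan = b"\x01" * 32   # constructed stand-in for the TLS channel-binding bytes
    print(run_exchange("tls-unique", chan, chan, {"tls-unique"}))          # True
    print(run_exchange("tls-exporter", chan, chan, {"tls-unique"}))        # False: unsupported type
    print(run_exchange("tls-unique", chan, b"\x02" * 32, {"tls-unique"}))  # False: channels differ
    print(run_exchange(None, b"", b"", {"tls-unique"}))                    # True: unbound, by policy
```

The two `False` results are the practical cost of the missing negotiation: a client that picks a type the server does not implement is rejected outright rather than steered to one it does, and the only thing standing between a relayed connection and a successful login is check (2), because the proof is computed over the client's own `c=` value. Whether an unbound `n` flag is acceptable at all is server policy, which is where a stream feature of the kind Dave suggests would have to say which types are on offer.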