[kitten] Review of draft-ietf-kitten-channel-bound-flag-01
Greg Hudson <ghudson@mit.edu> Sat, 24 June 2017 14:38 UTC
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25BC9126CC7 for <kitten@ietfa.amsl.com>; Sat, 24 Jun 2017 07:38:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YwmFQzmhDw3m for <kitten@ietfa.amsl.com>; Sat, 24 Jun 2017 07:38:57 -0700 (PDT)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62966124D68 for <kitten@ietf.org>; Sat, 24 Jun 2017 07:38:57 -0700 (PDT)
X-AuditID: 1209190c-0ddff70000001227-e4-594e797e045a
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id 0E.FF.04647.E797E495; Sat, 24 Jun 2017 10:38:55 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v5OEcsWk000396 for <kitten@ietf.org>; Sat, 24 Jun 2017 10:38:54 -0400
Received: from localhost ([10.18.1.59]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v5OEcrVQ012124 for <kitten@ietf.org>; Sat, 24 Jun 2017 10:38:53 -0400
From: Greg Hudson <ghudson@mit.edu>
To: kitten@ietf.org
Date: Sat, 24 Jun 2017 10:38:53 -0400
Message-ID: <x7dk24130xu.fsf@equal-rites.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprHIsWRmVeSWpSXmKPExsUixG6noltf6RdpsOGOmMXRzatYHBg9liz5 yRTAGMVlk5Kak1mWWqRvl8CVcfd2I1PBX72Kk7vOMTUwHlTtYuTkkBAwkbi5ZhJLFyMXh5DA YiaJpRfOMEM4xxkltl09zgZSJSTwhVFiybMMEJtNQFli/f6tLCC2iICwxO6t75hBbGEBK4l3 m44wgdgsAqoSq7ZvB4vzChhKzH+2nBHCFpQ4OfMJWC+zgITEwRcvmCcwcs9CkpqFJLWAkWkV o2xKbpVubmJmTnFqsm5xcmJeXmqRrqFebmaJXmpK6SZGUBBwSvLsYDzzxusQowAHoxIPb4a3 b6QQa2JZcWXuIUZJDiYlUd7YMz6RQnxJ+SmVGYnFGfFFpTmpxYcYJTiYlUR4ecL9IoV4UxIr q1KL8mFS0hwsSuK8EhqNEUIC6YklqdmpqQWpRTBZGQ4OJQle4QqgRsGi1PTUirTMnBKENBMH J8hwHqDhkmDDiwsSc4sz0yHypxhVORqmb/3CJMSSl5+XKiXOOwVkkABIUUZpHtycV4ziQO8I 8yaBZHmAkQ434RXQcCag4TPW+IAML0lESEk1MCa6sHs0NhZuj8r7tZqdLT1vvq60aPDX1lPV b9OPsBWf1Hy6NTT40maV4B0dJ/guRz2Zrm8f6buCm1XgurKt+Bb94OO+/SZ/61lcJmmsF36a tLLoj5Hu03cyDzLveIl/OdNjvV95583/nn+jp31nmy3/LWmC4POZHlknDe1DDgv5vaot9bf8 osRSnJFoqMVcVJwIAAHFxKyxAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/zEZ-PqqgSUgme1nN5Jl_YzgvDzQ>
Subject: [kitten] Review of draft-ietf-kitten-channel-bound-flag-01
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Jun 2017 14:38:59 -0000
Here are my semantic concerns: Section 1: * Paragraph 2 discusses taking advantage of implementation behavior to deploy channel bindings on initiators first, then acceptors. A naive reader might conclude that this is sufficient, because an acceptor can be configured to not provide channel bindings if it does not wish to require all initiators to provide them as well. It would be helpful to explain that the value obtained by providing channel bindings on the acceptor without enforcing them, which is that participating initiators gain protection against MITM attacks. * Paragraph 4 should either be omitted or made more specific. It's interesting to me that SSPI implements these semantics (all of them or just the existence of a channel-bound ret flag?), but that should be stated directly or just skipped. Section 1.1: * "[RFC2743] seems to indicate that mechanisms must ignore channel bindings when one party provided none." What part of RFC 2743? How does this statement square with "This facility is meant to be all-or-nothing" in the introduction? * The remainder of this paragraph seems redundant with the top material in section 1. Sections 1.2-1.4: these sections are kind of informal and may not all be of interest to implementors. I think it's worth saying that gss_create_sec_context() is expected to lead to simpler stepper functions in the future, but the rest can probably go. Section 2.2: * The term "understood" is a little unclear, and aside from the new channel-bound flag, it's unclear how a mechanism should process the absence of an understood flag. Out of band, Nico has said that he doesn't expect the mechanism to pare down its set of ret_flags based on ret_flags_understood (e.g. it should not omit the mutual-auth flag if the application doesn't include it in ret_flags_understood). So the mechanism should only consult ret_flags_understood when it really needs to know, such as with the new channel-bound flag. The draft should make that clear. * The new gss_set_context_flags() call allows us to specify req_flags to gss_accept_sec_context(), which is an intentional addition. However, we have no immediate use for it, and the draft doesn't make it clear whether an existing mechanism should do anything with existing req_flags on the acceptor. Section 2.2.1: * Naming the parameter "ret_flags" rather than "ret_flags_understood" in the C bindings appears to create some confusion as to what should be done with the flags. Section 2.4 and 2.5: * For background, the overall purpose of this draft is to make channel bindings fit the GSS-API model where the caller asks for things and then checks whether it actually got them. On the initiator it is awkward to achieve this goal, since the krb5 mech does not have channel binding confirmation and other existing mechanisms may not have it either. Thus the draft specifies new mechanism attributes to express whether a mechanism has channel binding confirmation, and a request flag to filter SPNEGO mechanisms according to whether they can confirm channel bindings. Nico has a plan to extend the krb5 mech's mutual-auth response to confirm channel bindings, likely using GSS_C_CB_CONFIRM_FLAG (2048) in the 8003 checksum flags value as a negotiation bit. * GSS_C_MA_CBINDING_MAY_CONFIRM does not really express where the krb5 mech will wind up after the mutual auth response is extended, as channel bindings will only be confirmed if the initiator requests mutual auth, and possibly only if the mechanism choose an RFC 4121 enctype. * The specification of req_cb_confirmation_flag is wishy-washy as to whether it allows SPNEGO to choose a mechanism that might only possibly be able to confirm channel bindings. I'm not sure that this request flag will ever wind up being useful to callers. * "the pseudo-mechanism MUST NOT negotiate any mechanisms that lack the GSS_C_MA_CBINDING_CONFIRM or GSS_C_MA_CBINDING_MAY_CONFIRM mechanism attributes" reads to me as "mechanisms must have both attributes to qualify", but from context I think it is supposed to mean "mechanisms must have one of the two attributes to qualify". Section 2.6: * Here we specify the behavior of gss_delete_sec_context on an empty context. We should also specify the behavior an the application tries to use an empty context with gss_inquire_sec_context(), gss_wrap(), etc.. Per discussion with Nico, doing so should result in GSS_S_NO_CONTEXT, just as if the application supplied GSS_C_NO_CONTEXT to those functions. Section 3: * The third requirement says that init_sec_context SHOULD be lax about the acceptor not providing channel bindings, but notes that "It is possible that not all security mechanism protocols can implement this requirement easily." In contrast, the fourth requirement says that init_sec_context MUST be lax if the caller understands ret_channel_bound_flag. The fourth requirement doesn't seem to square with the proviso on the third. If a mechanism can conform to the fourth requirement, then it seems like it can also conform to the third requirement. And here are a few copy-editing notes: Abstract: * "This document addresses both, the..." should not have the comma. Section 2.2: * undestands -> understands * "individual elements -one-per-flag- instead" -> "individual elements--one per flag--instead" Section 3: * There are multiple instances of "Whenever [something] shall have [done something]", which doesn't look right to me. Omitting the word "shall", and sometimes changing "have" to "has", makes them look better. * "Whenever both, the initiator..." should not have the comma. * "This is a restatement... restated for the reader's convenience" should either omit "a restatement of" or the final clause.
- [kitten] Review of draft-ietf-kitten-channel-boun… Greg Hudson
- Re: [kitten] Review of draft-ietf-kitten-channel-… Benjamin Kaduk