IETF Logo Mail Archive

[kitten] CB data characteristics Re: Fw: New Version Notification for draft-mills-kitten-sasl-oauth-02

"William J. Mills" <wmills@yahoo-inc.com> Sat, 09 April 2011 00:09 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4A9CD3A6A42 for <kitten@core3.amsl.com>; Fri, 8 Apr 2011 17:09:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.598
X-Spam-Level:
X-Spam-Status: No, score=-17.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9277oAc2OpRb for <kitten@core3.amsl.com>; Fri, 8 Apr 2011 17:09:07 -0700 (PDT)
Received: from web32303.mail.mud.yahoo.com (web32303.mail.mud.yahoo.com [68.142.207.151]) by core3.amsl.com (Postfix) with SMTP id DD31C3A6A20 for <kitten@ietf.org>; Fri, 8 Apr 2011 17:09:06 -0700 (PDT)
Received: (qmail 74039 invoked by uid 60001); 9 Apr 2011 00:10:49 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1302307848; bh=dDz4SQK6hdeM9wOJmR//zXSI2bT9CCGPlXKoOnzPh9M=; h=Message-ID:X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=SYyxL+Vm8BHHBqVMbFdbfuImlDv5yjIy3T2GHEOr9u/HiVzQO5AZ7mk0OxiQ5CKDz5gsD4Xj3t7JLVTbjAnY6qvpLtbLP+No+GI5yQ7zouJecKnPh/06oCnuyQBiKt5OYzIsPIWdOrzsB/GkvD2wzNb0p9vswjm19ofsr0Q6wXM=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=Message-ID:X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=RAmSC5HojdegbVVPULMSGQlrZG95TYonlCM4OMSowm6KJdiQ3IqjHij7DDY49cpoQ3GaRYU5B63JSNn/2LwPusJnp6veFnFZjRnA/dgqdohXBNzSraDtfv3uZUs0E95O1zF8UbkIYSuPJdqNhEOE0waxzvvmAh12Gn4cDIFzFag=;
Message-ID: <991228.73942.qm@web32303.mail.mud.yahoo.com>
X-YMail-OSG: Fhj1MBQVM1kK2L8Gr26Z.4ODbxPZ5EODe5LXEj155elNxa2 CQZhbfgCVa7EE84dUJ5ERygJXciMThLOHUv_ilBDVY3TPtN5G6p493Ez4qXt 37Xo6t9I6L6MjVoLdRKNMyIDLwfvC8ZCHuQg6c3hjgc53OrCTQ7T.Gho7qdB p52aUzVXmKrLS_Lk2KBS8me81SpKvxW3i5D3QVF6Sm5cmcWCJrkAeqaMQxEW 4XOtexT6VET_34HYk9Xq.ZDH1MfvATsCNZT8flXB4L4C2cJzOdHM9R6oez4q TWqJeuaTJ9laYQQUWvU7kRih2LbLMSGrr4hGmacXILTN9eY2dnPiemEEYvmq 8XML9SiwFsihoRl4khPftafnr0B9zG3FR
Received: from [209.131.62.115] by web32303.mail.mud.yahoo.com via HTTP; Fri, 08 Apr 2011 17:10:48 PDT
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.110.299900
References: <20110408070506.12ECB3A6A4C@core3.amsl.com> <416848.75882.qm__16525.0710481361$1302247955$gmane$org@web32314.mail.mud.yahoo.com> <87hba9b13i.fsf@latte.josefsson.org> <tsl4o684s5q.fsf@mit.edu> <754979.46407.qm@web32303.mail.mud.yahoo.com> <tslr59c3asv.fsf@mit.edu> <7EE86E89365CA94F8E7B8251F926071007AC12BC@CIO-KRC-D1MBX01.osuad.osu.edu> <tslipuo378b.fsf@mit.edu> <7EE86E89365CA94F8E7B8251F926071007AC141F@CIO-KRC-D1MBX01.osuad.osu.edu> <BANLkTi=XyB7cAF7wmC0mjQKgNsbWhT7QgA@mail.gmail.com>
Date: Fri, 08 Apr 2011 17:10:48 -0700
From: "William J. Mills" <wmills@yahoo-inc.com>
To: "kitten@ietf.org" <kitten@ietf.org>
In-Reply-To: <BANLkTi=XyB7cAF7wmC0mjQKgNsbWhT7QgA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-479900375-1302307848=:73942"
Subject: [kitten] CB data characteristics Re: Fw: New Version Notification for draft-mills-kitten-sasl-oauth-02
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: "William J. Mills" <wmills@yahoo-inc.com>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Apr 2011 00:09:08 -0000

Related questions about channel binding data...

CB data is prefixed with the channel binding scheme name and a colon, is there BNF or a definition for what the rest of that looks like?  Do I need to base64 it to make it safe to move in an HTML context?

Also, how big will it end up?  I suppose an SSL certificate can be a few k in the extreme case.

Thanks,

-bill


________________________________
From: Nico Williams <nico@cryptonector.com>
To: "Cantor, Scott E." <cantor.2@osu.edu>
Cc: "kitten@ietf.org" <kitten@ietf.org>; Simon Josefsson <simon@josefsson.org>; Tim Showalter <timshow@yahoo-inc.com>; Sam Hartman <hartmans-ietf@mit.edu>
Sent: Friday, April 8, 2011 12:35 PM
Subject: Re: [kitten] Fw: New Version Notification for draft-mills-kitten-sasl-oauth-02

On Fri, Apr 8, 2011 at 2:27 PM, Cantor, Scott E. <cantor.2@osu.edu> wrote:
>> Unless I'm missing something (wouldn't be the first time) I think 1 and
>> 2 are sufficient for a non-HTTP use case.
>
> It's sufficient for a persistent connection. I think you answered the other case by mentioning cookies. Normally that has a fairly perjorative connotation, but since the client here isn't a browser (read browser as "security sinkhole"), such a cookie isn't a cookie in the "anybody can probably steal it" sense.

HTTP, by its nature, only really allows you to use cookies to tie all
the requests (and responses) that make up an application "session".
Ideally there'd be a little more to it.  For example, the application
could use TLS session IDs to map HTTPS requests and responses to
application sessions, but this is complicated (there could be many TLS
sessions mapping onto one application session, with new TLS sessions
added at any time) and not actually done in practice.  Or the client
and server could share an established GSS security context and place a
MIC in the request/response headers -- a MIC of the request/response
body, and maybe some security-sensitive headers.  But that's not the
HTTP that we have.  HTTP as it is and as we use it allows us only the
use of cookies for this purpose.

Fortunately we also have HTTPS, and we're talking about doing CB.  So
setting a secure-only cookie has been, is, and will continue to be a
reasonable thing to do to solve this particular problem.

Nico
--
_______________________________________________
Kitten mailing list
Kitten@ietf.org
https://www.ietf.org/mailman/listinfo/kitten

v2.23.0 | Report a Bug | By Email