Re: [saag] Additions to RFC 3631?

Nico Williams <nico@cryptonector.com> Mon, 21 May 2012 18:07 UTC

In-Reply-To: <416327B2-6E60-4D09-B3E7-D314F4FDD4E1@cs.columbia.edu>
References: <300A2E9F-E99B-46FA-A101-E3611BD0D197@cs.columbia.edu> <877gw69h81.fsf@latte.josefsson.org> <4FB9ECA4.3010904@gmail.com> <D54BB652-9B1D-4A19-8F8F-AF288E4ADE24@cs.columbia.edu> <78F24BEE-DD3B-474D-9E0B-1AC73CBE373A@vpnc.org> <CAK3OfOj=jR4R+hBDTcv-DNqqU0AdHHonSTOmsMpR3ZqmhDmbdQ@mail.gmail.com> <416327B2-6E60-4D09-B3E7-D314F4FDD4E1@cs.columbia.edu>
Date: Mon, 21 May 2012 13:07:02 -0500
Message-ID: <CAK3OfOjJviVNPpHfsie_KToVfO2rNB3Bq6MgkQvfuPSSKMhkog@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Steven Bellovin <smb@cs.columbia.edu>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, IETF Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Additions to RFC 3631?

On Mon, May 21, 2012 at 12:59 PM, Steven Bellovin <smb@cs.columbia.edu> wrote:
> On May 21, 2012, at 1:06:49 PM, Nico Williams wrote:
>> On Mon, May 21, 2012 at 11:42 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>>> +1 to adding EAP as a mechanism.
>>>
>>> +/-0 to adding channel bindings, given how few people understand them.
>>
>> Either it's important/useful or not.  If it is then having some text
>> in this RFC would help those people who don't understand CB.
>>
> I agree.

But is it important/useful?

Given that MSFT has implemented and deployed it I think it's at least useful.

I do think CB is important -- certainly as a protocol design/analysis
tool.  I also think it should be used more often.  You'd think I would
think that, given that I'm the author of RFC5056, but I like to think
that I'm objective enough on this topic...  enough so that I can tell
you what the biggest problem with CB is: the fact that it's one more
thing that the application developer has to know about and do.  It'd
be nice if more of the protocol stack up to and including
application-layer authentication (where there is the option to do
that) were abstracted.  Still, CB is relatively simple: extract the CB
from the channel, feed it to authentication.

Nico
--
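As an added illustration (not part of the original thread) of the "extract the CB from the channel, feed it to authentication" step: a constructed Python sketch in which the channel binding is a tls-server-end-point-style hash of the server certificate and the client mixes it into its authentication MAC, so a proof computed over one channel is not accepted over another. The certificate bytes, shared secret and nonce are constructed stand-ins, and the MAC construction is a simplified hypothetical one, not RFC 5056's or any deployed mechanism's.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "channel": a TLS session identified by the
# server's end-point certificate.  The binding data is a hash of that
# certificate (in the spirit of tls-server-end-point); the "DER" below is
# constructed sample bytes, not a real certificate.
def tls_server_end_point(cert_der: bytes) -> bytes:
    """Channel binding (CB) data extracted from the channel."""
    return hashlib.sha256(cert_der).digest()


def client_auth_proof(secret: bytes, nonce: bytes, cb: bytes) -> bytes:
    """Hypothetical authentication proof: the CB is fed into the MAC so the
    proof is only valid for the channel the client actually sees."""
    msg = b"cb:" + cb + b"|nonce:" + nonce
    return hmac.new(secret, msg, hashlib.sha256).digest()


def server_verify(secret: bytes, nonce: bytes, own_cert: bytes, proof: bytes) -> bool:
    """Server recomputes the proof using the CB of *its own* channel."""
    expected = client_auth_proof(secret, nonce, tls_server_end_point(own_cert))
    return hmac.compare_digest(expected, proof)


def run_scenario(same_channel: bool) -> bool:
    """Returns True iff the server accepts the client's proof.
    same_channel=False models the client authenticating over a channel whose
    end point differs from the server's (e.g. a different certificate)."""
    secret = b"constructed-shared-secret"
    server_cert = b"constructed DER bytes of the real server certificate"
    other_cert = b"constructed DER bytes of some other end point"
    nonce = os.urandom(16)
    # Client: extract CB from the channel it sees, feed it to authentication.
    seen_cert = server_cert if same_channel else other_cert
    proof = client_auth_proof(secret, nonce, tls_server_end_point(seen_cert))
    # Server: verify against the CB of the channel it terminated.
    return server_verify(secret, nonce, server_cert, proof)


if __name__ == "__main__":
    print("same channel accepted:", run_scenario(same_channel=True))
    print("other channel accepted:", run_scenario(same_channel=False))
```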