[saag] Channel binding is great but not a silver bullet
Sam Hartman <hartmans-ietf@mit.edu> Thu, 26 February 2009 20:19 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 351C528C15F for <saag@core3.amsl.com>; Thu, 26 Feb 2009 12:19:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.293
X-Spam-Level:
X-Spam-Status: No, score=-2.293 tagged_above=-999 required=5 tests=[AWL=-0.028, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tybqzK+kHtTw for <saag@core3.amsl.com>; Thu, 26 Feb 2009 12:19:54 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) by core3.amsl.com (Postfix) with ESMTP id 81F3228C142 for <saag@ietf.org>; Thu, 26 Feb 2009 12:19:54 -0800 (PST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 4BEDB4245; Thu, 26 Feb 2009 15:20:06 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Nicolas Williams <Nicolas.Williams@sun.com>
References: <2788466ED3E31C418E9ACC5C3166155768B2CB@mou1wnexmb09.vcorp.ad.vrsn.com> <0c2301c9979f$8a1cd770$0600a8c0@china.huawei.com> <2788466ED3E31C418E9ACC5C3166155768B2CE@mou1wnexmb09.vcorp.ad.vrsn.com> <20090226143809.GF7227@mit.edu> <1235663917.3293.16.camel@localhost> <20090226165448.GK9992@Sun.COM>
Date: Thu, 26 Feb 2009 15:20:06 -0500
In-Reply-To: <20090226165448.GK9992@Sun.COM> (Nicolas Williams's message of "Thu, 26 Feb 2009 10:54:48 -0600")
Message-ID: <tslprh5rlvt.fsf_-_@mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: der Mouse <mouse@Rodents-Montreal.ORG>, saag@ietf.org
Subject: [saag] Channel binding is great but not a silver bullet
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Feb 2009 20:19:55 -0000
Nico, while I'm in favor of channel binding and believe your approach has a lot of value, please be careful to apply it only where applicable. Phil is talking about the web browser PKI. Channel binding to existing authentication solves some problems in that space, but definitely not all. For example it is not useful for securing enrollment or certain classes of URI-only handoff. So, I think the web will continue to need a PKI.:-)
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- [saag] SHA-1 to SHA-n transition Stephen Kent
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Hannes Tschofenig
- Re: [saag] SHA-1 to SHA-n transition Stephen Kent
- Re: [saag] SHA-1 to SHA-n transition Chandersekaran, Coimbatore S
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Yoav Nir
- Re: [saag] SHA-1 to SHA-n transition Pasi.Eronen
- Re: [saag] SHA-1 to SHA-n transition David McGrew
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Santosh Chokhani
- Re: [saag] SHA-1 to SHA-n transition der Mouse
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Paul Hoffman
- Re: [saag] SHA-1 to SHA-n transition David Harrington
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Michael O'Neill
- Re: [saag] SHA-1 to SHA-n transition Theodore Tso
- [saag] Deployment Deadlock Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Bill Sommerfeld
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- [saag] Channel binding is great but not a silver … Sam Hartman
- Re: [saag] Channel binding is great but not a sil… Nicolas Williams
- Re: [saag] Channel binding is great but not a sil… Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] Channel binding is great but not a sil… Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] Channel binding is great but not a sil… Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] Channel binding is great but not a sil… Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] Channel binding is great but not a sil… Alan DeKok
- Re: [saag] Channel binding is great but not a sil… Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] Channel binding is great but not a sil… Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] Channel binding is great but not a sil… Alan DeKok
- [saag] Or grow a real PKI (Re: SHA-1 to SHA-n tra… Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Stephen Kent
- Re: [saag] Channel binding is great but not a sil… Stephen Kent
- Re: [saag] Channel binding is great but not a sil… Stephen Kent
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Stephen Kent
- Re: [saag] Channel binding is great but not a sil… Nicolas Williams
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Nicolas Williams
- Re: [saag] Deployment Deadlock Pasi.Eronen
- Re: [saag] Deployment Deadlock Hallam-Baker, Phillip
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Hallam-Baker, Phillip
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Stephen Kent
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Theodore Tso
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Bill Sommerfeld
- [saag] Credential portability RE: SHA-1 to SHA-n … Hallam-Baker, Phillip