[saag] Channel binding is great but not a silver bullet

Sam Hartman <hartmans-ietf@mit.edu> Thu, 26 February 2009 20:19 UTC

Return-Path: <hartmans@mit.edu>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 351C528C15F for <saag@core3.amsl.com>; Thu, 26 Feb 2009 12:19:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.293
X-Spam-Level:
X-Spam-Status: No, score=-2.293 tagged_above=-999 required=5 tests=[AWL=-0.028, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tybqzK+kHtTw for <saag@core3.amsl.com>; Thu, 26 Feb 2009 12:19:54 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) by core3.amsl.com (Postfix) with ESMTP id 81F3228C142 for <saag@ietf.org>; Thu, 26 Feb 2009 12:19:54 -0800 (PST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 4BEDB4245; Thu, 26 Feb 2009 15:20:06 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Nicolas Williams <Nicolas.Williams@sun.com>
References: <2788466ED3E31C418E9ACC5C3166155768B2CB@mou1wnexmb09.vcorp.ad.vrsn.com> <0c2301c9979f$8a1cd770$0600a8c0@china.huawei.com> <2788466ED3E31C418E9ACC5C3166155768B2CE@mou1wnexmb09.vcorp.ad.vrsn.com> <20090226143809.GF7227@mit.edu> <1235663917.3293.16.camel@localhost> <20090226165448.GK9992@Sun.COM>
Date: Thu, 26 Feb 2009 15:20:06 -0500
In-Reply-To: <20090226165448.GK9992@Sun.COM> (Nicolas Williams's message of "Thu, 26 Feb 2009 10:54:48 -0600")
Message-ID: <tslprh5rlvt.fsf_-_@mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: der Mouse <mouse@Rodents-Montreal.ORG>, saag@ietf.org
Subject: [saag] Channel binding is great but not a silver bullet
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Feb 2009 20:19:55 -0000

Nico, while I'm in favor of channel binding and believe your approach
has a lot of value, please be careful to apply it only where applicable.

Phil is talking about the web browser PKI.  Channel binding to
existing authentication solves some problems in that space, but
definitely not all.  For example, it is not useful for securing
enrollment or certain classes of URI-only handoff.

So, I think the web will continue to need a PKI. :-)
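To make the distinction in the message above concrete, here is an added toy model (not code from the email or from any IETF specification) of channel binding in the RFC 5056 sense: a client proves possession of an existing credential with a MAC that also covers the channel's binding data (modelled after tls-unique, where both ends of one TLS session see the same value and a relay that terminates the session necessarily sees a different value on each leg). The `Channel`, `Server`, user names and passwords are all constructed for the illustration. The first two scenarios show the case channel binding is good at: an authenticator relayed across a terminated channel fails verification. The third shows the enrollment case the message calls out: with no pre-existing secret, the server has nothing to bind the channel to, so it cannot tell which endpoint it just enrolled.

```python
"""Toy model of channel binding and of its limit at enrollment.

Assumptions (constructed for this example, not from the email):
- Channel.cb_data stands in for tls-unique channel-binding data.
- A user credential is a PBKDF2-derived key shared with the server.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Channel:
    """One secure channel. Both endpoints of the same channel observe the
    same cb_data; a relay that terminates the channel has two channels,
    each with its own cb_data."""
    name: str
    cb_data: bytes = field(default_factory=lambda: os.urandom(12))


def derive_user_key(password: str, salt: bytes) -> bytes:
    """Credential shared between user and server (toy: PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_proof(user_key: bytes, username: str, channel: Channel) -> bytes:
    """Authenticator = HMAC(user_key, username || cb_data). Because it covers
    the channel binding data, it only verifies on the channel it was made for."""
    msg = username.encode() + b"\x00" + channel.cb_data
    return hmac.new(user_key, msg, "sha256").digest()


class Server:
    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}  # name -> (salt, key)

    def enroll(self, username: str, user_key: bytes, salt: bytes) -> bool:
        """Enrollment: the server has no prior secret for this user, so there
        is nothing it could bind the channel to."""
        if username in self.users:
            return False
        self.users[username] = (salt, user_key)
        return True

    def verify(self, username: str, proof: bytes, channel: Channel) -> bool:
        """Authentication: recompute the proof over the server's own view of
        the channel and compare in constant time."""
        if username not in self.users:
            return False
        _salt, key = self.users[username]
        return hmac.compare_digest(proof, make_proof(key, username, channel))


def direct_login() -> bool:
    """Alice enrolled earlier; a later login over a direct channel verifies."""
    server, salt = Server(), os.urandom(8)
    key = derive_user_key("correct horse battery", salt)
    server.enroll("alice", key, salt)
    ch = Channel("alice<->server")
    return server.verify("alice", make_proof(key, "alice", ch), ch)


def relayed_login_detected() -> bool:
    """Existing credential + channel binding: a proof computed over one leg
    of a terminated channel is rejected on the other leg."""
    server, salt = Server(), os.urandom(8)
    key = derive_user_key("correct horse battery", salt)
    server.enroll("alice", key, salt)
    leg_client = Channel("alice<->relay")      # what Alice's client sees
    leg_server = Channel("relay<->server")     # what the server sees
    proof = make_proof(key, "alice", leg_client)
    return not server.verify("alice", proof, leg_server)  # rejected -> True


def relayed_enrollment_not_detected() -> bool:
    """Enrollment through a terminated channel: the server stores whatever
    key arrives over its leg, and later logins over that same kind of leg
    verify fine. Channel binding is intact; it simply had nothing to bind.
    This is the gap the email says still needs a PKI or other trust anchor."""
    server = Server()
    # Alice's enrollment never reaches the server as hers; the far end of
    # the server's leg enrolls "alice" with a key of its own choosing.
    far_salt = os.urandom(8)
    far_key = derive_user_key("far-end-chosen", far_salt)
    server.enroll("alice", far_key, far_salt)
    later = Channel("far-end<->server, later")
    return server.verify("alice", make_proof(far_key, "alice", later), later)


if __name__ == "__main__":
    print("direct login accepted:", direct_login())
    print("relayed login rejected:", relayed_login_detected())
    print("relayed enrollment accepted:", relayed_enrollment_not_detected())
```

The model deliberately leaves out how cb_data is derived in real TLS; the point it carries is only that binding a proof to a channel is useful exactly when there is already a secret to make the proof with.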