Re: [saag] Channel binding is great but not a silver bullet

Nicolas Williams <Nicolas.Williams@sun.com> Mon, 02 March 2009 16:09 UTC

Date: Mon, 02 Mar 2009 10:00:36 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Sam Hartman <hartmans-ietf@mit.edu>
Message-ID: <20090302160035.GF9992@Sun.COM>
References: <2788466ED3E31C418E9ACC5C3166155768B2CB@mou1wnexmb09.vcorp.ad.vrsn.com> <0c2301c9979f$8a1cd770$0600a8c0@china.huawei.com> <2788466ED3E31C418E9ACC5C3166155768B2CE@mou1wnexmb09.vcorp.ad.vrsn.com> <20090226143809.GF7227@mit.edu> <1235663917.3293.16.camel@localhost> <20090226165448.GK9992@Sun.COM> <tslprh5rlvt.fsf_-_@mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <tslprh5rlvt.fsf_-_@mit.edu>
User-Agent: Mutt/1.5.7i
Cc: der Mouse <mouse@Rodents-Montreal.ORG>, saag@ietf.org
Subject: Re: [saag] Channel binding is great but not a silver bullet
Precedence: list

On Thu, Feb 26, 2009 at 03:20:06PM -0500, Sam Hartman wrote:
> Nico, while I'm in favor of channel binding and believe your approach
> has a lot of value, please be careful to apply it only where applicable.

I'm mildly offended by your comment.  This is not channel binding as an
end -- it'd be silly to treat channel binding as end in itself, and if
you imply that that's what I'm doing then I categorically reject that.

This is channel binding as a means to an end, not as the end.  The end
is mutual authentication without a PKI but with [optional] federation.

> Phil is talking about the web browser PKI.  Channel binding to
> existing authentication solves some problems in that space, but
> definitely not all.  For example it is not useful for securing
> enrollment or certain classes of URI-only handoff.

My proposal does not solve enrolment, and though enrolment is the same
problem as the base problem, enrolment is also rare, therefore a simpler
problem.

There are two kinds of enrolment: those where the user is willing to use
a pre-existing business relationship, and those where the user is not.
For the former one could use SMS, much the way Google handles gmail
account creation, and, with somewhat less privacy, any ISP-mediated
federation will do as well -- heck, one could have coffee-house mediated
federation.  For the latter the existing weak PKI will just have to do,
but arguably if you're signing up for a hotmail or gmail account without
a pre-existing relationship then you get what you pay for, and anyways,
eventually you'll notice if you've enrolled through an MITM (because the
MITM won't always be able to be in the middle!).

> So, I think the web will continue to need a PKI.:-)

Yes, but if we solve the mutual authentication case then for the cases
where we don't need mutual authentication we can probably live with a
weak PKI.

Nico
--

Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
[saag] SHA-1 to SHA-n transition Stephen Kent
Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
Re: [saag] SHA-1 to SHA-n transition Hannes Tschofenig
Re: [saag] SHA-1 to SHA-n transition Stephen Kent
Re: [saag] SHA-1 to SHA-n transition Chandersekaran, Coimbatore S
Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Yoav Nir
Re: [saag] SHA-1 to SHA-n transition Pasi.Eronen
Re: [saag] SHA-1 to SHA-n transition David McGrew
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Santosh Chokhani
Re: [saag] SHA-1 to SHA-n transition der Mouse
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Paul Hoffman
Re: [saag] SHA-1 to SHA-n transition David Harrington
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Michael O'Neill
Re: [saag] SHA-1 to SHA-n transition Theodore Tso
[saag] Deployment Deadlock Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Bill Sommerfeld
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
[saag] Channel binding is great but not a silver … Sam Hartman
Re: [saag] Channel binding is great but not a sil… Nicolas Williams
Re: [saag] Channel binding is great but not a sil… Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] Channel binding is great but not a sil… Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
Re: [saag] Channel binding is great but not a sil… Jeffrey Hutzelman
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] Channel binding is great but not a sil… Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
Re: [saag] Channel binding is great but not a sil… Alan DeKok
Re: [saag] Channel binding is great but not a sil… Jeffrey Hutzelman
Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
Re: [saag] Channel binding is great but not a sil… Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] Channel binding is great but not a sil… Alan DeKok
[saag] Or grow a real PKI (Re: SHA-1 to SHA-n tra… Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
Re: [saag] SHA-1 to SHA-n transition Stephen Kent
Re: [saag] Channel binding is great but not a sil… Stephen Kent
Re: [saag] Channel binding is great but not a sil… Stephen Kent
Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Stephen Kent
Re: [saag] Channel binding is great but not a sil… Nicolas Williams
Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Nicolas Williams
Re: [saag] Deployment Deadlock Pasi.Eronen
Re: [saag] Deployment Deadlock Hallam-Baker, Phillip
Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Hallam-Baker, Phillip
Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Jeffrey Hutzelman
Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Stephen Kent
Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
Re: [saag] SHA-1 to SHA-n transition Theodore Tso
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Bill Sommerfeld
[saag] Credential portability RE: SHA-1 to SHA-n … Hallam-Baker, Phillip