Re: [sasl] "Last call" on draft-altman-tls-channel-bindings-05.txt
Nicolas Williams <Nicolas.Williams@sun.com> Mon, 31 August 2009 20:15 UTC
Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: sasl@core3.amsl.com
Delivered-To: sasl@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DC9F228C55C for <sasl@core3.amsl.com>; Mon, 31 Aug 2009 13:15:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.853
X-Spam-Level:
X-Spam-Status: No, score=-5.853 tagged_above=-999 required=5 tests=[AWL=0.193, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0WxP7NrP6vnm for <sasl@core3.amsl.com>; Mon, 31 Aug 2009 13:15:10 -0700 (PDT)
Received: from balder-227.proper.com (Balder-227.Proper.COM [192.245.12.227]) by core3.amsl.com (Postfix) with ESMTP id 988D128C553 for <sasl@ietf.org>; Mon, 31 Aug 2009 13:15:10 -0700 (PDT)
Received: from sca-ea-mail-4.sun.com (sca-ea-mail-4.Sun.COM [192.18.43.22]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7VKFLvC033888 for <ietf-sasl@imc.org>; Mon, 31 Aug 2009 13:15:22 -0700 (MST) (envelope-from Nicolas.Williams@sun.com)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id n7VKFLj8013590 for <ietf-sasl@imc.org>; Mon, 31 Aug 2009 20:15:21 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id n7VKFKOl028363 for <ietf-sasl@imc.org>; Mon, 31 Aug 2009 14:15:20 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n7VJur8L007611; Mon, 31 Aug 2009 14:56:53 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n7VJuq2f007610; Mon, 31 Aug 2009 14:56:52 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Mon, 31 Aug 2009 14:56:52 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: ietf-sasl@imc.org, tls@ietf.org
Message-ID: <20090831195652.GV1033@Sun.COM>
References: <20090818213427.GU1043@Sun.COM>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20090818213427.GU1043@Sun.COM>
User-Agent: Mutt/1.5.7i
Subject: Re: [sasl] "Last call" on draft-altman-tls-channel-bindings-05.txt
X-BeenThere: sasl@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SASL Working Group <sasl.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sasl>, <mailto:sasl-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sasl>
List-Post: <mailto:sasl@ietf.org>
List-Help: <mailto:sasl-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sasl>, <mailto:sasl-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Aug 2009 20:15:11 -0000
I've just posted version -06, incorporating all changes agreed so far. This pseudo-WGLC started on August 18th. Tomorrow I'll ask Pasi to take the next step in the publication process. Thanks, Nico -- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7JMjClP006391 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 19 Aug 2009 15:45:12 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n7JMjCWS006390; Wed, 19 Aug 2009 15:45:12 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from sca-ea-mail-1.sun.com (sca-ea-mail-1.Sun.COM [192.18.43.24]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7JMjAUj006383 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for <ietf-sasl@imc.org>; Wed, 19 Aug 2009 15:45:11 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-01.central.sun.com ([129.147.62.4]) by sca-ea-mail-1.sun.com (8.13.7+Sun/8.12.9) with ESMTP id n7JMjAt9009231 for <ietf-sasl@imc.org>; Wed, 19 Aug 2009 22:45:10 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id n7JMjAj7064386 for <ietf-sasl@imc.org>; Wed, 19 Aug 2009 16:45:10 -0600 (MDT) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n7JMQw4c004584; Wed, 19 Aug 2009 17:26:58 -0500 (CDT) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n7JMQwpe004583; Wed, 19 Aug 2009 17:26:58 -0500 (CDT) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Wed, 19 Aug 2009 17:26:58 -0500 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Simon Josefsson <simon@josefsson.org> Cc: ietf-sasl@imc.org, tls@ietf.org Subject: Re: [TLS] "Last call" on draft-altman-tls-channel-bindings-05.txt Message-ID: <20090819222658.GT1043@Sun.COM> References: <20090818213427.GU1043@Sun.COM> <87ljlgbv2a.fsf@mocca.josefsson.org> <20090819212223.GN1043@Sun.COM> <87d46r4f19.fsf@mocca.josefsson.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87d46r4f19.fsf@mocca.josefsson.org> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Thu, Aug 20, 2009 at 12:25:38AM +0200, Simon Josefsson wrote: > Nicolas Williams <Nicolas.Williams@sun.com> writes: > > But I don't want to guess at what might happen in the future > > of digital signatures. > > I agree, we could decide to not resolve this concern. > > > Instead I'd rather either say either that tls-server-end-point CB is > > undefined if the cert's signature alg does not use a signature, or > > pick a hash function (e.g., SHA-512) to use in such cases. > > If use of SHA-512 is hard-coded, we run into problem when it is phased > out. Negotiation any other hash function will be tricky. Alas, I'm not > sure leaving it undefined is any better: negotiating what hash function > to use in that situation seems equally tricky. I chatted with Jeff Hutzelman about this, and we both concluded that leaving tls-server-end-point undefined in this case is acceptable because we could change the spec to define tls-server-end-point for such signature algorithms when they arise. > This is one reason where deriving channel binding data from the TLS > channel using tls-extractor appears more robust: it leaves negotiation > of the hash function to the TLS protocol. tls-unique does that already (though not using the extractor). We're talking about end-point channel binding types here, which are independent of actual channels, therefore we couldn't use the extractor. Nico -- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7JMeiF6006009 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 19 Aug 2009 15:40:44 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n7JMeiiP006008; Wed, 19 Aug 2009 15:40:44 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from sca-ea-mail-1.sun.com (sca-ea-mail-1.Sun.COM [192.18.43.24]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7JMegGx006002 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for <ietf-sasl@imc.org>; Wed, 19 Aug 2009 15:40:43 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-01.central.sun.com ([129.147.62.4]) by sca-ea-mail-1.sun.com (8.13.7+Sun/8.12.9) with ESMTP id n7JMeg7s008446 for <ietf-sasl@imc.org>; Wed, 19 Aug 2009 22:40:42 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id n7JMef5o062222 for <ietf-sasl@imc.org>; Wed, 19 Aug 2009 16:40:41 -0600 (MDT) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n7JMMU9U004576; Wed, 19 Aug 2009 17:22:30 -0500 (CDT) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n7JMMUYM004575; Wed, 19 Aug 2009 17:22:30 -0500 (CDT) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Wed, 19 Aug 2009 17:22:29 -0500 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Simon Josefsson <simon@josefsson.org> Cc: ietf-sasl@imc.org, tls@ietf.org Subject: Re: [TLS] "Last call" on draft-altman-tls-channel-bindings-05.txt Message-ID: <20090819222229.GS1043@Sun.COM> References: <20090818213427.GU1043@Sun.COM> <87ljlgbv2a.fsf@mocca.josefsson.org> <20090819212223.GN1043@Sun.COM> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20090819212223.GN1043@Sun.COM> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Wed, Aug 19, 2009 at 04:22:24PM -0500, Nicolas Williams wrote: > On Wed, Aug 19, 2009 at 12:45:17AM +0200, Simon Josefsson wrote: > > For completeness, I would add: > > > > This algorithm agility resolution mechanism assumes that there is a > > mapping from every Public-key signature algorithm to one hash > > function algorithm. This is the case for all practically used public > > key signature algorithms today, but if future public-key signature > > algorithms would employ multiple hash functions (or none at all) this > > specification needs to be updated to resolve which hash function > > should be used. > > This brings up a question: what to do in the case of randomized digital > signatures? In the case of NIST-SP-800-106 there's still a hash > function, so that's OK. But one can imagine a digital signature > algorithm where a MAC and random key are used instead of a hash. > > ... > > But I don't want to guess at what might happen in the future > of digital signatures. Instead I'd rather either say either > that tls-server-end-point CB is undefined if the cert's > signature alg does not use a signature, or pick a hash > function (e.g., SHA-512) to use in such cases. After asking others I propose the former solution: Description: The hash of the TLS server's certificate [RFC5280] as it appears, octet for octet, in the server's Certificate message (note that the Certificate message contains a certificate_list, the first element of which is the server's certificate.) The hash function is to be selected as follows: - if the certificate's signatureAlgorithm uses a single hash function, and that hash function is either MD5 [RFC1321] or SHA-1 [RFC3174] then use SHA-256 [FIPS-180-2]; - if the certificate's signatureAlgorithm uses a single hash function and that hash function neither MD5 nor SHA-1, then use the hash function associated with the certificate's signatureAlgorithm; - if the certificate's signatureAlgorithm uses no hash functions, or multiple hash functions, then this channel binding type's channel bindings are undefined at this time (updates to is channel binding type may occur to address this issue if it ever arises). Nico -- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7JMPsG5005260 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 19 Aug 2009 15:25:54 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n7JMPsQL005259; Wed, 19 Aug 2009 15:25:54 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7JMPjMO005224 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Wed, 19 Aug 2009 15:25:53 -0700 (MST) (envelope-from simon@josefsson.org) Received: from mocca.josefsson.org (c80-216-31-183.bredband.comhem.se [80.216.31.183]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5) with ESMTP id n7JMPcBJ031296 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 20 Aug 2009 00:25:40 +0200 From: Simon Josefsson <simon@josefsson.org> To: Nicolas Williams <Nicolas.Williams@sun.com> Cc: ietf-sasl@imc.org, tls@ietf.org Subject: Re: "Last call" on draft-altman-tls-channel-bindings-05.txt References: <20090818213427.GU1043@Sun.COM> <87ljlgbv2a.fsf@mocca.josefsson.org> <20090819212223.GN1043@Sun.COM> OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:090819:ietf-sasl@imc.org::KeyHv/WeE0AMzTIv:03lZ X-Hashcash: 1:22:090819:tls@ietf.org::0rTKIlPk8SZjIqkT:ZnPW X-Hashcash: 1:22:090819:nicolas.williams@sun.com::wy96xQShYma/iDOS:g3wg Date: Thu, 20 Aug 2009 00:25:38 +0200 In-Reply-To: <20090819212223.GN1043@Sun.COM> (Nicolas Williams's message of "Wed, 19 Aug 2009 16:22:24 -0500") Message-ID: <87d46r4f19.fsf@mocca.josefsson.org> User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-1.0 required=5.0 tests=AWL,BAYES_00, DATE_IN_FUTURE_96_XX,RDNS_DYNAMIC,SPF_FAIL autolearn=no version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on yxa-v.extundo.com X-Virus-Scanned: clamav-milter 0.95.2 at yxa-v X-Virus-Status: Clean Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Nicolas Williams <Nicolas.Williams@sun.com> writes: > But I don't want to guess at what might happen in the future > of digital signatures. I agree, we could decide to not resolve this concern. > Instead I'd rather either say either that tls-server-end-point CB is > undefined if the cert's signature alg does not use a signature, or > pick a hash function (e.g., SHA-512) to use in such cases. If use of SHA-512 is hard-coded, we run into problem when it is phased out. Negotiation any other hash function will be tricky. Alas, I'm not sure leaving it undefined is any better: negotiating what hash function to use in that situation seems equally tricky. This is one reason where deriving channel binding data from the TLS channel using tls-extractor appears more robust: it leaves negotiation of the hash function to the TLS protocol. /Simon Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7JLeiHZ002650 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 19 Aug 2009 14:40:44 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n7JLei21002648; Wed, 19 Aug 2009 14:40:44 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from sca-ea-mail-1.sun.com (sca-ea-mail-1.Sun.COM [192.18.43.24]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7JLecNK002636 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for <ietf-sasl@imc.org>; Wed, 19 Aug 2009 14:40:42 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-01.central.sun.com ([129.147.62.4]) by sca-ea-mail-1.sun.com (8.13.7+Sun/8.12.9) with ESMTP id n7JLebsm028052 for <ietf-sasl@imc.org>; Wed, 19 Aug 2009 21:40:37 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id n7JLebmJ027639 for <ietf-sasl@imc.org>; Wed, 19 Aug 2009 15:40:37 -0600 (MDT) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n7JLMOoK004480; Wed, 19 Aug 2009 16:22:24 -0500 (CDT) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n7JLMOUh004479; Wed, 19 Aug 2009 16:22:24 -0500 (CDT) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Wed, 19 Aug 2009 16:22:24 -0500 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Simon Josefsson <simon@josefsson.org> Cc: ietf-sasl@imc.org, tls@ietf.org Subject: Re: "Last call" on draft-altman-tls-channel-bindings-05.txt Message-ID: <20090819212223.GN1043@Sun.COM> References: <20090818213427.GU1043@Sun.COM> <87ljlgbv2a.fsf@mocca.josefsson.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87ljlgbv2a.fsf@mocca.josefsson.org> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Wed, Aug 19, 2009 at 12:45:17AM +0200, Simon Josefsson wrote: > For completeness, I would add: > > This algorithm agility resolution mechanism assumes that there is a > mapping from every Public-key signature algorithm to one hash > function algorithm. This is the case for all practically used public > key signature algorithms today, but if future public-key signature > algorithms would employ multiple hash functions (or none at all) this > specification needs to be updated to resolve which hash function > should be used. This brings up a question: what to do in the case of randomized digital signatures? In the case of NIST-SP-800-106 there's still a hash function, so that's OK. But one can imagine a digital signature algorithm where a MAC and random key are used instead of a hash. Traditionally a digital signature S'(Kp, M) = S(Kp, H(M)) while in NIST-SP-800-106 S'(Kp, M) = {rv = rng(rv_len), S(Kp, H(rv || (pad(M, rv_len) XOR xor_pad_gen(rv) || rv_length_indicator(rv_len)))) } One could imagine this, however: S'(Kp, M) = {mk = rng(), S(Kp, MAC(k, M))} in which case there'd be no hash function. Of course, we could define a pseudo-hash function in that case: H(x) = MAC(mk, x), where mk is the mk that would appear in the signature. But I don't want to guess at what might happen in the future of digital signatures. Instead I'd rather either say either that tls-server-end-point CB is undefined if the cert's signature alg does not use a signature, or pick a hash function (e.g., SHA-512) to use in such cases. Comments? Nico -- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7JHOx5g003728 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 19 Aug 2009 10:24:59 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n7JHOxbX003727; Wed, 19 Aug 2009 10:24:59 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from sca-ea-mail-1.sun.com (sca-ea-mail-1.Sun.COM [192.18.43.24]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7JHOY0i003699 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for <ietf-sasl@imc.org>; Wed, 19 Aug 2009 10:24:43 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-1.sun.com (8.13.7+Sun/8.12.9) with ESMTP id n7JGZqFO013219 for <ietf-sasl@imc.org>; Wed, 19 Aug 2009 16:35:56 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id n7JGZpEQ043975 for <ietf-sasl@imc.org>; Wed, 19 Aug 2009 10:35:51 -0600 (MDT) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n7JGHXVB004013; Wed, 19 Aug 2009 11:17:33 -0500 (CDT) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n7JGHSpp004012; Wed, 19 Aug 2009 11:17:28 -0500 (CDT) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Wed, 19 Aug 2009 11:17:28 -0500 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Simon Josefsson <simon@josefsson.org> Cc: ietf-sasl@imc.org, tls@ietf.org Subject: Re: "Last call" on draft-altman-tls-channel-bindings-05.txt Message-ID: <20090819161728.GB1043@Sun.COM> References: <20090818213427.GU1043@Sun.COM> <87ljlgbv2a.fsf@mocca.josefsson.org> <20090818225934.GW1043@Sun.COM> <87bpmcbqxd.fsf@mocca.josefsson.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87bpmcbqxd.fsf@mocca.josefsson.org> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Wed, Aug 19, 2009 at 02:14:38AM +0200, Simon Josefsson wrote: > Nicolas Williams <Nicolas.Williams@sun.com> writes: > > Description: ... > > Looks fine to me. > > > The text you quote is security considerations text; the normative text > > already says exactly what you ask for. But OK: > > > > ... The algorithm to be used, however, is derived from the > > certificate's signature as described in Section 4.1; to recap: use > > SHA-256 if the certificate signature algorithm uses MD5 or SHA-1, > > else use whatever hash function the certificate uses. > > There were two uses of "uses" in the sentence, and the second is still > present, but at least this is better than before. Ah yes: ... The algorithm to be used, however, is derived from the certificate's signature as described in Section 4.1; to recap: use SHA-256 if the certificate signature algorithm uses MD5 or SHA-1, else use whatever hash function the certificate signature algorithm uses. > > Now, section 4.1 says "if the certificate's signature hash algorithm is > > ...". But perhaps it should say "if the hash algorithm used in the > > certificate's signatureAlgorithm is ...", just to be really accurate and > > avoid any possible confusion (with, say, the algorithm field of > > SubjectPublicKeyInfo). Yes? > > The more precise the better, although SubjectPublicKeyInfo generally do > not imply any particular hash function. But for new implementers, it is > easy to go wrong if the text is not specific. So let's add that precision and address signature algs that don't use hash functions: Description: The hash of the TLS server's certificate [RFC5280] as it appears, octet for octet, in the server's Certificate message (note that the Certificate message contains a certificate_list, the first element of which is the server's certificate.) The hash function is to be selected as follows: if the hash algorithm used in the certificate's signatureAlgorithm is either MD5 [RFC1321] or SHA-1 [RFC3174] or if the certificate's signatureAlgorithm does not use any hash functions, then use SHA-256 [FIPS-180-2], otherwise use whatever hash algorithm is used by the certificate's signatureAlgorithm. Nico -- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7J0EvCG028849 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 18 Aug 2009 17:14:57 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n7J0Ev78028848; Tue, 18 Aug 2009 17:14:57 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7J0Es6h028842 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Tue, 18 Aug 2009 17:14:55 -0700 (MST) (envelope-from simon@josefsson.org) Received: from mocca.josefsson.org (c80-216-31-183.bredband.comhem.se [80.216.31.183]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5) with ESMTP id n7J0Ect1002404 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 19 Aug 2009 02:14:47 +0200 From: Simon Josefsson <simon@josefsson.org> To: Nicolas Williams <Nicolas.Williams@sun.com> Cc: ietf-sasl@imc.org, tls@ietf.org Subject: Re: "Last call" on draft-altman-tls-channel-bindings-05.txt References: <20090818213427.GU1043@Sun.COM> <87ljlgbv2a.fsf@mocca.josefsson.org> <20090818225934.GW1043@Sun.COM> OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:090819:ietf-sasl@imc.org::XcO9khQ7yKWKB+bJ:1zR4 X-Hashcash: 1:22:090819:nicolas.williams@sun.com::xQBD+AnB68GkFtvc:5LOR X-Hashcash: 1:22:090819:tls@ietf.org::9tI8e5seg85tFhXg:Bi0/ Date: Wed, 19 Aug 2009 02:14:38 +0200 In-Reply-To: <20090818225934.GW1043@Sun.COM> (Nicolas Williams's message of "Tue, 18 Aug 2009 17:59:34 -0500") Message-ID: <87bpmcbqxd.fsf@mocca.josefsson.org> User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-1.0 required=5.0 tests=AWL,BAYES_00, DATE_IN_FUTURE_96_XX,RDNS_DYNAMIC,SPF_FAIL autolearn=no version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on yxa-v.extundo.com X-Virus-Scanned: clamav-milter 0.95.2 at yxa-v X-Virus-Status: Clean Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Nicolas Williams <Nicolas.Williams@sun.com> writes: > On Wed, Aug 19, 2009 at 12:45:17AM +0200, Simon Josefsson wrote: >> Quoting: >> >> Description: The hash of the TLS server's end entity certificate >> [RFC5280] as it appears, octet for octet, in the server's Certificate >> message (note that the Certificate message contains a >> certificate_list, the first element of which is the server's end >> entity certificate.) >> >> I suggest replacing "server's end entity certificate" with "server's >> certificate". As far as I understand, it is possibly to use non-EE >> certs, e.g. proxy certs, as a server certificate. The RFC 5246 >> terminology is to say "sender's certificate" and there is no requirement >> to use a EE cert. > > OK. The thing to emphasize is that we're talking about the first cert > in the certificate_list that would be sent by the server. > > (I say "would be" just to be mindful of the TLS client caching > extensions, but I don't think the I-D has to say "would" since the > certificate_list will always have been sent at one point or another.) > > So how about: > > Description: The hash of the TLS server's certificate [RFC5280] as it > appears, octet for octet, in the server's Certificate message (note > that the Certificate message contains a certificate_list, the first > element of which is the server's certificate.) The hash function ... Looks fine to me. >> Quoting: >> >> agility. The algorithm to be used, however, is derived from the >> certificate itself: use SHA-256 if the certificate uses MD5 or SHA-1, >> else use whatever hash function the certificate uses. This >> >> Please say "is signed with" instead of "uses". Hash values may be >> present for other purposes in a certificate, but signature fields will >> typically only use one hash function. > > The text you quote is security considerations text; the normative text > already says exactly what you ask for. But OK: > > ... The algorithm to be used, however, is derived from the > certificate's signature as described in Section 4.1; to recap: use > SHA-256 if the certificate signature algorithm uses MD5 or SHA-1, > else use whatever hash function the certificate uses. There were two uses of "uses" in the sentence, and the second is still present, but at least this is better than before. > Now, section 4.1 says "if the certificate's signature hash algorithm is > ...". But perhaps it should say "if the hash algorithm used in the > certificate's signatureAlgorithm is ...", just to be really accurate and > avoid any possible confusion (with, say, the algorithm field of > SubjectPublicKeyInfo). Yes? The more precise the better, although SubjectPublicKeyInfo generally do not imply any particular hash function. But for new implementers, it is easy to go wrong if the text is not specific. /Simon Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7INI5TT025824 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 18 Aug 2009 16:18:05 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n7INI5RS025823; Tue, 18 Aug 2009 16:18:05 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from sca-ea-mail-4.sun.com (sca-ea-mail-4.Sun.COM [192.18.43.22]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7INHqD9025813 for <ietf-sasl@imc.org>; Tue, 18 Aug 2009 16:18:01 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-01.central.sun.com ([129.147.62.4]) by sca-ea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id n7INHp1x009249 for <ietf-sasl@imc.org>; Tue, 18 Aug 2009 23:17:51 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id n7INHpxw039394 for <ietf-sasl@imc.org>; Tue, 18 Aug 2009 17:17:51 -0600 (MDT) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n7IMxbUN003790; Tue, 18 Aug 2009 17:59:37 -0500 (CDT) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n7IMxYwu003789; Tue, 18 Aug 2009 17:59:34 -0500 (CDT) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Tue, 18 Aug 2009 17:59:34 -0500 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Simon Josefsson <simon@josefsson.org> Cc: ietf-sasl@imc.org, tls@ietf.org Subject: Re: "Last call" on draft-altman-tls-channel-bindings-05.txt Message-ID: <20090818225934.GW1043@Sun.COM> References: <20090818213427.GU1043@Sun.COM> <87ljlgbv2a.fsf@mocca.josefsson.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87ljlgbv2a.fsf@mocca.josefsson.org> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Wed, Aug 19, 2009 at 12:45:17AM +0200, Simon Josefsson wrote: > Quoting: > > Description: The hash of the TLS server's end entity certificate > [RFC5280] as it appears, octet for octet, in the server's Certificate > message (note that the Certificate message contains a > certificate_list, the first element of which is the server's end > entity certificate.) > > I suggest replacing "server's end entity certificate" with "server's > certificate". As far as I understand, it is possibly to use non-EE > certs, e.g. proxy certs, as a server certificate. The RFC 5246 > terminology is to say "sender's certificate" and there is no requirement > to use a EE cert. OK. The thing to emphasize is that we're talking about the first cert in the certificate_list that would be sent by the server. (I say "would be" just to be mindful of the TLS client caching extensions, but I don't think the I-D has to say "would" since the certificate_list will always have been sent at one point or another.) So how about: Description: The hash of the TLS server's certificate [RFC5280] as it appears, octet for octet, in the server's Certificate message (note that the Certificate message contains a certificate_list, the first element of which is the server's certificate.) The hash function ... > Quoting: > > agility. The algorithm to be used, however, is derived from the > certificate itself: use SHA-256 if the certificate uses MD5 or SHA-1, > else use whatever hash function the certificate uses. This > > Please say "is signed with" instead of "uses". Hash values may be > present for other purposes in a certificate, but signature fields will > typically only use one hash function. The text you quote is security considerations text; the normative text already says exactly what you ask for. But OK: ... The algorithm to be used, however, is derived from the certificate's signature as described in Section 4.1; to recap: use SHA-256 if the certificate signature algorithm uses MD5 or SHA-1, else use whatever hash function the certificate uses. Now, section 4.1 says "if the certificate's signature hash algorithm is ...". But perhaps it should say "if the hash algorithm used in the certificate's signatureAlgorithm is ...", just to be really accurate and avoid any possible confusion (with, say, the algorithm field of SubjectPublicKeyInfo). Yes? > For completeness, I would add: > > This algorithm agility resolution mechanism assumes that there is a > mapping from every Public-key signature algorithm to one hash > function algorithm. This is the case for all practically used public > key signature algorithms today, but if future public-key signature > algorithms would employ multiple hash functions (or none at all) this > specification needs to be updated to resolve which hash function > should be used. Good point. Thanks! Nico -- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7IMjsmQ023777 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 18 Aug 2009 15:45:54 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n7IMjsgl023776; Tue, 18 Aug 2009 15:45:54 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7IMjju3023744 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Tue, 18 Aug 2009 15:45:53 -0700 (MST) (envelope-from simon@josefsson.org) Received: from mocca.josefsson.org (c80-216-31-183.bredband.comhem.se [80.216.31.183]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5) with ESMTP id n7IMjHA8001016 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 19 Aug 2009 00:45:19 +0200 From: Simon Josefsson <simon@josefsson.org> To: Nicolas Williams <Nicolas.Williams@sun.com> Cc: ietf-sasl@imc.org, tls@ietf.org Subject: Re: "Last call" on draft-altman-tls-channel-bindings-05.txt References: <20090818213427.GU1043@Sun.COM> OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:090818:ietf-sasl@imc.org::phGjYQ2dCe/ST4ZG:27Ek X-Hashcash: 1:22:090818:nicolas.williams@sun.com::Sp9lVljf2yG9TozZ:1dgY X-Hashcash: 1:22:090818:tls@ietf.org::HHy/gYRdIGhZPWU0:AZ1D Date: Wed, 19 Aug 2009 00:45:17 +0200 In-Reply-To: <20090818213427.GU1043@Sun.COM> (Nicolas Williams's message of "Tue, 18 Aug 2009 16:34:28 -0500") Message-ID: <87ljlgbv2a.fsf@mocca.josefsson.org> User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-1.0 required=5.0 tests=AWL,BAYES_00, DATE_IN_FUTURE_96_XX,RDNS_DYNAMIC,SPF_FAIL autolearn=no version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on yxa-v.extundo.com X-Virus-Scanned: clamav-milter 0.95.2 at yxa-v X-Virus-Status: Clean Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Quoting: Description: The hash of the TLS server's end entity certificate [RFC5280] as it appears, octet for octet, in the server's Certificate message (note that the Certificate message contains a certificate_list, the first element of which is the server's end entity certificate.) I suggest replacing "server's end entity certificate" with "server's certificate". As far as I understand, it is possibly to use non-EE certs, e.g. proxy certs, as a server certificate. The RFC 5246 terminology is to say "sender's certificate" and there is no requirement to use a EE cert. Quoting: agility. The algorithm to be used, however, is derived from the certificate itself: use SHA-256 if the certificate uses MD5 or SHA-1, else use whatever hash function the certificate uses. This Please say "is signed with" instead of "uses". Hash values may be present for other purposes in a certificate, but signature fields will typically only use one hash function. For completeness, I would add: This algorithm agility resolution mechanism assumes that there is a mapping from every Public-key signature algorithm to one hash function algorithm. This is the case for all practically used public key signature algorithms today, but if future public-key signature algorithms would employ multiple hash functions (or none at all) this specification needs to be updated to resolve which hash function should be used. Nits: note (that is, the first such note in the descritption is a new ^ /Simon Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7ILqpMd020436 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 18 Aug 2009 14:52:51 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n7ILqpe3020435; Tue, 18 Aug 2009 14:52:51 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from brmea-mail-1.sun.com (brmea-mail-1.Sun.COM [192.18.98.31]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7ILqik2020422 for <ietf-sasl@imc.org>; Tue, 18 Aug 2009 14:52:51 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-01.central.sun.com ([129.147.62.4]) by brmea-mail-1.sun.com (8.13.6+Sun/8.12.9) with ESMTP id n7ILqhR2020925 for <ietf-sasl@imc.org>; Tue, 18 Aug 2009 21:52:44 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id n7ILqhjn055505 for <ietf-sasl@imc.org>; Tue, 18 Aug 2009 15:52:43 -0600 (MDT) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n7ILYUbQ003684; Tue, 18 Aug 2009 16:34:30 -0500 (CDT) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n7ILYSfi003683; Tue, 18 Aug 2009 16:34:28 -0500 (CDT) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Tue, 18 Aug 2009 16:34:28 -0500 From: Nicolas Williams <Nicolas.Williams@sun.com> To: ietf-sasl@imc.org, tls@ietf.org Subject: "Last call" on draft-altman-tls-channel-bindings-05.txt Message-ID: <20090818213427.GU1043@Sun.COM> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Per RFC5056, three channel binding types for TLS have been registered in the IANA channel binding type registry. Recently we've decided that we actually need a Standards-Track RFC to define these channel binding types so as to make it easier to make normative reference to them. Therefore we've revived and updated draft-altman-tls-channel-bindings to include the text of those three channel binding type registrations, as well as to update introductory and security considerations text. We seek comments on draft-altman-tls-channel-bindings-05. In two weeks we'll request that an AD shepherd this individual submission. We seek Proposed Standard status for the resulting RFC. Consider this a pseudo-WGLC. Please review and comment. Thanks, Nico -- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7HEHShF001938 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 17 Aug 2009 07:17:28 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n7HEHS98001937; Mon, 17 Aug 2009 07:17:28 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from mgw-mx03.nokia.com (smtp.nokia.com [192.100.122.230]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7HEHEpU001912 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Mon, 17 Aug 2009 07:17:25 -0700 (MST) (envelope-from Pasi.Eronen@nokia.com) Received: from esebh105.NOE.Nokia.com (esebh105.ntc.nokia.com [172.21.138.211]) by mgw-mx03.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id n7HBOAPR032448; Mon, 17 Aug 2009 14:24:18 +0300 Received: from esebh102.NOE.Nokia.com ([172.21.138.183]) by esebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 17 Aug 2009 14:24:14 +0300 Received: from smtp.mgd.nokia.com ([65.54.30.5]) by esebh102.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Mon, 17 Aug 2009 14:24:13 +0300 Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.86]) by nok-am1mhub-01.mgdnok.nokia.com ([65.54.30.5]) with mapi; Mon, 17 Aug 2009 13:24:12 +0200 From: <Pasi.Eronen@nokia.com> To: <Kurt@OpenLDAP.org>, <jhutz@cmu.edu> CC: <simon@josefsson.org>, <rfc-editor@rfc-editor.org>, <tim.polk@nist.gov>, <tlyu@mit.edu>, <alexey.melnikov@isode.com>, <ietf-sasl@imc.org> Date: Mon, 17 Aug 2009 13:24:11 +0200 Subject: RE: [Editorial Errata Reported] RFC4013 (1812) Thread-Topic: [Editorial Errata Reported] RFC4013 (1812) Thread-Index: AcoLNYPxIHHYWOv2TjCf7rf5U7F7aAT9zWyA Message-ID: <808FD6E27AD4884E94820BC333B2DB773A72E2883E@NOK-EUMSG-01.mgdnok.nokia.com> References: <200907182012.n6IKCnhM012626@boreas.isi.edu> <8763dka8b1.fsf@mocca.josefsson.org> <4273FB5691FFB40568367C4E@atlantis.pc.cs.cmu.edu> <E1013707-4A2F-4425-8DBD-4D74BAACEE58@OpenLDAP.org> In-Reply-To: <E1013707-4A2F-4425-8DBD-4D74BAACEE58@OpenLDAP.org> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginalArrivalTime: 17 Aug 2009 11:24:13.0406 (UTC) FILETIME=[3F92DFE0:01CA1F2D] X-Nokia-AV: Clean Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Hmm.. it looks like there are Unicode characters that are in the "prohibited output" list, but will get changed to another, allowed characters during the "Map" or "Normalize" steps.=20 Since "Prohibit" step is done after Map and Normalize, these characters can actually appear in the input, right? (and this would=20 not be an error) (For example, it looks like U+0340 is prohibited by Table C.8, but will get normalized to U+0300, which is allowed.) So actually should the errata be something like this? OLD: This profile specifies the following characters as prohibited input: = =20 NEW: This profile specifies the following characters as prohibited output: Discussion: Per RFC 3454, the check for prohibited characters is done after the "Map" and "Normalize" steps. Characters listed here are actually allowed as inputs if they get removed by the=20 "Map" or "Normalize" steps. Best regards, Pasi > -----Original Message----- > From: ext Kurt Zeilenga [mailto:Kurt@OpenLDAP.org] > Sent: 23 July, 2009 04:32 > To: Jeffrey Hutzelman > Cc: Simon Josefsson; RFC Errata System; tim.polk@nist.gov; Eronen Pasi > (Nokia-NRC/Helsinki); tlyu@mit.edu; alexey.melnikov@isode.com; ietf- > sasl@imc.org > Subject: Re: [Editorial Errata Reported] RFC4013 (1812) >=20 >=20 > On Jul 22, 2009, at 1:44 PM, Jeffrey Hutzelman wrote: >=20 > > There is, however, an error -- the first sentence of this section > > does in fact claim to be specifying prohibited input characters. > > The correct fix is to that text, not to the section title. >=20 >=20 > I support the following errata: >=20 > OLD: > prohibited input: >=20 > NEW > prohibited: >=20 >=20 > Discussion: > Per RFC 3454, if a prohibited character appears in the input, an error > must result. That is, the prohibited characters cannot appear in the > output. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7HEGKV6001773 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 17 Aug 2009 07:16:20 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n7HEGKIC001772; Mon, 17 Aug 2009 07:16:20 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7HEG4V7001733 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Mon, 17 Aug 2009 07:16:15 -0700 (MST) (envelope-from simon@josefsson.org) Received: from mocca.josefsson.org (c80-216-31-183.bredband.comhem.se [80.216.31.183]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5) with ESMTP id n7HCojw1021951 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 17 Aug 2009 14:50:48 +0200 From: Simon Josefsson <simon@josefsson.org> To: <Pasi.Eronen@nokia.com> Cc: <Kurt@OpenLDAP.org>, <jhutz@cmu.edu>, <rfc-editor@rfc-editor.org>, <tim.polk@nist.gov>, <tlyu@mit.edu>, <alexey.melnikov@isode.com>, <ietf-sasl@imc.org> Subject: Re: [Editorial Errata Reported] RFC4013 (1812) References: <200907182012.n6IKCnhM012626@boreas.isi.edu> <8763dka8b1.fsf@mocca.josefsson.org> <4273FB5691FFB40568367C4E@atlantis.pc.cs.cmu.edu> <E1013707-4A2F-4425-8DBD-4D74BAACEE58@OpenLDAP.org> <808FD6E27AD4884E94820BC333B2DB773A72E2883E@NOK-EUMSG-01.mgdnok.nokia.com> OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:090817:alexey.melnikov@isode.com::QUR2ujEjhRMxq4hw:Dd0 X-Hashcash: 1:22:090817:ietf-sasl@imc.org::0KDVMz+1hNIY3rJD:3T4O X-Hashcash: 1:22:090817:tlyu@mit.edu::AxNNR3r3N9B02bIG:Buq/ X-Hashcash: 1:22:090817:rfc-editor@rfc-editor.org::xDvmvveunHAOh6C8:6h03 X-Hashcash: 1:22:090817:kurt@openldap.org::vP2Wfi462nR6YEEP:EjJ3 X-Hashcash: 1:22:090817:tim.polk@nist.gov::iJmMGbeqjiU8PHeW:FkTr X-Hashcash: 1:22:090817:jhutz@cmu.edu::L+R/9p3V89mLIwdu:NBaa X-Hashcash: 1:22:090817:pasi.eronen@nokia.com::OIYkot2tJDZfzrVz:OWJn Date: Mon, 17 Aug 2009 14:50:45 +0200 In-Reply-To: <808FD6E27AD4884E94820BC333B2DB773A72E2883E@NOK-EUMSG-01.mgdnok.nokia.com> (Pasi Eronen's message of "Mon, 17 Aug 2009 13:24:11 +0200") Message-ID: <874os6li3e.fsf@mocca.josefsson.org> User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-1.0 required=5.0 tests=AWL,BAYES_00, DATE_IN_FUTURE_96_XX,RDNS_DYNAMIC,SPF_FAIL autolearn=no version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on yxa-v.extundo.com X-Virus-Scanned: clamav-milter 0.95.2 at yxa-v X-Virus-Status: Clean Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> I think your fix is better. RFC 3454 talks about prohibiting code points in the output. It doesn't say anything about prohibiting code points in inputs, since the algorithm doesn't work like that. I don't think the intention of RFC 4013 was to change the ordering of RFC 3454 algorithm steps, so treating it as a typo in RFC 4013 appears appropriate to me. /Simon <Pasi.Eronen@nokia.com> writes: > Hmm.. it looks like there are Unicode characters that are in the > "prohibited output" list, but will get changed to another, allowed > characters during the "Map" or "Normalize" steps. > > Since "Prohibit" step is done after Map and Normalize, these > characters can actually appear in the input, right? (and this would > not be an error) > > (For example, it looks like U+0340 is prohibited by Table C.8, but > will get normalized to U+0300, which is allowed.) > > So actually should the errata be something like this? > > OLD: > This profile specifies the following characters as prohibited input: > NEW: > This profile specifies the following characters as prohibited output: > > Discussion: Per RFC 3454, the check for prohibited characters > is done after the "Map" and "Normalize" steps. Characters listed > here are actually allowed as inputs if they get removed by the > "Map" or "Normalize" steps. > > Best regards, > Pasi > >> -----Original Message----- >> From: ext Kurt Zeilenga [mailto:Kurt@OpenLDAP.org] >> Sent: 23 July, 2009 04:32 >> To: Jeffrey Hutzelman >> Cc: Simon Josefsson; RFC Errata System; tim.polk@nist.gov; Eronen Pasi >> (Nokia-NRC/Helsinki); tlyu@mit.edu; alexey.melnikov@isode.com; ietf- >> sasl@imc.org >> Subject: Re: [Editorial Errata Reported] RFC4013 (1812) >> >> >> On Jul 22, 2009, at 1:44 PM, Jeffrey Hutzelman wrote: >> >> > There is, however, an error -- the first sentence of this section >> > does in fact claim to be specifying prohibited input characters. >> > The correct fix is to that text, not to the section title. >> >> >> I support the following errata: >> >> OLD: >> prohibited input: >> >> NEW >> prohibited: >> >> >> Discussion: >> Per RFC 3454, if a prohibited character appears in the input, an error >> must result. That is, the prohibited characters cannot appear in the >> output. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7CE8TbB007799 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 12 Aug 2009 07:08:29 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n7CE8TD2007798; Wed, 12 Aug 2009 07:08:29 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7CE8Ju3007775 for <ietf-sasl@imc.org>; Wed, 12 Aug 2009 07:08:28 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [192.168.1.124] ((unknown) [62.3.217.253]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SoLMzwB9YT29@rufus.isode.com>; Wed, 12 Aug 2009 15:08:17 +0100 X-SMTP-Protocol-Errors: NORDNS Message-ID: <4A82CCCB.2070406@isode.com> Date: Wed, 12 Aug 2009 15:08:11 +0100 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Dave Cridland <dave@cridland.net> CC: Peter Saint-Andre <stpeter@stpeter.im>, ietf-sasl@imc.org Subject: Re: WG Last Call: draft-ietf-sasl-scram-02 References: <ldvbpnouhy3.fsf@cathode-dark-space.mit.edu> <4A807C89.7@stpeter.im> <8048.1249935609.418434@puncture> In-Reply-To: <8048.1249935609.418434@puncture> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Dave Cridland wrote: > On Mon Aug 10 21:01:13 2009, Peter Saint-Andre wrote: > >> Instead of requiring the application of SASLprep, I would prefer >> wording >> such as this: >> >> Before sending the username to the server, the client MUST >> ensure that the username is formatted such that the "SASLPrep" >> profile [RFC4013] of the "stringprep" algorithm [RFC3454] can be >> applied to it without failing. > > Although initially, my thought was this wasn't needed, I wondered > about the consequences. > > It seems to me that, unless we assume that both client and server > will always have precisely the same concept of "SASLprep", then one > would assume the server would always have to apply SASLprep anyway. > > SASLprep is, also bound to change - either gradual changes in Unicode > will cause problems sufficient to case a rewrite, or we'll change > SASLprep itself to be a property-based, instead of table-based, > mechanism, and the gradual changes will filter through to > implementations. > > I'm inclined, therefore, to suggest that not only is this text > reasonable, but the "MUST" can probably be reduced to a SHOULD. I can live with the SHOULD. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7AKKF6T030609 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 10 Aug 2009 13:20:15 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n7AKKFp1030608; Mon, 10 Aug 2009 13:20:15 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from peirce.dave.cridland.net (peirce.dave.cridland.net [217.155.137.61]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7AKKDMp030600 for <ietf-sasl@imc.org>; Mon, 10 Aug 2009 13:20:14 -0700 (MST) (envelope-from dave@cridland.net) Received: from puncture ((unknown) [217.155.137.60]) by peirce.dave.cridland.net (submission) via TCP with ESMTPA id <SoCA-QAqP7wt@peirce.dave.cridland.net>; Mon, 10 Aug 2009 21:20:10 +0100 X-SMTP-Protocol-Errors: NORDNS Subject: Re: WG Last Call: draft-ietf-sasl-scram-02 References: <ldvbpnouhy3.fsf@cathode-dark-space.mit.edu> <4A807C89.7@stpeter.im> In-Reply-To: <4A807C89.7@stpeter.im> MIME-Version: 1.0 Message-Id: <8048.1249935609.418434@puncture> Date: Mon, 10 Aug 2009 21:20:09 +0100 From: Dave Cridland <dave@cridland.net> To: Peter Saint-Andre <stpeter@stpeter.im>, <ietf-sasl@imc.org>, Tom Yu <tlyu@MIT.EDU> Content-Type: text/plain; delsp="yes"; charset="us-ascii"; format="flowed" Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Mon Aug 10 21:01:13 2009, Peter Saint-Andre wrote: > Instead of requiring the application of SASLprep, I would prefer > wording > such as this: > > Before sending the username to the server, the client MUST > ensure that the username is formatted such that the "SASLPrep" > profile [RFC4013] of the "stringprep" algorithm [RFC3454] can be > applied to it without failing. > > Although initially, my thought was this wasn't needed, I wondered about the consequences. It seems to me that, unless we assume that both client and server will always have precisely the same concept of "SASLprep", then one would assume the server would always have to apply SASLprep anyway. SASLprep is, also bound to change - either gradual changes in Unicode will cause problems sufficient to case a rewrite, or we'll change SASLprep itself to be a property-based, instead of table-based, mechanism, and the gradual changes will filter through to implementations. I'm inclined, therefore, to suggest that not only is this text reasonable, but the "MUST" can probably be reduced to a SHOULD. Dave. -- Dave Cridland - mailto:dave@cridland.net - xmpp:dwd@dave.cridland.net - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/ - http://dave.cridland.net/ Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7AK1QBH029289 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 10 Aug 2009 13:01:26 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n7AK1QkN029288; Mon, 10 Aug 2009 13:01:26 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from stpeter.im (stpeter.im [207.210.219.233]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7AK1H85029268 for <ietf-sasl@imc.org>; Mon, 10 Aug 2009 13:01:25 -0700 (MST) (envelope-from stpeter@stpeter.im) Received: from dhcp-64-101-72-211.cisco.com (dhcp-64-101-72-211.cisco.com [64.101.72.211]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 1286F4007B; Mon, 10 Aug 2009 14:01:14 -0600 (MDT) Message-ID: <4A807C89.7@stpeter.im> Date: Mon, 10 Aug 2009 14:01:13 -0600 From: Peter Saint-Andre <stpeter@stpeter.im> User-Agent: Thunderbird 2.0.0.22 (Macintosh/20090605) MIME-Version: 1.0 To: Tom Yu <tlyu@MIT.EDU> CC: ietf-sasl@imc.org Subject: Re: WG Last Call: draft-ietf-sasl-scram-02 References: <ldvbpnouhy3.fsf@cathode-dark-space.mit.edu> In-Reply-To: <ldvbpnouhy3.fsf@cathode-dark-space.mit.edu> X-Enigmail-Version: 0.96.0 OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 7/13/09 8:17 PM, Tom Yu wrote: > This message commences a WG Last Call on the following Internet-Draft: > > Title : Salted Challenge Response (SCRAM) SASL Mechanism Although the WGLC is officially over, I have a question about the use of SASLprep. The SCRAM I-D (draft-ietf-sasl-scram-04) says the following: Before sending the username to the server, the client MUST prepare the username using the "SASLPrep" profile [RFC4013] of the "stringprep" algorithm [RFC3454]. In XMPP, we have traditionally used a different stringprep profile ("nodeprep") to prepare usernames. As far as I can see, nodeprep is more strict than SASLprep. Therefore, any username which is prepared according to nodeprep would be safe according to SASLprep. Instead of requiring the application of SASLprep, I would prefer wording such as this: Before sending the username to the server, the client MUST ensure that the username is formatted such that the "SASLPrep" profile [RFC4013] of the "stringprep" algorithm [RFC3454] can be applied to it without failing. (We have similar wording in RFC 3920 and in rfc3920bis.) Peter - -- Peter Saint-Andre https://stpeter.im/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkqAfIkACgkQNL8k5A2w/vwYrwCZATJzn3RcK+Cjs996FnIIr7El 3pwAnR95RzWJWcp6TDv91Er44bNOVa5m =9AOc -----END PGP SIGNATURE----- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n74FU8YM092124 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 4 Aug 2009 08:30:08 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n74FU8bJ092123; Tue, 4 Aug 2009 08:30:08 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from mail.ietf.org (mail.ietf.org [64.170.98.32]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n74FU8kW092116 for <ietf-sasl@imc.org>; Tue, 4 Aug 2009 08:30:08 -0700 (MST) (envelope-from root@core3.amsl.com) Received: by core3.amsl.com (Postfix, from userid 0) id 294E828C41C; Tue, 4 Aug 2009 08:30:01 -0700 (PDT) From: Internet-Drafts@ietf.org To: i-d-announce@ietf.org Cc: ietf-sasl@imc.org Subject: I-D Action:draft-ietf-sasl-gs2-16.txt Content-Type: Multipart/Mixed; Boundary="NextPart" Mime-Version: 1.0 Message-Id: <20090804153002.294E828C41C@core3.amsl.com> Date: Tue, 4 Aug 2009 08:30:02 -0700 (PDT) Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Simple Authentication and Security Layer Working Group of the IETF. Title : Using GSS-API Mechanisms in SASL: The GS2 Mechanism Family Author(s) : S. Josefsson, N. Williams Filename : draft-ietf-sasl-gs2-16.txt Pages : 24 Date : 2009-08-04 This document describes how to use a Generic Security Service Application Program Interface (GSS-API) mechanism in the the Simple Authentication and Security Layer (SASL) framework. This is done by defining a new SASL mechanism family, called GS2. This mechanism family offers a number of improvements over the previous "SASL/ GSSAPI" mechanism: it is more general, uses fewer messages for the authentication phase in some cases, and supports negotiable use of channel binding. Only GSS-API mechanisms that support channel binding are supported. See <http://josefsson.org/sasl-gs2-*/> for more information. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-sasl-gs2-16.txt Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Message/External-body; name="draft-ietf-sasl-gs2-16.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2009-08-04082404.I-D@ietf.org> --NextPart-- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7389J44056591 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 3 Aug 2009 01:09:19 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n7389JRt056590; Mon, 3 Aug 2009 01:09:19 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n7389BA1056565 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Mon, 3 Aug 2009 01:09:18 -0700 (MST) (envelope-from simon@josefsson.org) Received: from mocca.josefsson.org (c80-216-31-183.bredband.comhem.se [80.216.31.183]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5) with ESMTP id n73897aW008267 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 3 Aug 2009 10:09:09 +0200 From: Simon Josefsson <simon@josefsson.org> To: Peter Saint-Andre <stpeter@stpeter.im> Cc: Alexey Melnikov <alexey.melnikov@isode.com>, ietf-sasl@imc.org Subject: Re: WG Last Call: draft-ietf-sasl-scram-02 References: <ldvbpnouhy3.fsf@cathode-dark-space.mit.edu> <4A703964.3090203@stpeter.im> <4A71D97F.10202@stpeter.im> <4A71DEA0.7020700@isode.com> <877hxqow3d.fsf@mocca.josefsson.org> <4A737AE8.7010108@stpeter.im> OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:090803:stpeter@stpeter.im::L+9Cnl5J8u9dPdNA:HfsI X-Hashcash: 1:22:090803:ietf-sasl@imc.org::6hqONuEvHgQDSskp:KzSw X-Hashcash: 1:22:090803:alexey.melnikov@isode.com::SR+1xVA9HZmrMgS0:J3hj Date: Mon, 03 Aug 2009 10:09:07 +0200 In-Reply-To: <4A737AE8.7010108@stpeter.im> (Peter Saint-Andre's message of "Fri, 31 Jul 2009 19:14:48 -0400") Message-ID: <87prbdiajg.fsf@mocca.josefsson.org> User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.96 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-0.8 required=5.0 tests=AWL,BAYES_00, DATE_IN_FUTURE_96_XX,RDNS_DYNAMIC,SPF_FAIL autolearn=no version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on yxa-v.extundo.com X-Virus-Scanned: clamav-milter 0.95.2 at yxa-v X-Virus-Status: Clean Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Peter Saint-Andre <stpeter@stpeter.im> writes: > On 7/30/09 2:37 PM, Simon Josefsson wrote: >> Alexey Melnikov <alexey.melnikov@isode.com> writes: >> >>> Peter Saint-Andre wrote: >>> >>>>> SECTION 4 >>>>> >>>>> Typo: "hashed function" => "hash function" >>>>> >>>>> I think the following text is slightly ambiguous: >>>>> >>>>> The "-PLUS" suffix is used only when the server supports channel >>>>> binding to the external channel. In this case the server will >>>>> advertise both, SCRAM-SHA-1 and SCRAM-SHA-1-PLUS, otherwise the >>>>> server will advertise only SCRAM-SHA-1. The "-PLUS" exists to allow >>>>> negotiation of the use of channel binding. See Section 6. >>>>> >>>>> This could be read to mean that if a server does not support channel >>>>> bindings, then it will advertise only all and only SCRAM-SHA-1 (but >>>>> never, say, SCRAM-SHA-256). I think we mean that if a server does not >>>>> support channel bindings, then it will advertise only mechanisms of the >>>>> form SCRAM-SHA-length and never mechanisms of the form >>>>> SCRAM-SHA-length-PLUS (thus not forbidding support for hash functions >>>>> other than SHA-1). >>>>> >>>>> >>>> Alexey and I talked about this in Stockholm. I suggest the following text: >>>> >>>> The "-PLUS" suffix is used only when the server supports channel >>>> binding to the external channel. If the server supports channel >>>> binding, it will advertise both the "bare" and "plus" versions of >>>> whatever mechanisms it supports (e.g., if the server supports only >>>> SCRAM with SHA-1 then it will advertise support for both SCRAM-SHA-1 >>>> and SCRAM-SHA-1-PLUS); if the server does not support channel >>>> binding, then it will advertise only the "bare" version of the >>>> mechanism (e.g., only SCRAM-SHA-1). The "-PLUS" exists to allow >>>> negotiation of the use of channel binding. See Section 6. >>>> >>>> >>> Ok, this text will be in -04. >> >> Please reassure me that the same change isn't needed in GS2? I don't >> see any normative words above, and as far as I can tell the described >> behaviour is already covered by other text in both SCRAM and GS2 anyway. > > Do you think that the former text was not ambiguous? No, I think your version is definitely better, but I couldn't find matching text in GS2 to change. I _think_ your clarification is already covered by what's in GS2 today, including for example this text: <t>Servers SHOULD advertise both non-PLUS and the PLUS-variant of each GS2 mechanism name. If the server cannot support channel binding, it MAY advertise only the non-PLUS variant. If the server would never succeed authentication of the non-PLUS variant due to policy reasons, it MAY advertise only the PLUS-variant.</t> It doesn't use the same words although I believe the intention is the same. /Simon
- "Last call" on draft-altman-tls-channel-bindings-… Nicolas Williams
- Re: "Last call" on draft-altman-tls-channel-bindi… Simon Josefsson
- Re: "Last call" on draft-altman-tls-channel-bindi… Nicolas Williams
- Re: "Last call" on draft-altman-tls-channel-bindi… Simon Josefsson
- Re: "Last call" on draft-altman-tls-channel-bindi… Nicolas Williams
- Re: "Last call" on draft-altman-tls-channel-bindi… Nicolas Williams
- Re: "Last call" on draft-altman-tls-channel-bindi… Simon Josefsson
- Re: [TLS] "Last call" on draft-altman-tls-channel… Nicolas Williams
- Re: [TLS] "Last call" on draft-altman-tls-channel… Nicolas Williams
- Re: [sasl] [TLS] "Last call" on draft-altman-tls-… Jeffrey Hutzelman
- Re: [sasl] "Last call" on draft-altman-tls-channe… Peter Saint-Andre
- Re: [sasl] "Last call" on draft-altman-tls-channe… Nicolas Williams
- Re: [sasl] "Last call" on draft-altman-tls-channe… Nicolas Williams