Re: GSS-API channel bindings
Nicolas Williams <Nicolas.Williams@sun.com> Thu, 29 July 2004 19:59 UTC
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6TJx2Ws097435; Thu, 29 Jul 2004 12:59:02 -0700 (PDT) (envelope-from owner-ietf-sasl@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6TJx2Jb097434; Thu, 29 Jul 2004 12:59:02 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f
Received: from nwkea-mail-1.sun.com (nwkea-mail-1.sun.com [192.18.42.13]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6TJx19A097400 for <ietf-sasl@imc.org>; Thu, 29 Jul 2004 12:59:01 -0700 (PDT) (envelope-from nw141292@binky.central.sun.com)
Received: from centralmail2brm.Central.Sun.COM ([129.147.62.14]) by nwkea-mail-1.sun.com (8.12.10/8.12.9) with ESMTP id i6TJx0J6011506 for <ietf-sasl@imc.org>; Thu, 29 Jul 2004 12:59:00 -0700 (PDT)
Received: from binky.central.sun.com (binky.Central.Sun.COM [129.153.128.104]) by centralmail2brm.Central.Sun.COM (8.12.10+Sun/8.12.10/ENSMAIL, v2.2) with ESMTP id i6TJwx4H008836 for <ietf-sasl@imc.org>; Thu, 29 Jul 2004 13:59:00 -0600 (MDT)
Received: from binky.central.sun.com (localhost [127.0.0.1]) by binky.central.sun.com (8.13.0+Sun/8.13.0) with ESMTP id i6TJuWFF003373; Thu, 29 Jul 2004 14:56:32 -0500 (CDT)
Received: (from nw141292@localhost) by binky.central.sun.com (8.13.0+Sun/8.13.0/Submit) id i6TJuWQ7003372; Thu, 29 Jul 2004 14:56:32 -0500 (CDT)
Date: Thu, 29 Jul 2004 14:56:32 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Alexey Melnikov <Alexey.Melnikov@isode.com>
Cc: Simon Josefsson <jas@extundo.com>, ietf-sasl@imc.org
Subject: Re: GSS-API channel bindings
Message-ID: <20040729195632.GB896@binky.central.sun.com>
Mail-Followup-To: Alexey Melnikov <Alexey.Melnikov@isode.com>, Simon Josefsson <jas@extundo.com>, ietf-sasl@imc.org
References: <40DC9563.4070006@isode.com> <40E1381F.4020409@isode.com> <ilufz86j3iq.fsf_-_@latte.josefsson.org> <20040715182807.GZ632478@binky.central.sun.com> <ilu1xixwaba.fsf@latte.josefsson.org> <41094E1C.2050404@isode.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <41094E1C.2050404@isode.com>
User-Agent: Mutt/1.4.1i
Sender: owner-ietf-sasl@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-ID: <ietf-sasl.imc.org>
List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
On Thu, Jul 29, 2004 at 08:21:00PM +0100, Alexey Melnikov wrote: > > Simon Josefsson wrote: > > >Do you have any thoughts on how to modify the SASL GSSAPI mechanism so > >it is possible for it to use non-NULL channel bindings automatically? > > > >The most simplistic solution is to permit non-NULL channel bindings in > >the specification, and leave everything up to application protocols. > > > >However, that approach require application protocol implementations to > >tell the SASL library what GSSAPI channel bindings it wants. While > >this is feasible, perhaps it can be made even better. > > > >What I'm trying to understand, is whether the SASL GSSAPI mechanism, > >by itself, could construct the actual channel binding, and use it at > >both ends. > > > CMU SASL API allows applications to pass IP/port number of the both > endpoints to the SASL library. It seems that this is sufficient to > construct proper channel binding information? (Just thinking aloud). No, it's not enough because there's no cryptographic binding there, direct or indirect. Throw in authenticated and "latched" IPsec IDs and you've got strong bindings. Or, if you're running over a TLS channel, throw in the TLS finished messages. Or, if you're running over an SSHv2 channel, throw in the SSHv2 session ID. > Also, if either the client or the server end uses non null channel > binding and the other end doesn't, will they be able to authenticate? With the GSS-API? Technically they shouldn't, though the krb5 mech has some warts in this area (I won't describe them here). The point is: GSS-API channel bindings are not negotiated by the GSS mechanisms, so both peers must know a priori that both have or don't have channel bindings. Thus my comments earlier about CCM-BIND and negotiation of the use of GSS mechanisms specifically designed to signal and implement the use of channel bindings. Please see draft-ietf-nfsv4-channel-bindings-02.txt. Nico --
- New revision of draft-ietf-sasl-gssapi Alexey Melnikov
- GSS-API channel bindings Simon Josefsson
- Re: GSS-API channel bindings Nicolas Williams
- Re: GSS-API channel bindings Simon Josefsson
- Re: GSS-API channel bindings Nicolas Williams
- Re: GSS-API channel bindings Alexey Melnikov
- Re: GSS-API channel bindings Nicolas Williams