Re: [secdir] Secdir review of draft-hollenbeck-rfc4930bis-02
Sandra Murphy <sandy@sparta.com> Wed, 15 July 2009 15:13 UTC
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 173A23A6EA3; Wed, 15 Jul 2009 08:13:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.512
X-Spam-Level:
X-Spam-Status: No, score=-2.512 tagged_above=-999 required=5 tests=[AWL=0.087, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AxsUqiBfh6ab; Wed, 15 Jul 2009 08:13:26 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by core3.amsl.com (Postfix) with ESMTP id B82423A6C86; Wed, 15 Jul 2009 08:13:26 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id n6FFDUQZ022408; Wed, 15 Jul 2009 10:13:30 -0500
Received: from nemo.columbia.ads.sparta.com (nemo.columbia.sparta.com [157.185.80.75]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id n6FFDUO0002712; Wed, 15 Jul 2009 10:13:30 -0500
Received: from SANDYM-LT.columbia.ads.sparta.com ([157.185.81.126]) by nemo.columbia.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Wed, 15 Jul 2009 11:13:29 -0400
Date: Wed, 15 Jul 2009 11:13:29 -0400
From: Sandra Murphy <sandy@sparta.com>
To: "Hollenbeck, Scott" <shollenbeck@verisign.com>
In-Reply-To: <046F43A8D79C794FA4733814869CDF07025CD275@dul1wnexmb01.vcorp.ad.vrsn.com>
Message-ID: <Pine.WNT.4.64.0907151110550.4872@SANDYM-LT.columbia.ads.sparta.com>
References: <046F43A8D79C794FA4733814869CDF07025CD275@dul1wnexmb01.vcorp.ad.vrsn.com>
X-X-Sender: sandy@nemo.columbia.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-OriginalArrivalTime: 15 Jul 2009 15:13:29.0749 (UTC) FILETIME=[CF5C7C50:01CA055E]
Cc: secdir@ietf.org, iesg@ietf.org
Subject: Re: [secdir] Secdir review of draft-hollenbeck-rfc4930bis-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2009 15:13:28 -0000
(I sent multiple secdir related messages yesterday that were mangled or failed to deliver to the secdir and iesg lists. You could see an example in Scott's reply to one of the mangled messages. Here is the unmangled message, to keep us all in sync. My apologies to the recipients who are seeing this again.) >By Transport ID, I would assume the identifer(s) associated with the >transport level authentication key. >For EPP ID I would assume whatever identification is associated with >an EPP instance. In EPP, you do a simple login with user name and password: login Bob bobscleartextpassword The other end checks the password and says "Great to see you, Bob!" Underneath you have a stronger authentication system running. This is based on some transport id, like the ip addr/protocol/port or whatever id the secure transport uses. Lets say the transport id is ip addr, say 10.1.0.0 at the end doing the login authentication. A secure authenticated transport connection is established between 10.1.0.0 to the other end where the login is being attempted, say 10.2.0.0. The trouble is that that 10.2.0.0 might be a man in the middle. The MITM has another secure authenticated transport connection to Bob's host, 10.3.0.0. Bob sends the "login Bob bobscleartextpassword" over its secure transport connection, which ends at the MITM at 10.2.0.0. The MITM retransmits the "login Bob bobscleartextpassword" over the secure transport connection to 10.1.0.0, impersonating Bob. This is possible because there is no tie between the EPP ID of "Bob" and the secure transport id of 10.2.0.0. The tie is what is called channel binding. You can look at RFC5056 for more information or at http://www.saunalahti.fi/~asokan/research/mitm.html for another discussion with a rather detailed example for PEAP. It might be worth pointing out that draft-ietf-sasl-gs2-14 talks about Using GSS-API Mechanisms in SASL, and supports channel binding. --Sandy
- [secdir] Secdir review of draft-hollenbeck-rfc493… Catherine Meadows
- Re: [secdir] Secdir review of draft-hollenbeck-rf… Hollenbeck, Scott
- Re: [secdir] Secdir review of draft-hollenbeck-rf… Catherine Meadows
- Re: [secdir] Secdir review of draft-hollenbeck-rf… Hollenbeck, Scott
- Re: [secdir] Secdir review of draft-hollenbeck-rf… Sandra Murphy
- Re: [secdir] Secdir review of draft-hollenbeck-rf… Sandra Murphy
- Re: [secdir] Secdir review of draft-hollenbeck-rf… Sandra Murphy
- Re: [secdir] Secdir review of draft-hollenbeck-rf… Alexey Melnikov
- Re: [secdir] Secdir review of draft-hollenbeck-rf… Hollenbeck, Scott
- Re: [secdir] Secdir review of draft-hollenbeck-rf… Nicolas Williams
- Re: [secdir] Secdir review of draft-hollenbeck-rf… Nicolas Williams
- Re: [secdir] Secdir review of draft-hollenbeck-rf… Hollenbeck, Scott
- Re: [secdir] Secdir review of draft-hollenbeck-rf… Hollenbeck, Scott