Re: [secdir] [xmpp] SecDir review of draft-ietf-xmpp-3920bis-17

Kurt Zeilenga <> Wed, 03 November 2010 21:03 UTC


On Nov 3, 2010, at 11:10 AM, Matthew Wild wrote:

> On 3 November 2010 17:31, Peter Saint-Andre <> wrote:
>>      as described under Section (however, the lack of channel
>>      binding in the PLAIN mechanism implies that even authenticated TLS
>>      cannot fully protect the SASL negotiation and subsequent
>>      communications when PLAIN is used).
> I'm no expert on this, but is this text technically true? I thought
> channel binding would only be beneficial where there is not full TLS
> authentication.

Channel binding is beneficial regardless of whether the client performed TLS server cert/subject checks.  Note that the server has no clue what checks, if any, the client (or its user) performed.  With channel bindings, it becomes irrelevant to the server whether the client performed these checks or not.  That is, (amongst other things) channel bindings provide a means for the server itself to protect against MITM attacks.

I do agree, however, that the wording of the "however" comment is confusing and it seems it should either be removed or replaced.

My main concern is that Unauthenticated TLS is subject to downgrade to PLAIN by two vectors, spoofing mechanisms and spoofing transition required.

Removing <transition-needed/> (in favor of a yet to be specified extension) addresses one vector.

There seems no good way to address the other vector at this time.  I do suggest however that the 13.9.4 text:
   To help prevent this attack, the parties
   SHOULD protect the channel using TLS before attempting SASL
be replaced with:
   To mitigate this attack, the parties SHOULD protect the channel using TLS before attempting SASL negotiation and either
   perform full certificate validation as described in Section or utilize a mechanism which provides channel bindings,
   such as SCRAM-SHA-1-PLUS.

-- Kurt
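
Added example, not part of the original message: the server-side check that channel binding makes possible, using the SCRAM-SHA-1 proof computation from RFC 5802 with tls-unique binding data carried in the c= attribute. The user name, password, nonces, salt and channel-binding bytes are constructed sample values, and the code assumes the SASL messages have already been split into their fields.

```python
import base64, hashlib, hmac

GS2 = b"p=tls-unique,,"  # gs2-header of a -PLUS mechanism (RFC 5802)

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbind_attr(cb_data):
    # "c=" attribute: base64(gs2-header || channel-binding data)
    return b"c=" + base64.b64encode(GS2 + cb_data)

def client_final(password, salt, iters, first_bare, server_first, nonce, cb_data):
    # Client: the proof covers the binding data of the TLS channel the client sees.
    client_key = _hmac(hashlib.pbkdf2_hmac("sha1", password, salt, iters), b"Client Key")
    stored_key = hashlib.sha1(client_key).digest()
    without_proof = cbind_attr(cb_data) + b",r=" + nonce
    auth_message = b",".join([first_bare, server_first, without_proof])
    proof = _xor(client_key, _hmac(stored_key, auth_message))
    return without_proof + b",p=" + base64.b64encode(proof)

def server_verify(stored_key, first_bare, server_first, nonce, final_msg, cb_data):
    # Server: compare against its own TLS channel first, then check the proof.
    without_proof, _, proof_b64 = final_msg.rpartition(b",p=")
    if not hmac.compare_digest(without_proof, cbind_attr(cb_data) + b",r=" + nonce):
        return False  # client is bound to a different TLS channel
    auth_message = b",".join([first_bare, server_first, without_proof])
    client_key = _xor(base64.b64decode(proof_b64), _hmac(stored_key, auth_message))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key)

def demo():
    # Constructed sample values; real tls-unique data comes from the TLS handshake.
    pw, salt, iters = b"pencil", b"constructed-salt", 4096
    nonce = b"clientnonce" + b"servernonce"
    first_bare = b"n=juliet,r=clientnonce"
    server_first = b"r=" + nonce + b",s=" + base64.b64encode(salt) + b",i=4096"
    salted = hashlib.pbkdf2_hmac("sha1", pw, salt, iters)
    stored = hashlib.sha1(_hmac(salted, b"Client Key")).digest()
    cb_direct, cb_client_leg, cb_server_leg = b"A" * 12, b"B" * 12, b"C" * 12
    args = (stored, first_bare, server_first, nonce)
    direct = client_final(pw, salt, iters, first_bare, server_first, nonce, cb_direct)
    relayed = client_final(pw, salt, iters, first_bare, server_first, nonce, cb_client_leg)
    rewritten = cbind_attr(cb_server_leg) + relayed[relayed.index(b",r="):]
    return (server_verify(*args, direct, cb_direct),         # same channel: accepted
            server_verify(*args, relayed, cb_server_leg),    # two TLS legs: rejected
            server_verify(*args, rewritten, cb_server_leg))  # c= altered: proof fails
```

The server rejects the second and third cases without knowing whether the client validated any certificate, which is the property described in the message above; PLAIN carries no such binding for the server to check.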