IETF Logo Mail Archive

[TLS] charter comparisons, providing wider rationale for GSSAPI

<home_pw@msn.com> Sat, 30 December 2006 19:54 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H0kHS-00044z-4N; Sat, 30 Dec 2006 14:54:10 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H0kHQ-00044u-Ij for tls@ietf.org; Sat, 30 Dec 2006 14:54:08 -0500
Received: from bay0-omc3-s4.bay0.hotmail.com ([65.54.246.204]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H0kHP-0000fq-4n for tls@ietf.org; Sat, 30 Dec 2006 14:54:08 -0500
Received: from hotmail.com ([65.54.174.78]) by bay0-omc3-s4.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Sat, 30 Dec 2006 11:54:06 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sat, 30 Dec 2006 11:54:06 -0800
Message-ID: <BAY103-DAV6EEDF1D53D610B55BC09492C50@phx.gbl>
Received: from 69.227.152.254 by BAY103-DAV6.phx.gbl with DAV; Sat, 30 Dec 2006 19:54:04 +0000
X-Originating-IP: [69.227.152.254]
X-Originating-Email: [home_pw@msn.com]
X-Sender: home_pw@msn.com
From: home_pw@msn.com
To: tls@ietf.org
Date: Sat, 30 Dec 2006 11:54:18 -0800
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail desktop 8.0.1223
X-MimeOLE: Produced By Microsoft MimeOLE V8.0.1223
X-OriginalArrivalTime: 30 Dec 2006 19:54:06.0577 (UTC) FILETIME=[438C8E10:01C72C4C]
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 9a2be21919e71dc6faef12b370c4ecf5
Cc:
Subject: [TLS] charter comparisons, providing wider rationale for GSSAPI
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

If I look at IETF as a whole, we have arguably deviated from the proposed

http://lists.w3.org/Archives/Public/ietf-tls/1996JanMar/0001.html

On the one hand we have successfully borrowed from kerberos some
key management techniques, from the wireless world we borrowed
a little PSK, and may yet be borrowing some more from
GSS_API tokens & MISSI wrapping mechanism. We obviously borrowed
from PKIX and its long line of forbears, though its "NR control"
monster looms, threateningly. Politics has evidently agitated against
more fundamental shifts, to the models of SRP, however,

On the other hand, we experiment with EAP-TLS, where the handshake is
used as a "general purpose authentication" mechanism by PPP - which
is not "above the transport layer" and may exhibit "inappropriate
generalization". If one contrasts EAL-TLS with the originally-proposed
charter, however, it's use offers tribute to the SSL architecture! It
features tuned message pipelining, connectionless fragmentation handling,
custom key derivation, and more. This could all have been specified
much more cleanly, within the architcture, but presumably doctrine got
in the way. One cannot claim that PPP EAP is competing with the
security architecture of IPSEC/ISAKMP and, despite "inappropriate"
generalization of the security handshake and the ciphersuite negotiation, it
is consistent with "secure IP is outside the scope...". That EAP-TLS even
finds itself playing at the link layer is a bid sad, for the internet
security architecture and its designers' judgments.

If we step back, however, what is perhaps missing still is for GSS_API to
now complete Tajer's final mission statement, and specify "SSL token 
exchange"
as an alternative handshake-mechanism, registered using GSSAPI norms.

If SSL adopts GSS-API's negotiation of opaque tokens, there could
be a valuable reciprocity - where GSS-API enables other applications to
use the SSL handshake as a single (negotiable) mechanism - regularizing
what was done essentially in EAP-TLS. I think this would be supported
the MISSI misson, too, moving use slowly towards the additional
benefits of hardware assurance engineering.

I don't like GSSAPI, technically; never have, personally; it always reminded
me of the Nortel/X.509 authentication framework for layer-independent
peer-entity "strong authentication". But, in the IETF tradition, the move I
hint at would be more than technically possible; it would be politically
appropriate. Just as EAP-TLS was done outside TLS WG, this work might
be done similarly beyond, in a nuveau GSSAPI-related work item, if it
struggles to get adopted, here.

----- Original Message -----
From: <home_pw@msn.com>
To: <tls@ietf.org>
Sent: Friday, December 29, 2006 6:23 PM
Subject: Re: [TLS] Re: WGLC: draft-ietf-tls-srp-13

>
>> (as FIPS 800-56B drafts are not available to the likes of me.)
>
>
> I've been attempting to deconstruct what I understand NIST's position on
> next generation RSA ciphersuites to be (from what I assume 800-56B to 
> say):-
>
> Based on the way 800-56A discusses the role of RSA (or other) key 
> transport.
>
> One uses DH in the users' national identity cards to agree a random
> secret,  which has the important property of "bi-lateral key confirmation"
> implicit to the math of the DH/KEA etc. This agreement process may include
> certain DH ephemerals in addition to statics, and a UKM nonce. This 
> process
> satisfies the writer-to-reader rules.
>
> One may use RSA as an IK to transport to several parties the "secret" 
> value to
> the authorized HSMs associated with one or more user (e.g. one's TPM-based 
> SSL CSP,
> or a broadcast community of HSMs). The crypto device uses a 
> parameterized-KDF to
> transform the value into a KEK, which unwraps the keying materials (and 
> mac secrets)
> used in the SSL HSMs. Presumably, the KDF enforces TPM assurance controls, 
> preventing
> key derivation when the secret is not assured to be from authorized id 
> cards (validated
> using "tri-lateral key confirmation" using some unstated method (e.g. HSM 
> certs)).
>
> "Key confirmation" would have to be trilateral, if there is key 
> confirmation
> by a "third party" - the community of authorized crypto devices.
>
> The final KDF (per connection) in SSL finished protocol takes into account 
> the roles
> of the 2 or more SSL  parties, currently hashes of the terms "client" and 
> "server"
>
> ------------
>
> For fun one can extrapolate, doctrinally:-
>
> One can define a role for TLS Evidence, which exist to audit such 
> handshakes, using
> a dig sig of the handshake hashes (and store the handshake plaintexts).
> Presumably, the router/ISP can enforce policy to (a) interdict certain 
> flows (b) record
> certain auditable handshake plaintexts. 


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email