[TLS] charter comparisons, providing wider rationale for GSSAPI
<home_pw@msn.com> Sat, 30 December 2006 19:54 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H0kHS-00044z-4N; Sat, 30 Dec 2006 14:54:10 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H0kHQ-00044u-Ij for tls@ietf.org; Sat, 30 Dec 2006 14:54:08 -0500
Received: from bay0-omc3-s4.bay0.hotmail.com ([65.54.246.204]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H0kHP-0000fq-4n for tls@ietf.org; Sat, 30 Dec 2006 14:54:08 -0500
Received: from hotmail.com ([65.54.174.78]) by bay0-omc3-s4.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Sat, 30 Dec 2006 11:54:06 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sat, 30 Dec 2006 11:54:06 -0800
Message-ID: <BAY103-DAV6EEDF1D53D610B55BC09492C50@phx.gbl>
Received: from 69.227.152.254 by BAY103-DAV6.phx.gbl with DAV; Sat, 30 Dec 2006 19:54:04 +0000
X-Originating-IP: [69.227.152.254]
X-Originating-Email: [home_pw@msn.com]
X-Sender: home_pw@msn.com
From: home_pw@msn.com
To: tls@ietf.org
Date: Sat, 30 Dec 2006 11:54:18 -0800
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail desktop 8.0.1223
X-MimeOLE: Produced By Microsoft MimeOLE V8.0.1223
X-OriginalArrivalTime: 30 Dec 2006 19:54:06.0577 (UTC) FILETIME=[438C8E10:01C72C4C]
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 9a2be21919e71dc6faef12b370c4ecf5
Cc:
Subject: [TLS] charter comparisons, providing wider rationale for GSSAPI
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
If I look at IETF as a whole, we have arguably deviated from the proposed http://lists.w3.org/Archives/Public/ietf-tls/1996JanMar/0001.html On the one hand we have successfully borrowed from kerberos some key management techniques, from the wireless world we borrowed a little PSK, and may yet be borrowing some more from GSS_API tokens & MISSI wrapping mechanism. We obviously borrowed from PKIX and its long line of forbears, though its "NR control" monster looms, threateningly. Politics has evidently agitated against more fundamental shifts, to the models of SRP, however, On the other hand, we experiment with EAP-TLS, where the handshake is used as a "general purpose authentication" mechanism by PPP - which is not "above the transport layer" and may exhibit "inappropriate generalization". If one contrasts EAL-TLS with the originally-proposed charter, however, it's use offers tribute to the SSL architecture! It features tuned message pipelining, connectionless fragmentation handling, custom key derivation, and more. This could all have been specified much more cleanly, within the architcture, but presumably doctrine got in the way. One cannot claim that PPP EAP is competing with the security architecture of IPSEC/ISAKMP and, despite "inappropriate" generalization of the security handshake and the ciphersuite negotiation, it is consistent with "secure IP is outside the scope...". That EAP-TLS even finds itself playing at the link layer is a bid sad, for the internet security architecture and its designers' judgments. If we step back, however, what is perhaps missing still is for GSS_API to now complete Tajer's final mission statement, and specify "SSL token exchange" as an alternative handshake-mechanism, registered using GSSAPI norms. If SSL adopts GSS-API's negotiation of opaque tokens, there could be a valuable reciprocity - where GSS-API enables other applications to use the SSL handshake as a single (negotiable) mechanism - regularizing what was done essentially in EAP-TLS. I think this would be supported the MISSI misson, too, moving use slowly towards the additional benefits of hardware assurance engineering. I don't like GSSAPI, technically; never have, personally; it always reminded me of the Nortel/X.509 authentication framework for layer-independent peer-entity "strong authentication". But, in the IETF tradition, the move I hint at would be more than technically possible; it would be politically appropriate. Just as EAP-TLS was done outside TLS WG, this work might be done similarly beyond, in a nuveau GSSAPI-related work item, if it struggles to get adopted, here. ----- Original Message ----- From: <home_pw@msn.com> To: <tls@ietf.org> Sent: Friday, December 29, 2006 6:23 PM Subject: Re: [TLS] Re: WGLC: draft-ietf-tls-srp-13 > >> (as FIPS 800-56B drafts are not available to the likes of me.) > > > I've been attempting to deconstruct what I understand NIST's position on > next generation RSA ciphersuites to be (from what I assume 800-56B to > say):- > > Based on the way 800-56A discusses the role of RSA (or other) key > transport. > > One uses DH in the users' national identity cards to agree a random > secret, which has the important property of "bi-lateral key confirmation" > implicit to the math of the DH/KEA etc. This agreement process may include > certain DH ephemerals in addition to statics, and a UKM nonce. This > process > satisfies the writer-to-reader rules. > > One may use RSA as an IK to transport to several parties the "secret" > value to > the authorized HSMs associated with one or more user (e.g. one's TPM-based > SSL CSP, > or a broadcast community of HSMs). The crypto device uses a > parameterized-KDF to > transform the value into a KEK, which unwraps the keying materials (and > mac secrets) > used in the SSL HSMs. Presumably, the KDF enforces TPM assurance controls, > preventing > key derivation when the secret is not assured to be from authorized id > cards (validated > using "tri-lateral key confirmation" using some unstated method (e.g. HSM > certs)). > > "Key confirmation" would have to be trilateral, if there is key > confirmation > by a "third party" - the community of authorized crypto devices. > > The final KDF (per connection) in SSL finished protocol takes into account > the roles > of the 2 or more SSL parties, currently hashes of the terms "client" and > "server" > > ------------ > > For fun one can extrapolate, doctrinally:- > > One can define a role for TLS Evidence, which exist to audit such > handshakes, using > a dig sig of the handshake hashes (and store the handshake plaintexts). > Presumably, the router/ISP can enforce policy to (a) interdict certain > flows (b) record > certain auditable handshake plaintexts. _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls