[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)

From: Simon Josefsson <simon at josefsson.org>
To: Larry Zhu <larry.zhu at microsoft.com>
Cc: "channel-binding at ietf.org" <channel-binding at ietf.org>, "tls at ietf.org" <tls at ietf.org>, "sasl at ietf.org" <sasl at ietf.org>
Date: Wed, 28 Oct 2009 15:24:09 +0100
In-reply-to: <87ocnrpq0f.fsf at mocca.josefsson.org> (Simon Josefsson's message of "Wed, 28 Oct 2009 15:11:28 +0100")
References: <20091005162704.8C1B43A6873 at core3.amsl.com> <D3DC9D45B39CFC4CB312B2DD279B354C29BAE0E5 at TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com> <87ocnrpq0f.fsf at mocca.josefsson.org>

Simon Josefsson <simon at josefsson.org> writes:

> http://josefsson.org/sasl-gs2/draft-josefsson-sasl-tls-cb-02.txt
>
> It makes sure to bind the channel binding uniquely to BOTH the current
> connection and the current session.  The
> draft-altman-tls-channel-bindings-07 document only binds to the current
> TLS connection.  So from this perspective, my work has the same issue,
> but it is different in other aspects.

This reminded me of an earlier observation, and it might be relevant to
re-iterate it here.  Consider this:

Day 1:

1. Client establish TLS anon-anon to server.
2. User authenticates using SCRAM with channel binding to the TLS
   channel
3. User/client disconnects

Day 2:

4. Client resumes the TLS anon-anon connection
5. Client rehandshake with X.509 client + server authentication
6. User authenticates using SCRAM with channel binding to the
   TLS channel
7. User/client disconnects

Day 3:

7. Client resumes the TLS session
8. Client rehandshake it as anon-anon
9. User authenticates using SCRAM with channel binding to the
   TLS channel
10. User/client disconnects

With draft-altman-tls-channel-bindings-07, the channel binding data used
in all three SCRAM authentications is the same bit sequence.  That means
there is only an indirect cryptographic binding between the SCRAM user
authentication and the X.509 client authentication.

/Simon

Follow-Ups:
- Re: [sasl] [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
  - From: Pasi.Eronen

References:
- [sasl] Last Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard
  - From: The IESG
- Re: [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
  - From: Larry Zhu
- Re: [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
  - From: Simon Josefsson

Prev by Date: Re: [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
Next by Date: Re: [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
Previous by thread: Re: [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
Next by thread: Re: [sasl] [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.