Re: [TLS] SAS extension?

The more I read about SAS, the more I wonder about applicability, too.

In the XMPP community we have worked on a technology for end-to-end encryption of messaging sessions (a.k.a. encryption sessions, see [1]), and it has a SAS feature, but it's not clear to me if that feature is well-specified with regard to the channel in which the SAS could be communicated (we can't use the XMPP channel, because we're trying to bootstrap that channel). In any case we have now begun investigating more seriously the use of TLS for end-to-end encryption of XMPP traffic, both in the link-local case and over the typical XMPP client-server architecture (see [2], [3], and [4]). Those developers who have implemented the encrypted sessions technology think its SAS feature is nifty and would like to have that feature in the TLS-based technology as well. But as you say, the SAS would need to be communicated at least via a different channel and preferably via a trustworthy channel. Developers seem to think that communicating it via PSTN is sufficient, but doing so would mean only that an attacker would need to control two channels, not that the second channel is trustworthy. So we need to research what might function as a trustworthy channel (e.g., encrypted email).

Whether Aunt Tillie would even check the SAS (or any other credential) properly is another matter, but that's a separate topic...

Peter

[1] http://www.xmpp.org/extensions/xep-0116.html
[2] http://www.xmpp.org/extensions/xep-0246.html
[3] http://www.xmpp.org/extensions/xep-0174.html
[4] http://www.xmpp.org/extensions/xep-0247.html


Eric Rescorla wrote:
As Pasi says, this is quite doable technically, but I
wonder about applicability.

SAS-type systems only work well if you have a trustworthy channel to
use to communicate the short authenticator. What did you have in mind
using for that channel?

-Ekr


At Wed, 30 Jul 2008 21:39:52 +0300,
<Pasi.Eronen at nokia.com> wrote:
There have been some earlier efforts, but AFAIK they're
not actively worked on:

http://tools.ietf.org/html/draft-fischl-sipping-media-dtls-01
(Section 8.5)

https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-mcgrew-tls-sas.txt

You might want to contact the authors of those drafts
to discuss more (well, many of them are probably subscribed
to this mailing list, too :).

Best regards,
Pasi

-----Original Message-----
From: Peter Saint-Andre
Sent: 29 July, 2008 23:20
To: tls at ietf.org
Subject: [TLS] SAS extension?

In the XMPP community we are defining a way to use TLS for end-to-end encryption. We'd love to use short authentication strings (SAS) for identity verification. As far as I can see no one has worked on a TLS extension for SAS. Is there interest in doing so? I'd be happy to help write an I-D on this topic, but I'm not a TLS or security expert so it might not be appropriate for me to lead the effort.

Thanks!

Peter

--
Peter Saint-Andre
https://stpeter.im/
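
The point raised in the message above, that a SAS comparison is only as strong as the channel that carries it, shown as an added example that is not part of the original thread. The SAS derivation (a truncated SHA-256 over the two public keys each endpoint saw), the constructed sample keys and every function name are assumptions made for illustration; this is not the derivation of XEP-0116 or of any TLS draft.

```python
import hashlib

SAS_DIGITS = 6  # assumed length; the thread does not specify one


def key(label: str) -> bytes:
    """Constructed stand-in for a party's public key."""
    return hashlib.sha256(label.encode()).digest()


def sas(own_key: bytes, peer_key: bytes) -> str:
    """Assumed derivation: truncated hash of the two keys this endpoint saw."""
    first, second = sorted((own_key, peer_key))  # same result at both ends
    digest = hashlib.sha256(b"sas-demo" + first + second).digest()
    number = int.from_bytes(digest[:8], "big") % 10**SAS_DIGITS
    return str(number).zfill(SAS_DIGITS)


def session(intercepted: bool):
    """Return each endpoint's (own key, key seen for the peer)."""
    alice, bob = key("alice"), key("bob")
    if intercepted:
        mallory = key("mallory")  # key substituted in both directions
        return (alice, mallory), (bob, mallory)
    return (alice, bob), (bob, alice)


def honest_channel(spoken_sas: str, listener_view) -> str:
    return spoken_sas  # second channel delivers the value unchanged


def controlled_channel(spoken_sas: str, listener_view) -> str:
    # Whoever controls both channels knows the keys the listener saw and can
    # replace the spoken value with the one the listener expects.
    return sas(*listener_view)


def compare(alice_view, bob_view, second_channel) -> bool:
    """Alice sends her SAS over the second channel; Bob checks it against his."""
    heard = second_channel(sas(*alice_view), bob_view)
    return heard == sas(*bob_view)


if __name__ == "__main__":
    for intercepted in (False, True):
        a, b = session(intercepted)
        for channel in (honest_channel, controlled_channel):
            print(intercepted, channel.__name__, compare(a, b, channel))
```
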

_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls