Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
Simon Josefsson wrote:
> This reminded me of an earlier observation, and it might be relevant
> to re-iterate it here. Consider this:
>
> Day 1:
>
> 1. Client establish TLS anon-anon to server.
> 2. User authenticates using SCRAM with channel binding to the TLS
> channel
> 3. User/client disconnects
>
> Day 2:
>
> 4. Client resumes the TLS anon-anon connection
> 5. Client rehandshake with X.509 client + server authentication
> 6. User authenticates using SCRAM with channel binding to the
> TLS channel
> 7. User/client disconnects
>
> Day 3:
>
> 7. Client resumes the TLS session
> 8. Client rehandshake it as anon-anon
> 9. User authenticates using SCRAM with channel binding to the
> TLS channel
> 10. User/client disconnects
>
> With draft-altman-tls-channel-bindings-07, the channel binding data
> used in all three SCRAM authentications is the same bit sequence.
That certainly was not the intent (the Finished messages used by
SCRAM would be from steps 1, 4, and 7 -- and they're all different).
Can you check if the latest text proposals (Nico's email on
October 30th, starting "I spoke at length with Larry", and
my email earlier today) make the situation clearer?
Best regards,
Pasi
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
