Re: [TLS] [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)

To: Pasi.Eronen at nokia.com
Subject: Re: [TLS] [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
From: Nicolas Williams <Nicolas.Williams at sun.com>
Date: Wed, 4 Nov 2009 11:55:37 -0600
Cc: simon at josefsson.org, channel-binding at ietf.org, sasl at ietf.org, tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <808FD6E27AD4884E94820BC333B2DB774E7F7C5641 at NOK-EUMSG-01.mgdnok.nokia.com>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <20091005162704.8C1B43A6873 at core3.amsl.com> <D3DC9D45B39CFC4CB312B2DD279B354C29BAE0E5 at TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com> <87ocnrpq0f.fsf at mocca.josefsson.org> <87hbtjppfa.fsf at mocca.josefsson.org> <808FD6E27AD4884E94820BC333B2DB774E7F7C5641 at NOK-EUMSG-01.mgdnok.nokia.com>
User-agent: Mutt/1.5.7i

On Wed, Nov 04, 2009 at 03:34:38PM +0100, Pasi.Eronen at nokia.com wrote:
> Simon Josefsson wrote:
> > This reminded me of an earlier observation, and it might be relevant
> > to re-iterate it here.  Consider this:
> > 
> > Day 1:
> > 
> > 1. Client establish TLS anon-anon to server.
> > 2. User authenticates using SCRAM with channel binding to the TLS
> >    channel
> > 3. User/client disconnects
> > 
> > Day 2:
> > 
> > 4. Client resumes the TLS anon-anon connection
> > 5. Client rehandshake with X.509 client + server authentication
> > 6. User authenticates using SCRAM with channel binding to the
> >    TLS channel
> > 7. User/client disconnects
> > 
> > Day 3:
> > 
> > 7. Client resumes the TLS session
> > 8. Client rehandshake it as anon-anon
> > 9. User authenticates using SCRAM with channel binding to the
> >    TLS channel
> > 10. User/client disconnects
> > 
> > With draft-altman-tls-channel-bindings-07, the channel binding data
> > used in all three SCRAM authentications is the same bit sequence.
> 
> That certainly was not the intent (the Finished messages used by
> SCRAM would be from steps 1, 4, and 7 -- and they're all different).

Indeed, that's absolutely not the intent.  The intent is that you use
the first client Finished message sent on each of those "connections".

Note, incidentally, that Simon's view of how tls-unique was intended to
work, would not be flawed, cryptographically.  It wouldn't interoperate
with other implementations, and it'd be hard to implement (since it
means updating saved session state).  It would conflict the very name of
the channel binding type and it's description as being a "unique"
channel binding type in the RFC5056 sense -- that should be the biggest
clue that Simon's interpretation is incorrect.

I have a very, very hard time understanding how this might not by now be
clear.  It doesn't help that TLS doesn't have a name for the entity from
which we're extracting the channel binding, but that's the only real
problem here.

I also have a very, very hard time understanding how the previous text
could have led anyone to think that TCP connection state should track
TLS channel binding data.  RFC5246 may not have a name for the entity...
but it does speak of "TLS connections", which you can see from the
naming of section 6.1: "Connection States".

Nonetheless I'm happy to revise text to make this matter clearer.  I'd
be happy even to introduce text naming that entity which RFC5246 does
not name.

Nico
--

References:
- [TLS] Last Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard
  - From: The IESG
- Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
  - From: Larry Zhu
- Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
  - From: Simon Josefsson
- Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
  - From: Simon Josefsson
- Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
  - From: Pasi.Eronen

Prev by Date: Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard))
Next by Date: Re: [TLS] [CHANNEL-BINDING] RESOLVED (Re: [sasl] lasgt call comments (st Call:
Previous by thread: Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
Next by thread: Re: [TLS] [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
Index(es):
- Date
- Thread

Re: [TLS] [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.