A note about channel bindings
Sam points out that in SASL what we want out of channel bindings is to
affect the negotiation of security layers. If a channel being bound to
provides integrity and confidentiality protection then the application
won't want to use a SASL mechanism's own security layers -- it's a
waste.
In the GSS-API world there's no security layers -- just per-message
tokens, and which to use, if any, is entirely up to the application, but
in the SASL world SASL is involved in the negotiation of post-
establishment session protection.
It may be that the best thing to do for SASL/GS2 channel bindings is
that the first wrap token should include the channel bindings, if any,
and security layers preferences for the cases that the binding succeeds
and for when it fails, and the second wrap token should indicate binding
success/failure and cause security layer selection accordingly.
Nico
--
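The two-wrap-token exchange sketched in the message, modelled as an added example (not code from the post or from any SASL/GS2 implementation). The layer names, the token fields, the "both sides present and equal" test for binding success and the rule that the first client-preferred layer the server also offers wins are all assumptions:

```python
from dataclasses import dataclass
from typing import Optional, Tuple
import hmac

# Assumed layer vocabulary, weakest first.
LAYERS = ("none", "integrity", "confidentiality")


@dataclass
class FirstToken:
    """Client's first wrap token (assumed layout)."""
    channel_binding: Optional[bytes]   # client's view of the channel, e.g. a tls-unique value
    layers_if_bound: Tuple[str, ...]   # acceptable layers if the binding succeeds
    layers_if_unbound: Tuple[str, ...] # acceptable layers if it fails or is absent


@dataclass
class SecondToken:
    """Server's second wrap token: binding outcome plus the selected layer."""
    bound: bool
    layer: Optional[str]               # None means no common layer; caller should abort


def client_first(channel_binding, layers_if_bound, layers_if_unbound):
    for layer in tuple(layers_if_bound) + tuple(layers_if_unbound):
        if layer not in LAYERS:
            raise ValueError("unknown layer %r" % layer)
    return FirstToken(channel_binding, tuple(layers_if_bound), tuple(layers_if_unbound))


def server_second(token, server_binding, server_offer):
    # Binding succeeds only when both sides supply a value and the values match;
    # compare in constant time so a mismatch leaks nothing about the bytes.
    bound = (token.channel_binding is not None and server_binding is not None
             and hmac.compare_digest(token.channel_binding, server_binding))
    prefs = token.layers_if_bound if bound else token.layers_if_unbound
    for layer in prefs:                # client preference order decides among common layers
        if layer in server_offer:
            return SecondToken(bound, layer)
    return SecondToken(bound, None)


if __name__ == "__main__":
    # Constructed sample: the channel already protects the data, so the client
    # wants no SASL layer if bound, but confidentiality if the binding fails.
    cb = b"constructed-tls-unique-value"
    first = client_first(cb, ("none",), ("confidentiality", "integrity"))
    print(server_second(first, cb, LAYERS))           # bound, layer "none"
    print(server_second(first, b"other-value", LAYERS))  # unbound, layer "confidentiality"
```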