[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [CHANNEL-BINDING] TLS endpoint channel bindings in SCRAM
- To: Nicolas Williams <Nicolas.Williams@xxxxxxx>
- Subject: Re: [CHANNEL-BINDING] TLS endpoint channel bindings in SCRAM
- From: Simon Josefsson <simon@xxxxxxxxxxxxx>
- Date: Thu, 02 Apr 2009 10:27:18 +0200
- Cc: Dave Cridland <dave@xxxxxxxxxxxx>, Mark Novak <Mark.Novak@xxxxxxxxxxxxx>, channel-binding@xxxxxxxx, Stefan Santesson <stefans@xxxxxxxxxxxxx>, Larry Zhu <lzhu@xxxxxxxxxxxxxxxxxxxxx>, ietf-sasl@xxxxxxx, Paul Leach <paulle@xxxxxxxxxxxxxxxxxxxxx>, Kevin Damour <kdamour@xxxxxxxxxxxxx>, Jeffrey Altman <jaltman@xxxxxxxxxxxxxxxxxxxx>, Sam Hartman <hartmans-ietf@xxxxxxx>
- In-reply-to: <20090401225220.GA1500@xxxxxxx> (Nicolas Williams's message of "Wed, 1 Apr 2009 17:52:20 -0500")
- List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
- List-id: <ietf-sasl.imc.org>
- List-unsubscribe: <mailto:email@example.com?body=unsubscribe>
- Openpgp: id=B565716F; url=http://josefsson.org/key.txt
- References: <5690.1237934257.266964@xxxxxxxxxxxxxxxxxxxxxxxx> <20090401225220.GA1500@xxxxxxx>
- Sender: owner-ietf-sasl@xxxxxxxxxxxx
- User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.90 (gnu/linux)
Nicolas Williams <Nicolas.Williams@xxxxxxx> writes:
>> Finally, I'd propose that SCRAM mandates support for the
>> 'tls-x509-end-point' channel binding for the applicable cases as a
>> reasonable fallback when support for the more flexible and
>> future-proof tls-server-end-point binding is not available.
>> Now I'll wait to get shot down in flames. :-)
> No flames. I think we could do a channel binding type just for SCRAM
> (we did one just for TELNET, after all). But I think I'd want "DER" in
> the name, that and the hash function name too.
I don't think that will work -- TLS isn't just X.509. TLS supports
OpenPGP server certs. Generally, TLS can support other forms of server
I don't want to see SCRAM require use of X.509 server certificates if we
can avoid it.
It seems simple to avoid that here: just request the necessary features
from TLS stacks. If we don't do that now, we likely won't do it next
time we need a channel binding for some application protocol, and then
TLS interfaces will never have this feature. Nico volunteered to help
with this for OpenSSL, and I can volunteer to do it for GnuTLS. We knew
from the start that channel bindings would require changes to TLS
stacks. The major native C libraries have already been adapted, I
believe, so what remains are any language bindings. That seems like
Just A Simple Matter Of Programming.
The alternative is to make channel binding type negotiable, something I
recall discussing at lengths earlier. Nothing came out of that, so RFC
5056 does not support any negotiation. I'm not sure how well it would
work to add that feature for SCRAM? But it could be explored.