[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: TLS endpoint channel bindings in SCRAM

To: Dave Cridland <dave@xxxxxxxxxxxx>
Subject: Re: TLS endpoint channel bindings in SCRAM
From: Nicolas Williams <Nicolas.Williams@xxxxxxx>
Date: Thu, 2 Apr 2009 16:40:44 -0500
Cc: ietf-sasl@xxxxxxx
In-reply-to: <20090402162123.GS1500@xxxxxxx>
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
References: <5690.1237934257.266964@xxxxxxxxxxxxxxxxxxxxxxxx> <20090402162123.GS1500@xxxxxxx>
Sender: owner-ietf-sasl@xxxxxxxxxxxx
User-agent: Mutt/1.5.7i

On Thu, Apr 02, 2009 at 11:21:23AM -0500, Nicolas Williams wrote:
> Simon points out that TLS supports non-PKIX certificates.

Actually, that's true, but the way RFC5081 adds support for OpenPGP
certs happens to not work with tls-server-end-point bindings because
there's no certificate_list field in the Certificate message when
OpenPGP certs are negotiated.  It would not be difficult to change
tls-server-end-point to cover the use of OpenPGP certs.

Aside: if I read RFC5081 correctly it seems that you can't negotiate the
use of OpenPGP certs for user certs but not for server certs, and vice
versa.  Odd!

Follow-Ups:
- Re: TLS endpoint channel bindings in SCRAM
  - From: Simon Josefsson

References:
- TLS endpoint channel bindings in SCRAM
  - From: Dave Cridland
- Re: TLS endpoint channel bindings in SCRAM
  - From: Nicolas Williams

Prev by Date: Re: A minor problem with SCRAM-HMAC-SHA-1-PLUS mechanism name
Next by Date: Re: TLS endpoint channel bindings in SCRAM
Previous by thread: Re: TLS endpoint channel bindings in SCRAM
Next by thread: Re: TLS endpoint channel bindings in SCRAM
Index(es):
- Date
- Thread