Re: Updated SASL And Channel Binding document (-03)
On Tue, May 26, 2009 at 10:59:40PM +0100, Alexey Melnikov wrote:
> In the effort of getting SCRAM published sooner, I am not going to argue
> this point for much longer.
Well, I think we need to resolve the issue, one way or another, before
SCRAM can progress. See also my follow-up with subject line "Request
for consensus call on channel binding type negotiation".
> Nicolas Williams wrote:
> >On Tue, May 26, 2009 at 09:44:13PM +0200, Simon Josefsson wrote:
> >>My preference is also the unique channel binding.
> >>
> >>
> For the record - so is mine.
It used to be mine as well. Microsoft engineers and Chris Newman
changed my mind on that (see below).
> >It won't work when using TLS concentrators. Therefore a preference for
> >tls-unique bindings is a recipe for non-interoperability.
> >
> I am not convinced that is going to be the case. When answering this
> question people are assuming that TLS concentrator case is going to be
> more or less widespread than the case of TLS-used-without-X.509.
Seriously? I've not used many non-web services that use TLS outside of
corporate environments, and in those the norm is to use a server cert.
Moreover, when the deployer doesn't know how to find and follow proper
procedures to obtain a suitable server certificate, the deployer almost
always uses a self-signed cert rather than configure the service to not
use x.509 at all. Of course, in the case of self-signed certs there's
not likely to be any concentrators, but in the other cases I've
certainly seen concentrators. Sun's internal IMAP service, for example,
uses TLS concentrators, and it uses server certs.
> >Therefore I reject it.
> >
> You might end up being in the rough part of the consensus.
Perhaps so.
> If you have some numbers that can persuade people that your TLS
> concentrator case is more widespread than TLS-used-without-X.509, then
> you might be able to change my mind. But so far I am not convinced.
I use services where TLS concentrators are used.
Also, Chris Newman supports a messaging product which is designed to
separate TLS (and, separately, SASL) from other parts of the
implementation. Treating such implementations as equivalent to using
concentrators is the simplest way to add support for channel binding,
and IIRC Chris has stated that that's his preferred approach.
Microsoft engineers too felt that support for environments where TLS
concentrators are used was crucial.
Nico
--
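To make the concentrator argument concrete, here is an added illustration (not code from this thread or from any SCRAM implementation) of why tls-unique and tls-server-end-point behave differently when a TLS concentrator sits in front of the backend. It assumes Python, constructed placeholder bytes in place of real certificates and Finished messages, SHA-256 for tls-server-end-point, and a concentrator that presents the same certificate the backend is configured with.

```python
import base64
import hashlib

# Constructed sample values, not real TLS traffic.
SERVER_CERT_DER = b"constructed DER bytes of the service certificate"
FINISHED_CLIENT_TO_CONCENTRATOR = b"constructed Finished, client<->concentrator"
FINISHED_CONCENTRATOR_TO_BACKEND = b"constructed Finished, concentrator<->backend"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 tls-server-end-point: a hash of the server's certificate.
    SHA-256 is assumed here; RFC 5929 picks the hash from the certificate's
    signature algorithm, and SHA-256 is the usual result."""
    return hashlib.sha256(cert_der).digest()


def tls_unique(first_finished: bytes) -> bytes:
    """RFC 5929 tls-unique: the first TLS Finished message of *this* connection."""
    return first_finished


def scram_c_attribute(cb_type: str, cb_data: bytes) -> str:
    """SCRAM 'c=' attribute: base64(gs2-header || cb-data), with the
    gs2-header 'p=<cb-type>,,' announcing the channel binding type."""
    gs2_header = f"p={cb_type},,".encode("ascii")
    return base64.b64encode(gs2_header + cb_data).decode("ascii")


def binding_matches(cb_type: str, concentrator: bool) -> bool:
    """Does the backend's recomputed 'c=' equal the one the client sent?

    Assumption: the concentrator presents the certificate the backend is
    configured with, so both ends can compute tls-server-end-point.
    tls-unique is per TLS connection: the client binds to its own hop, while
    a backend behind a concentrator only sees the concentrator's hop.
    """
    if cb_type == "tls-unique":
        client_cb = tls_unique(FINISHED_CLIENT_TO_CONCENTRATOR)
        backend_cb = tls_unique(FINISHED_CONCENTRATOR_TO_BACKEND if concentrator
                                else FINISHED_CLIENT_TO_CONCENTRATOR)
    elif cb_type == "tls-server-end-point":
        client_cb = tls_server_end_point(SERVER_CERT_DER)
        backend_cb = tls_server_end_point(SERVER_CERT_DER)
    else:
        raise ValueError(f"unknown channel binding type: {cb_type}")
    return scram_c_attribute(cb_type, client_cb) == scram_c_attribute(cb_type, backend_cb)
```

With the concentrator in place, binding_matches("tls-unique", True) is False while binding_matches("tls-server-end-point", True) is True, which is the interoperability concern raised above.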