On Fri, May 29, 2009 at 09:21:27AM +0200, Simon Josefsson wrote:
Nicolas Williams <Nicolas.Williams@xxxxxxx> writes:
Note that there's no reference to tls-server-end-point in the above
proposal. And notice that the server knows what channel binding
type
the client chose.
That would work, but I'm not sure it is required. I don't see what
advantage that gives over the current situation of not sending the
channel binding type and specifying that tls-unique (or
tls-server-end-point) should be used?
First, we do send the channel binding type _now_, just not on the
"outside" (from the GSS-API perspective), where we actually need it.
The reason we need the channel binding type on the "outside" is this:
suppose we've added channel binding type negotiation and a server
supports multiple channel binding types, then how is the server to
know
which channel binding type the client chose? One answer would be:
through the name of the mechanism that the client chose -- but this
gets
us into the N*M mechanism name registration issue. A better answer is
to just put the channel binding type in the GS2 header, then the
server
can just inspect that.
The sum total changes to SCRAM/GS2 would be:
- New text to describe the default channel binding type agreement
process.
- New text and ABNF to describe the new GS2 header field.
Comments?
For the negotiation, I prefer the scheme with explicit channel
binding
type negotiation in the mechanism name:
SCRAM-SHA-1 (no channel binding)
SCRAM-SHA-1-TLS-UNIQUE
SCRAM-SHA-1-TLS-SERVER-END-POINT
I will not agree to that. I've already explained that an N*M
mechanism
name registration problem is unacceptable. I can't imagine why you'd
find it acceptable. Perhaps you think that M will never exceed 2?