[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Poll: use of TLS channel bindings in SCRAM

To: Alexey Melnikov <alexey.melnikov@xxxxxxxxx>
Subject: Re: Poll: use of TLS channel bindings in SCRAM
From: Kurt Zeilenga <Kurt.Zeilenga@xxxxxxxxx>
Date: Sun, 7 Jun 2009 05:12:20 -0700
Cc: SASL WG <ietf-sasl@xxxxxxx>
In-reply-to: <4A1F06CF.80505@xxxxxxxxx>
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
References: <4A1F06CF.80505@xxxxxxxxx>
Sender: owner-ietf-sasl@xxxxxxxxxxxx

After some additional thought and consideration, I change mypreference to:


4a (just change the text to require tls-unique)

5 (adds some words that additional text that channel bind type agilityis provided via mechanism name).

I have decided not to support providing any channeling binding"downgrade" protection in the mechanism. This because I believe themechanism downgrade mechanism is sufficient to protect against attacksI think would be likely, and the suggested approaches not necessarilysufficient to cover attacks that might eventual come. For instance,if we were to not only have a channel binding type negotiationfacility (such as what Jeffrey proposed) but a Security Labelnegotiation facility, and maybe a hash algorithm negotiation facility,or maybe a combined "mechanism property" negotiation facility, I wouldwant that negotiation facility to provide a downgrade protection. Offhand, I cannot think of how to deal with downgrade now withoutdiscussing the particulars of the negotiation facility, so I ratherdefer this (and just hope we have enough extension capability in GS2/SCRAM) to deal with such).


-- Kurt

On May 28, 2009, at 2:49 PM, Alexey Melnikov wrote:

I've discussed channel bindings with Nico in jabber and we agreedthat we need to get WG consensus on how TLS channel bindings shouldbe used with SCRAM.Please provide an orded list of alternatives you find acceptablefrom the choices listed below. (Please restrict discussions ofvariants of these choices at the moment. I will do another poll onsuch choices later, depending on the outcome of this poll. Also,please read notes for the choices before answering). Please answerthe poll by the end of June 7th.
1). SCRAM should just use a single allowed TLS channel binding anddon't have any negotiation of other TLS channel bindings (*) (**)
a). the default is tls-unique
b). the default is tls-server-end-point
2). SCRAM should just use tls-server-end-point, fallback to tls-unique, no negotiation of other TLS channel bindings (*)
3). SCRAM should always use channel binding negotiation (*)
4). SCRAM should have a default TLS channel binding with optionalnegotiation of TLS channel bindings (*)
a). the default is tls-unique
b). the default is
5). I have another opinion [this is for the case when there is somevalid choice which you think should be considered by the WG]
Notes:
(*) - whether such negotiation happens inside or outside of SCRAM
(**) - channel binding negotiation can be added later on

Follow-Ups:
- Re: Poll: use of TLS channel bindings in SCRAM
  - From: Sam Hartman

References:
- Poll: use of TLS channel bindings in SCRAM
  - From: Alexey Melnikov

Prev by Date: Re: Poll: use of TLS channel bindings in SCRAM
Next by Date: Re: Poll: use of TLS channel bindings in SCRAM
Previous by thread: Re: Poll: use of TLS channel bindings in SCRAM
Next by thread: Re: Poll: use of TLS channel bindings in SCRAM
Index(es):
- Date
- Thread