ietf-sasl
Re: Poll: use of TLS channel bindings in SCRAM Jeffrey Hutzelman Fri May 29 16:00:32 2009
--On Friday, May 29, 2009 05:05:40 PM -0500 Nicolas Williams <[EMAIL PROTECTED]> wrote:
> On Fri, May 29, 2009 at 06:02:39PM -0400, Jeffrey Hutzelman wrote:
> > --On Friday, May 29, 2009 02:47:39 PM -0700 Kurt Zeilenga <[EMAIL PROTECTED]> wrote:
> > > I am a bit concerned that the current proposal might preclude certain
> > > negotiation strategies from consideration as they would be difficult to
> > > retrofit in. In particular, I am concerned that the current proposal
> > > might preclude purely in-the-mechanism-exchange negotiation of channel
> > > binding types.
> >
> > You mean, a strategy in which each mechanism is responsible for managing negotiation of channel binding types, and we don't get to do that negotiation until after we've selected a mechanism?
>
> That's not quite my interpretation of what Kurt wants. Kurt is not being terribly clear. His primary goal is clearly to allow for YAP and its dependence on unique channel binding types.
>
> > It does preclude it for GS2/SCRAM, short of modifying the mechanism, but I
>
> No, it doesn't -- I think you misinterpreted Kurt's comment.
It precludes a multi-level model in which on-the-wire negotiation of channel binding types is done within the mechanism's protocol elements, and the client does not find out what channel binding types the server is willing to support until the client has already committed to a mechanism.
It does not preclude a model in which the set of supported channel binding types depends on which mechanism is used, or alternately in which the set of mechanisms available depends on which channel binding type is to be used, provided that such information is made available before the client commits to a GS2 mechanism.
-- Jeff