Greg Hudson wrote:
On Mon, 2007-12-10 at 10:20 -0800, Justin Karneges wrote:

I don't understand this talk about the SASL negotiation being attacked by a
MITM when it is taking place over TLS. There is brief mention of Bob
possibly not having a certificate or Alice not trusting Bob's CA. Does this
mean the channel binding problem only affects anonymous/unauthenticated TLS?

It strengthens your security properties in cases where you trust your
SASL authentication mechanism more than you trust the TLS authentication
mechanism.

I would rephrase this to say: if authentication of the client to the
server happens in a different layer from authentication of the server to
the client, then channel bindings are needed.
If you trust TLS to authenticate the server to the client, then I
believe you can do client-to-server authentication without any form of
channel binding and you're fine.

Yes, mutual authentication at TLS layer + SASL EXTERNAL don't need any
channel bindings.
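The point the thread settles on (client authentication in SASL, server authentication in TLS, and channel bindings tying the two together) can be made concrete with a small model. The following is an added example and not code from anyone in the thread: each TLS session is stood in for by a deterministic "tls-unique" value (the real tls-unique of RFC 5929 is derived from the handshake's first Finished message, which is what makes it unique per session), the SASL mechanism is a simplified SCRAM-like HMAC proof, and the password and nonce are constructed. The `relayed` flag models the situation Justin asks about: the client's TLS session terminates at an intermediary that opens a second TLS session to the real server, which only happens when the client has not verified the server's identity at the TLS layer.

```python
import hashlib
import hmac
from typing import Optional


def new_tls_session(seed: bytes) -> bytes:
    """Deterministic stand-in for a TLS session's tls-unique channel binding.

    Real tls-unique is taken from the handshake transcript, so two different
    TLS sessions never share it; the seed here just names the two endpoints
    of the (constructed) session.
    """
    return hashlib.sha256(b"tls-unique|" + seed).digest()


def client_proof(password: bytes, nonce: bytes,
                 channel_binding: Optional[bytes]) -> bytes:
    """Simplified SCRAM-like proof: an HMAC over the server nonce and, when a
    -PLUS style mechanism is used, the channel binding of the TLS session the
    client itself established."""
    message = nonce + (channel_binding or b"")
    return hmac.new(password, message, hashlib.sha256).digest()


def server_verify(password: bytes, nonce: bytes, proof: bytes,
                  channel_binding: Optional[bytes]) -> bool:
    """The server recomputes the proof using the channel binding of the TLS
    session *it* sees. If that is a different session, the proofs differ."""
    expected = client_proof(password, nonce, channel_binding)
    return hmac.compare_digest(expected, proof)


def run_authentication(use_channel_binding: bool, relayed: bool) -> bool:
    """Return True if the server accepts the client's SASL proof."""
    password = b"correct horse battery staple"   # constructed shared secret
    nonce = b"server-nonce-0001"                 # constructed server nonce

    # The session the client actually negotiated.
    client_session = new_tls_session(b"client<->tls-peer")
    # If the client did not authenticate the server at the TLS layer, its
    # peer may be an intermediary that holds a separate session to the
    # server; the server then sees a different tls-unique value.
    server_session = (new_tls_session(b"intermediary<->server")
                      if relayed else client_session)

    cb_client = client_session if use_channel_binding else None
    cb_server = server_session if use_channel_binding else None

    proof = client_proof(password, nonce, cb_client)
    return server_verify(password, nonce, proof, cb_server)


if __name__ == "__main__":
    for use_cb in (False, True):
        for relayed in (False, True):
            ok = run_authentication(use_cb, relayed)
            print(f"channel binding={use_cb!s:5} relayed={relayed!s:5} "
                  f"-> server accepts: {ok}")
```

Without channel binding the relayed proof verifies, because nothing in the SASL exchange depends on which TLS session carried it; with channel binding the server's recomputation uses its own session's tls-unique and the proof fails. When the client has verified the server's certificate the `relayed=False` branch is the only one that can occur, which is the case Greg describes as not needing channel bindings, and mutual TLS authentication plus SASL EXTERNAL removes the separate-layer split entirely.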