Alexey Melnikov wrote:
> Greg Hudson wrote:
>> On Mon, 2007-12-10 at 10:20 -0800, Justin Karneges wrote:
>>> I don't understand this talk about the SASL negotiation being
>>> attacked by a MITM when it is taking place over TLS. There is brief
>>> mention of Bob possibly not having a certificate or Alice not
>>> trusting Bob's CA. Does this mean the channel binding problem only
>>> affects anonymous/unauthenticated TLS?
>>
>> It strengthens your security properties in cases where you trust your
>> SASL authentication mechanism more than you trust the TLS authentication
>> mechanism.
>
> I would rephrase this to say: if authentication of the client to the
> server happens in a different layer from authentication of the server to
> the client, then channel bindings are needed.
>
>> If you trust TLS to authenticate the server to the client, then I
>> believe you can do client-to-server authentication without any form of
>> channel binding and you're fine.
>
> Yes, mutual authentication at TLS layer + SASL EXTERNAL don't need any
> channel bindings.
This is an interesting discussion, but I'm wondering what changes we need to make (if any) in rfc3920bis to handle this.

Peter

--
Peter Saint-Andre
https://stpeter.im/