On Tuesday 11 December 2007 9:15 am, Greg Hudson wrote:
> On Mon, 2007-12-10 at 10:20 -0800, Justin Karneges wrote:
> > I don't understand this talk about the SASL negotiation being attacked by
> > a MITM when it is taking place over TLS.  There is brief mention of Bob
> > possibly not having a certificate or Alice not trusting Bob's CA.  Does
> > this mean the channel binding problem only affects
> > anonymous/unauthenticated TLS?
>
> It strengthens your security properties in cases where you trust your
> SASL authentication mechanism more than you trust the TLS authentication
> mechanism.

In that case, is it even relevant that TLS is used?  If you trust SASL more 
than your underlying transport layer, then you negotiate your SASL security 
layer and be done with it.

Is the idea that you should be able to bind to an underlying privacy layer if 
it is stronger than what SASL can provide?

> If you trust TLS to authenticate the server to the client, then I
> believe you can do client-to-server authentication without any form of
> channel binding and you're fine.

This makes sense to me.

-Justin
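As an added illustration that is not part of the thread: a toy model of why channel binding matters in the case Greg describes, where the client does not trust TLS to authenticate the server (for example it accepted an unverified certificate) but does trust the SASL mechanism. The binding value is a constructed stand-in for a TLS channel binding such as tls-unique (a hash of the handshake transcript), and the proof is a simplified HMAC, not a real SASL mechanism.

```python
import hashlib
import hmac
import os


def tls_session_binding(handshake_transcript: bytes) -> bytes:
    """Stand-in for a TLS channel binding (e.g. tls-unique): derived from the
    handshake, so every TLS connection yields a different value."""
    return hashlib.sha256(handshake_transcript).digest()


def sasl_client_proof(password: bytes, nonce: bytes, binding: bytes) -> bytes:
    """Toy client proof: keyed by the shared secret, covering the server nonce
    and the channel binding of the TLS connection the client is speaking over."""
    return hmac.new(password, nonce + binding, hashlib.sha256).digest()


def sasl_server_verify(password: bytes, nonce: bytes, binding: bytes, proof: bytes) -> bool:
    """The server recomputes the proof with the binding of *its own* TLS connection."""
    return hmac.compare_digest(sasl_client_proof(password, nonce, binding), proof)


def direct_connection(password: bytes) -> bool:
    """Client and server share one TLS connection: both see the same binding."""
    binding = tls_session_binding(os.urandom(32))  # constructed handshake transcript
    nonce = os.urandom(16)
    proof = sasl_client_proof(password, nonce, binding)
    return sasl_server_verify(password, nonce, binding, proof)


def relayed_through_mitm(password: bytes, with_binding: bool) -> bool:
    """Client talks TLS to a relay it did not authenticate; the relay opens its own
    TLS connection to the server and forwards the SASL messages unchanged.
    The two TLS connections have different bindings, so a bound proof fails."""
    client_side = tls_session_binding(os.urandom(32)) if with_binding else b""
    server_side = tls_session_binding(os.urandom(32)) if with_binding else b""
    nonce = os.urandom(16)  # the relay forwards the server's nonce verbatim
    proof = sasl_client_proof(password, nonce, client_side)
    return sasl_server_verify(password, nonce, server_side, proof)


if __name__ == "__main__":
    pw = b"constructed-shared-secret"
    print("direct:", direct_connection(pw))                     # True
    print("relayed, no binding:", relayed_through_mitm(pw, False))  # True: relay goes unnoticed
    print("relayed, bound:", relayed_through_mitm(pw, True))       # False: server rejects
```

With TLS server authentication that the client actually trusts, the relay cannot complete the client-side handshake in the first place, which is the case Greg says needs no binding.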
