Hi Nico,
I have concerns (expressed in an earlier post to the list) about binding
the authenticators used for the data stream with authenticators used for
TCP. If I've understood the earlier discussion on this thread and the
content of RFC5056, you are suggesting that such bindings should be
supported but not required. Is that correct?
Also, I'm curious about how you would envision this working in the case
of, for example, a TCP optimization proxy where the endpoints of the TCP
connections are not the same as the endpoints of the secure data stream.
Do you think it's possible to design a channel binding solution that
supports an authorized MITM while at the same time mitigating the risk
of an unauthorized MITM without requiring the client-side application
(at least) to know whether an authorized MITM is in use?
Basically what I'm trying to wrap my head around is the question of
whether channel binding might prevent such middleware from functioning
effectively, and also whether adoption of the proposed requirement (if
it is adopted) might imply that the WG sees breaking such middleware as
desirable.
Thoughts?
--Brandon
On 08/05/2014 05:10 PM, Nico Williams wrote:
> On Tue, Aug 05, 2014 at 01:44:19PM -0700, Christian Huitema wrote:
>> Absolutely. By the way, having hooks like the unique session-ID of TCP
>> Crypt is essential. It allows applications to implement a simple MITM
>> detection as part of an end-to-end authentication process. All
>> applications may not implement that, but some will. That creates lots
>> of uncertainty for any MITM attacker, because they now have a clear
>> risk of being detected.
>
> It would be useful if the charter were to mention channel binding. It
> follows from everything else in the charter that channel binding is not
> only not precluded but should be possible for any WG products that
> adhere to the charter. However, it wouldn't hurt to make channel
> binding support a requirement. In particular it would make it easier to
> avoid accidentally designing a "session ID" that is not suitable as a
> channel binding.
>
> Yes, I did not participate in the charter discussions; the absence of CB
> in the charter is my fault to some degree. But adding it would be a
> very minor change with no significant costs to the WG.
>
> Nico
--
Brandon Williams; Senior Principal Software Engineer
Emerging Products Engineering; Akamai Technologies Inc.
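The MITM-detection property Christian Huitema describes above (an application binding its end-to-end authentication to the unique session ID exported by a TCP-layer encryption handshake, in the sense of RFC 5056), shown as an added illustration that is not from the thread and not tcpcrypt's actual algorithm. The session-ID derivation, the application key and the HMAC construction are assumptions chosen for the demonstration. It also shows Brandon's concern: a middlebox that terminates the TCP connection on each side produces two different session IDs, so the binding fails whether the middlebox is authorized or not, unless the application is told about it.

```python
import hashlib
import hmac
import os

# Assumption: a TCP-layer encryption handshake exports a session ID that is a
# function of both endpoints' handshake contributions. This stand-in hashes two
# nonces; a real protocol would derive it from its key exchange.
def tcp_session_id(client_nonce: bytes, server_nonce: bytes) -> bytes:
    return hashlib.sha256(b"tcp-session-id|" + client_nonce + server_nonce).digest()

# Channel binding: the application-layer authenticator covers the session ID,
# so it is only valid for the TCP session the client actually negotiated.
def app_auth_tag(app_key: bytes, session_id: bytes) -> bytes:
    return hmac.new(app_key, b"channel-binding|" + session_id, hashlib.sha256).digest()

def verify(app_key: bytes, session_id: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(app_auth_tag(app_key, session_id), tag)

def direct_connection(app_key: bytes) -> bool:
    """Client and server share one TCP session: both see the same session ID."""
    client_nonce, server_nonce = os.urandom(16), os.urandom(16)
    client_sid = tcp_session_id(client_nonce, server_nonce)
    server_sid = tcp_session_id(client_nonce, server_nonce)
    tag = app_auth_tag(app_key, client_sid)          # sent over the data stream
    return verify(app_key, server_sid, tag)          # server checks against its own view

def split_connection(app_key: bytes) -> bool:
    """A middlebox terminates TCP on both sides (authorized proxy or unauthorized MITM).

    The middlebox does not hold app_key, so it can only forward the tag unchanged;
    the server's session ID differs from the client's and verification fails.
    """
    client_nonce, mb_nonce_a = os.urandom(16), os.urandom(16)   # client <-> middlebox
    mb_nonce_b, server_nonce = os.urandom(16), os.urandom(16)   # middlebox <-> server
    client_sid = tcp_session_id(client_nonce, mb_nonce_a)
    server_sid = tcp_session_id(mb_nonce_b, server_nonce)
    tag = app_auth_tag(app_key, client_sid)
    return verify(app_key, server_sid, tag)

if __name__ == "__main__":
    key = b"constructed-shared-application-key"
    print("direct connection accepted:", direct_connection(key))   # True
    print("split connection accepted: ", split_connection(key))    # False
```

The detection only works because the application authenticator is keyed with material the middlebox lacks; if the application does not bind its authentication to the session ID at all, both cases are indistinguishable to the server, which is the "some applications will, some won't" uncertainty the quoted message relies on.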
_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc