[Security] channel bindings

Winfried Tilanus winfried at tilanus.com
Wed Feb 11 04:32:13 CST 2009

On 02/10/2009 11:52 PM, Kurt Zeilenga wrote:


> Here is a really brief explanation of what channel bindings are
> about.

Thank you Kurt for this correction of my wrong assumptions. I am still
trying to understand what it really does, so I will keep asking dumb
questions and will keep making comments that need correction. I hope you
(and the others) don't mind.

> The IETF is developing mechanisms such as SASL/SCRAM that provide
> channel binding support.  When used, the client can confirm that the
> SCRAM end-point and the TLS end-point it's talking to are in fact the
> same end-point.  Likewise, the server can confirm the SCRAM and TLS
> end-points it's talking to are in fact the same.

Can somebody please be a bit more specific on what avenues of attack are
closed by knowing that the SCRAM and the TLS end-points are the same? My
common sense says that at best you might know they are both connected to
the same MITM.

Or to state my question in another way: what openings does channel
binding provide for XMPP? Does it enable server authentication without
server certificates? Does it enable us to do e2e security without the
hassle of certificates or exchanging secrets? Or does it enable e2e
security when only one of the endpoints has a certificate?

thanks for helping me in understanding this thing,

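The following is an added illustration of the mechanism Kurt describes above; it is not code from this thread or from any XMPP project. It simulates a SCRAM-SHA-256-PLUS exchange (RFC 5802 key schedule, RFC 7677 hash) with the `tls-unique` channel binding. All credentials, nonces and binding values are constructed; in a real client the binding data comes from the TLS stack (for example `ssl.SSLSocket.get_channel_binding("tls-unique")` in Python) and is the first Finished message of that TLS session. The three scenario functions show what the binding buys a defender: one TLS session end to end authenticates both ways, while a relay across two TLS sessions is rejected because the value the client signed into `c=` is not the value the server's own TLS session produced, and rewriting `c=` does not help because the client proof covers it.

```python
import base64
import hashlib
import hmac

# Constructed credentials and nonces; nothing here comes from the thread.
USERNAME = b"alice"
PASSWORD = b"correct horse battery staple"
SALT = b"constructed-salt"
ITERATIONS = 4096
GS2_HEADER = b"p=tls-unique,,"  # client asks to bind SCRAM to the TLS channel
CLIENT_NONCE = b"fyko+d2lbbFgONRv9qkxdawL"
BARE = b"n=" + USERNAME + b",r=" + CLIENT_NONCE  # client-first-message-bare
SERVER_FIRST = (b"r=" + CLIENT_NONCE + b"3rfcNHYJY1ZVvWVs7j,s="
                + base64.b64encode(SALT) + b",i=4096")

# Constructed stand-ins for tls-unique (really the first Finished message of a
# TLS session, e.g. ssl.SSLSocket.get_channel_binding("tls-unique")).
CB_DIRECT = b"finished:client<->server"
CB_CLIENT_SIDE = b"finished:client<->interceptor"
CB_SERVER_SIDE = b"finished:interceptor<->server"


def hmac256(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keys():
    """RFC 5802 key schedule; the server stores only StoredKey and ServerKey."""
    salted = hashlib.pbkdf2_hmac("sha256", PASSWORD, SALT, ITERATIONS)
    client_key = hmac256(salted, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    return client_key, stored_key, hmac256(salted, b"Server Key")


def auth_message(bare, server_first, client_final):
    """AuthMessage = client-first-bare , server-first , client-final-without-proof."""
    without_proof = client_final.rsplit(b",p=", 1)[0]
    return bare + b"," + server_first + b"," + without_proof


def attrs(message):
    return dict(kv.split(b"=", 1) for kv in message.split(b","))


def client_final_message(bare, server_first, cb_data):
    """Client binds to the TLS channel *it* sees; the proof covers that c= value."""
    client_key, stored_key, _ = derive_keys()
    without_proof = (b"c=" + base64.b64encode(GS2_HEADER + cb_data)
                     + b",r=" + attrs(server_first)[b"r"])
    proof = xor(client_key, hmac256(stored_key, auth_message(bare, server_first, without_proof)))
    return without_proof + b",p=" + base64.b64encode(proof)


def server_verify(bare, server_first, client_final, cb_data):
    """Server checks c= against the TLS channel *it* sees, then the client proof."""
    _, stored_key, server_key = derive_keys()
    a = attrs(client_final)
    if base64.b64decode(a[b"c"]) != GS2_HEADER + cb_data:
        return False, "channel binding mismatch", None
    msg = auth_message(bare, server_first, client_final)
    client_key = xor(base64.b64decode(a[b"p"]), hmac256(stored_key, msg))
    if not hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key):
        return False, "client proof mismatch", None
    return True, "ok", b"v=" + base64.b64encode(hmac256(server_key, msg))


def client_verify_server(bare, server_first, client_final, server_final):
    """Client checks that the server proved ServerKey over the same AuthMessage."""
    _, _, server_key = derive_keys()
    expected = b"v=" + base64.b64encode(
        hmac256(server_key, auth_message(bare, server_first, client_final)))
    return hmac.compare_digest(expected, server_final)


def direct_connection():
    """One TLS session: both ends see the same binding data, both sides verify."""
    msg = client_final_message(BARE, SERVER_FIRST, CB_DIRECT)
    ok, reason, server_final = server_verify(BARE, SERVER_FIRST, msg, CB_DIRECT)
    return ok, reason, ok and client_verify_server(BARE, SERVER_FIRST, msg, server_final)


def relayed_through_interceptor():
    """Two TLS sessions: the binding the client signed is not the one the server sees."""
    msg = client_final_message(BARE, SERVER_FIRST, CB_CLIENT_SIDE)
    return server_verify(BARE, SERVER_FIRST, msg, CB_SERVER_SIDE)


def relayed_with_patched_binding():
    """Rewriting c= to the server-side value passes the binding check but breaks the
    proof, which was computed over the original c= with keys the relay lacks."""
    msg = client_final_message(BARE, SERVER_FIRST, CB_CLIENT_SIDE)
    rest = msg.split(b",", 1)[1]
    patched = b"c=" + base64.b64encode(GS2_HEADER + CB_SERVER_SIDE) + b"," + rest
    return server_verify(BARE, SERVER_FIRST, patched, CB_SERVER_SIDE)


if __name__ == "__main__":
    print("direct:", direct_connection())
    print("relayed:", relayed_through_interceptor())
    print("relayed, c= patched:", relayed_with_patched_binding())
```

What this does not do is answer the certificate questions by itself: the binding only proves the SCRAM peer and the TLS peer are the same entity. If the client never checked which entity it reached at the TLS layer, both checks can still pass against the same interceptor, which is exactly the worry in the post above; the binding adds value precisely when the TLS end-point is verified (by certificate, pinning or a similar means) and the password proof is then tied to that verified channel.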

