[Security] channel bindings
dave at cridland.net
Thu Feb 12 06:38:20 CST 2009
On Wed Feb 11 15:06:44 2009, Eric Rescorla wrote:
> It's worth observing that if you're really going to standardize on
> news password
> based mechanism, it would be more efficient to simply use TLS-PSK or
> TLS-SRP. The
> rationale for channel bindings is to retain some existing
> application level auth
I suspect that disagreeing with Ekr isn't going to be good for my
I'm not sure SRP or PSK makes as much sense to us, from a
deployment/marketing perspective mostly, although with some weak
technical arguments too.
The idea is that the channel binding is actually used one-time to
verify self-signed certificates, which are subsequently used as-is
for authentication. Essentially, we're slightly repurposing the
techology - it's about getting the same outcome as when a SASL
mechanism does it on a TLS-protected C2S link, still, but in a
So you'd use the channel binding process typically once per pair of
endpoints, whereas the self-signed certificates would be used many
times - indeed, I'm thinking that the XMPP basis for secure identity
becomes those X.509 certificates.
So it's not so much to retain the existing application level
infrastructure, but to provide a common authentication infrastructure
between many cases, proven by channel binding.
It was my impression that although we could achieve something similar
using SRP or PSK:
a) The perceived risk of IPR is such that SRP in particular appears
to have reduced deployment, and I have concerns that it'd impact
b) It's done inline in the data flow, meaning that traditional data
flows need to cease during it.
c) We hope to use SCRAM as a C2S authentication mechanism in SASL
anyway, so we're expecting support to become commonplace.
d) I'm frankly not sure I've grasped how the SRP/PSK-to-X.509 dance
works, and at the risk of sounding really arrogant, I'm worried that
might mean few people within the XMPP community grasp it either.
Is there anything I'm missing that rules out using a channel binding
method for proving the endpoints own a particular certificate?
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
More information about the Security