[Security] channel bindings

Dave Cridland dave at cridland.net
Thu Feb 12 06:38:20 CST 2009

On Wed Feb 11 15:06:44 2009, Eric Rescorla wrote:
> It's worth observing that if you're really going to standardize on one
> new password based mechanism, it would be more efficient to simply use
> TLS-PSK or TLS-SRP. The rationale for channel bindings is to retain some
> existing application level auth infrastructure.

I suspect that disagreeing with Ekr isn't going to be good for my  
health, but...

I'm not sure SRP or PSK makes as much sense to us, from a  
deployment/marketing perspective mostly, although with some weak  
technical arguments too.

The idea is that the channel binding is actually used one-time to  
verify self-signed certificates, which are subsequently used as-is  
for authentication. Essentially, we're slightly repurposing the  
technology - it's about getting the same outcome as when a SASL  
mechanism does it on a TLS-protected C2S link, still, but in a  
different sense.

So you'd use the channel binding process typically once per pair of  
endpoints, whereas the self-signed certificates would be used many  
times - indeed, I'm thinking that the XMPP basis for secure identity  
becomes those X.509 certificates.

So it's not so much to retain the existing application level  
infrastructure, but to provide a common authentication infrastructure  
between many cases, proven by channel binding.

It was my impression that although we could achieve something similar  
using SRP or PSK:

a) The perceived risk of IPR is such that SRP in particular appears  
to have reduced deployment, and I have concerns that it'd impact  

b) It's done inline in the data flow, meaning that traditional data  
flows need to cease during it.

c) We hope to use SCRAM as a C2S authentication mechanism in SASL  
anyway, so we're expecting support to become commonplace.

d) I'm frankly not sure I've grasped how the SRP/PSK-to-X.509 dance  
works, and at the risk of sounding really arrogant, I'm worried that  
might mean few people within the XMPP community grasp it either.

Is there anything I'm missing that rules out using a channel binding  
method for proving the endpoints own a particular certificate?

Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
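
An added example, not part of the original post and not taken from any XMPP or SASL specification: a simplified sketch of the one-time check the message describes, where a password-keyed proof covers the certificates each side saw on the TLS channel and the verified certificate is then pinned for later connections. The bare HMAC stands in for a SASL mechanism such as SCRAM, and the names `Endpoint`, `proof`, `fingerprint` and `run_demo`, the SHA-256 binding data and the certificate byte strings are all assumptions made for illustration.

```python
import hashlib, hmac, os

def fingerprint(cert_der: bytes) -> bytes:
    # Binding data: SHA-256 over the certificate bytes (assumed choice).
    return hashlib.sha256(cert_der).digest()

def proof(password: bytes, salt: bytes, nonce: bytes,
          prover_cert: bytes, verifier_cert: bytes) -> bytes:
    # Password-keyed MAC over both certificates seen on this TLS channel.
    key = hashlib.pbkdf2_hmac("sha256", password, salt, 4096)
    msg = nonce + fingerprint(prover_cert) + fingerprint(verifier_cert)
    return hmac.new(key, msg, hashlib.sha256).digest()

class Endpoint:
    def __init__(self, cert_der: bytes, password: bytes):
        self.cert, self.password = cert_der, password
        self.pins = {}  # peer name -> fingerprint pinned after the one-time check

    def prove(self, salt, nonce, seen_peer_cert):
        return proof(self.password, salt, nonce, self.cert, seen_peer_cert)

    def verify_and_pin(self, peer, peer_proof, salt, nonce, seen_peer_cert):
        expected = proof(self.password, salt, nonce, seen_peer_cert, self.cert)
        if not hmac.compare_digest(expected, peer_proof):
            return False  # wrong password, or the two sides saw different certs
        self.pins[peer] = fingerprint(seen_peer_cert)
        return True

    def pinned_ok(self, peer, presented_cert):
        # Later connections: no password exchange, only the pinned certificate.
        pin = self.pins.get(peer)
        return pin is not None and hmac.compare_digest(pin, fingerprint(presented_cert))

def run_demo():
    # Constructed stand-ins for DER-encoded self-signed certificates.
    cert_a, cert_b, cert_m = b"CERT-A", b"CERT-B", b"CERT-MITM"
    salt, nonce = os.urandom(16), os.urandom(16)
    a, b = Endpoint(cert_a, b"shared secret"), Endpoint(cert_b, b"shared secret")
    # Interception: each side sees the interceptor's cert, so b rejects a's proof.
    intercepted = b.verify_and_pin("a", a.prove(salt, nonce, cert_m), salt, nonce, cert_m)
    # Direct channel: both sides see the real certificates and b pins a's.
    direct = b.verify_and_pin("a", a.prove(salt, nonce, cert_b), salt, nonce, cert_a)
    return {"intercepted": intercepted, "direct": direct,
            "reuse": b.pinned_ok("a", cert_a), "swapped": b.pinned_ok("a", cert_m)}
```

The password is needed only for the first contact between a pair of endpoints; `pinned_ok` is the check that runs on every later connection.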
