Sam Hartman | 30 Apr 2012 21:36

draft-ietf-emu-chbind and username


Steve Hanna did a secdir review of draft-ietf-emu-chbind.  One of the
issues he raised is a privacy concern with section 8.  He points out
that we recommend using the user-name attribute in channel binding.  The
concern is that if a server checks user-name in i2 against user-name in
i1, then a NAS might be able to get an EAP server to act as an oracle
for privacy protected identities.

That is:

1) Peer identifies to NAS as <at> example.com

2) NAS thinks peer might actually be bob <at> example.com.

3) NAS tries that in user-name.

4) If it's not bob <at> example.com  then channel binding fails.

He suggested documenting this issue.

I'd like to take a step back and ask why you'd ever want to channel-bind
user-name in the first place?  I guess the theory is that your EAP
method supports channel binding but does not have a well-defined concept
of peer ID or support identity protection/transporting method-specific
identity?

My proposal is that we stop recommending channel binding to user-name
rather than documenting the issues associated with doing so.

--Sam
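The oracle Sam describes, as a toy model added here (not code from the draft or from any EAP implementation): the attribute names and values are constructed, and the second policy is simply the comparison set with User-Name left out.

```python
# Toy model of the channel-binding consistency check discussed in the thread.
# Constructed attribute sets; not code from draft-ietf-emu-chbind or any EAP server.
#
# i1: attributes the EAP server received from the NAS over the AAA protocol.
# i2: attributes the peer reports to the EAP server inside the EAP method.
# The NAS only ever sees whether the authentication (and so the binding) succeeded.

ANONYMOUS_NAI = "@example.com"        # all the peer reveals to the NAS (constructed)
TRUE_IDENTITY = "bob@example.com"     # known to peer and EAP server only (constructed)

# Two candidate policies for which attributes the server compares between i1 and i2.
POLICY_WITH_USERNAME = ("NAS-Identifier", "Called-Station-Id", "User-Name")
POLICY_WITHOUT_USERNAME = ("NAS-Identifier", "Called-Station-Id")


def channel_binding_ok(i1, i2, compared):
    """True when every compared attribute present on both sides has the same value."""
    return all(i1[a] == i2[a] for a in compared if a in i1 and a in i2)


def nas_observes(policy, guessed_user_name):
    """Outcome visible to the NAS when it places `guessed_user_name` in i1.

    The peer's i2 carries its real identity, while the NAS was only given the
    anonymous outer NAI; if the outcome depends on the guess, the check leaks.
    """
    i1 = {"NAS-Identifier": "nas1", "Called-Station-Id": "corp-wifi",
          "User-Name": guessed_user_name}
    i2 = {"NAS-Identifier": "nas1", "Called-Station-Id": "corp-wifi",
          "User-Name": TRUE_IDENTITY}
    return channel_binding_ok(i1, i2, policy)


def acts_as_oracle(policy):
    """True if the NAS can distinguish a correct identity guess from a wrong one."""
    right = nas_observes(policy, TRUE_IDENTITY)
    wrong = nas_observes(policy, "alice@example.com")
    return right != wrong


if __name__ == "__main__":
    for name, policy in (("with User-Name", POLICY_WITH_USERNAME),
                         ("without User-Name", POLICY_WITHOUT_USERNAME)):
        print(f"policy {name}: NAS can act as identity oracle = {acts_as_oracle(policy)}")
```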

Alan DeKok | 1 May 2012 12:41

Re: draft-ietf-emu-chbind and username

Sam Hartman wrote:
> I'd like to take a step back and ask why you'd ever want to channel-bind
> user-name in the first place?  I guess the theory is that your EAP
> method supports channel binding but does not have a well-defined concept
> of peer ID or support identity protection/transporting method-specific
> identity?

  I think that situation isn't widely used.

> My proposal is that we stop recommending channel binding to user-name
> rather than documenting the issues associated with doing so.

  I would document why channel binding User-Name is a bad idea.  Or, why
it's useful only in certain limited circumstances.

  Alan DeKok.
Sam Hartman | 1 May 2012 14:24

Re: draft-ietf-emu-chbind and username

I have no problem documenting why we do not do so as an example of privacy in sec cons
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Alan DeKok <aland <at> deployingradius.com> wrote:
Sam Hartman wrote:
> I'd like to take a step back and ask why you'd ever want to channel-bind
> user-name in the first place? I guess the theory is that your EAP
> method supports channel binding but does not have a well-defined concept
> of peer ID or support identity protection/transporting method-specific
> identity?

I think that situation isn't widely used.

> My proposal is that we stop recommending channel binding to user-name
> rather than documenting the issues associated with doing so.

I would document why channel binding User-Name is a bad idea. Or, why
it's useful only in certain limited circumstances.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu <at> ietf.org
https://www.ietf.org/mailman/listinfo/emu
