
Re: Last Call: draft-williams-on-channel-binding (On the Use of Channel Bindings to Secure Channels) to Proposed Standard

2007-04-11 11:50:01
I think this is a significant I-D which could, in a few years, be the way in
which security is done in the Internet.

But I also think it understates its achievements in the Abstract and that it may
be inaccessible to those who would use it, those who are not also security
experts.

The Abstract refers to an approach 'which has various performance benefits'.
Rather, I think that it solves a - the? - problem of Internet security, that
encryption is easy and authentication is difficult and the mantra of security is
that sound authentication must come first.  This approach offers a way out of
that impasse.

But it is not clear that this is the case.  I think that to get the benefits of
this idea the I-D should have a non-normative section showing how it can be
applied to some well understood application, using a well-understood lower
secure layer (ie TLS or SSH, not IPsec) showing the outline protocol flow and
infrastructure dependencies.

Otherwise those who would benefit from it - isms, netconf, syslog, ... ? - will
not understand what they might do.  I appreciate that something of this ilk has
been around for a while (eg as when Ira McDonald pointed the isms list at
draft-puthenkulam-eap-binding-04.txt) but I think that it got no traction
because of its impenetrability.

Tom Petch
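The point made above, that authentication can be tied to an already-established secure channel, in an added example that is not from the I-D or this thread. It assumes a shared-key authentication and an abstract per-channel unique value standing in for a real binding such as a TLS Finished message; both are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a channel binding: each secure channel (for example a
# TLS or SSH session) is assumed to expose a value unique to that channel.
def new_channel_unique() -> bytes:
    return os.urandom(32)

def client_proof(shared_key: bytes, channel_unique: bytes) -> bytes:
    # The application-layer authentication MACs the channel's unique value, so the
    # proof is only valid over the channel the client actually set up.
    return hmac.new(shared_key, b"client-auth|" + channel_unique, hashlib.sha256).digest()

def server_verify(shared_key: bytes, channel_unique: bytes, proof: bytes) -> bool:
    # The server recomputes the proof over *its own* view of the channel.
    expected = client_proof(shared_key, channel_unique)
    return hmac.compare_digest(expected, proof)

def run_session(shared_key: bytes, relayed: bool, bind: bool) -> bool:
    """Return True if the server accepts the client's authentication.

    relayed=True models an intermediary that terminates the client's secure
    channel, opens a separate one to the server, and forwards the proof unchanged.
    bind=False models an authentication that ignores the channel entirely.
    """
    client_side = new_channel_unique()
    server_side = new_channel_unique() if relayed else client_side
    if not bind:
        client_side = server_side = b""  # nothing channel-specific is signed
    proof = client_proof(shared_key, client_side)
    return server_verify(shared_key, server_side, proof)

if __name__ == "__main__":
    key = os.urandom(16)  # constructed shared secret
    print("direct, bound:   ", run_session(key, relayed=False, bind=True))
    print("relayed, unbound:", run_session(key, relayed=True, bind=False))
    print("relayed, bound:  ", run_session(key, relayed=True, bind=True))
```

With binding, the relayed proof fails because the server's channel has a different unique value than the one the client signed; without binding the relay is indistinguishable from a direct session.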

----- Original Message -----
From: "The IESG" <iesg-secretary(_at_)ietf(_dot_)org>
To: "IETF-Announce" <ietf-announce(_at_)ietf(_dot_)org>
Sent: Wednesday, March 14, 2007 4:44 PM
Subject: Last Call: draft-williams-on-channel-binding (On the Use of Channel
Bindings to Secure Channels) to Proposed Standard


The IESG has received a request from an individual submitter to consider
the following document:

- 'On the Use of Channel Bindings to Secure Channels'
  <draft-williams-on-channel-binding-01.txt> as a Proposed Standard

  The introduction of this draft implies that the facility being
  discussed applies only to GSS-API.  That is not the case and the rest
  of the draft is clear on this point; this draft proposes to generalize
  and clarify a facility that exists today in GSS-API both for GSS-API
  use and for other authentication frameworks.

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action.  Please send substantive comments to the
ietf(_at_)ietf(_dot_)org mailing lists by 2007-04-11. Exceptionally,
comments may be sent to iesg(_at_)ietf(_dot_)org instead. In either case,
please retain the beginning of the Subject line to allow automated sorting.

The file can be obtained via
http://www.ietf.org/internet-drafts/draft-williams-on-channel-binding-01.txt


IESG discussion can be tracked via

https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=15078&rfc_flag=0

