RFC 5056 Published
I wrote about the challenge of securing high-performance connections in NFS. One of the technologies that will be important to making that work is channel binding. You perform some application-layer authentication and then bind it to a high-performance cryptographic channel at a lower layer. The framework document describing how channel binding works has been published.
The document describes channel binding as a concept and gives requirements for how to use lower-level cryptographic channels such as IPsec. The document doesn’t define specific details of any given channel but does outline what would need to be done. Work is ongoing in the BTNS working group of the IETF to specify this for IPsec.
The document goes on to discuss how applications can use these channels. The SASL working group has defined a GSS-API binding that supports channel binding. That has been a good validation of the design.
We will also work on using this in NFS, which should continue to validate the approach.
I’m very excited at the progress we’ve made with this concept.
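The idea in this post, application-layer authentication bound to a lower-layer cryptographic channel, can be shown with a small simulation. It is an added example, not code from RFC 5056 or from the author. The HMAC proof, the function names and the hash-of-transcript bindings are assumptions of this sketch rather than any real mechanism.

```python
import hashlib
import hmac
import os

def channel_bindings(transcript: bytes) -> bytes:
    """Assumed stand-in for a channel's unique bindings: a digest of the
    key-exchange transcript of the lower-layer channel this endpoint sees."""
    return hashlib.sha256(b"constructed-channel:" + transcript).digest()

def client_proof(key: bytes, nonce: bytes, bindings: bytes) -> bytes:
    # Application-layer proof covers the server nonce AND the channel bindings.
    return hmac.new(key, nonce + bindings, hashlib.sha256).digest()

def server_verify(key: bytes, nonce: bytes, proof: bytes, bindings: bytes) -> bool:
    # The server recomputes the proof over the bindings of ITS OWN channel view.
    expected = hmac.new(key, nonce + bindings, hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)

def authenticate(same_channel: bool, use_binding: bool) -> bool:
    """Simulate one login; returns True if the server accepts.

    same_channel=False models an intermediary that terminates one channel
    with the client and a different one with the server, relaying the
    application-layer messages unchanged between them.
    """
    key = b"constructed-shared-secret"      # constructed sample credential
    nonce = os.urandom(16)                  # fixed-length server challenge
    client_view = os.urandom(32)            # constructed transcript, client side
    server_view = client_view if same_channel else os.urandom(32)
    cb_client = channel_bindings(client_view) if use_binding else b""
    cb_server = channel_bindings(server_view) if use_binding else b""
    proof = client_proof(key, nonce, cb_client)
    return server_verify(key, nonce, proof, cb_server)

if __name__ == "__main__":
    for same in (True, False):
        for bind in (False, True):
            print(f"same_channel={same} use_binding={bind} "
                  f"accepted={authenticate(same, bind)}")
```

With binding enabled, the server rejects the login whenever its channel is not the one the client authenticated over. Without binding, the relayed proof is accepted either way.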
December 12th, 2007 at 11:49 am
[...] SASL working group is focusing on a new password mechanism designed to provide authentication and channel binding. We ran into two challenges. The first is that channel binding data may sometimes require [...]