You currently send JSON messages such as
{
"s2c" : "alk12asdasdASDasda123=="
}
but it would be nice to have one layer extra, making very clear that data originates from HTTP,
{
"http" : {
"s2c" : "alk12asdasdASDasda123=="
}
}
This makes room for extra information to be carried over from the browser. Specifically useful would be the following addition, to enable standardised channel binding:
{
"http" : { ... },
"channel-binding" : [
{ "tls-server-end-point" : "...tls-server-certificate..." }
]
}
Note that an array is used, so it is possible to add new Channel Binding mechanisms. Browsers have no standard for it yet, but the tls-unique mechanism is much stronger than the one shown here, tls-server-end-point, which is often available. The tls-unique mechanism is specific to one TLS session (it incorporates a unique value from the TLS handshake), whereas tls-server-end-point merely distributes the server certificate, so it can only distinguish between servers' certificates. Both forms of Channel Binding add value, however, in making it more difficult to steal a SASL exchange and reuse/abuse it elsewhere; think of rogue clients acting as a proxy to get in.
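As an added illustration of the proposal above (example code, not part of the original post or of the project it addresses), the following Python sketch builds the wrapped JSON message with a tls-server-end-point binding, checks it on the server side, and shows why a rogue proxy relaying the exchange fails the check. The certificate bytes, the function names and the "http"/"channel-binding" field handling are assumptions of this example; the tls-server-end-point computation follows RFC 5929 and the scram_cbind_attribute helper shows how such binding data is folded into a SCRAM "c=" attribute per RFC 5802, which is one SASL mechanism that uses channel binding.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for DER-encoded server certificates. Real code would
# take the certificate bytes from the TLS layer; any two distinct byte strings
# are enough to show the check.
REAL_SERVER_CERT_DER = b"constructed DER of the legitimate server certificate"
ROGUE_PROXY_CERT_DER = b"constructed DER of a rogue proxy's certificate"


def tls_server_end_point(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    """RFC 5929 tls-server-end-point: hash of the server certificate with the
    hash algorithm of its signature; MD5 and SHA-1 are replaced by SHA-256."""
    if sig_hash.lower() in ("md5", "sha1", "sha-1"):
        sig_hash = "sha256"
    return hashlib.new(sig_hash, cert_der).digest()


def build_message(s2c_token: str, peer_cert_der: bytes) -> str:
    """Browser side (hypothetical): wrap the SASL token under "http" and add the
    channel-binding array proposed above, computed from the certificate of the
    TLS peer the browser is actually talking to."""
    cb = base64.b64encode(tls_server_end_point(peer_cert_der)).decode()
    message = {
        "http": {"s2c": s2c_token},
        "channel-binding": [{"tls-server-end-point": cb}],
    }
    return json.dumps(message)


def scram_cbind_attribute(cb_name: str, cb_data: bytes) -> str:
    """RFC 5802 'c=' attribute of a SCRAM-*-PLUS exchange: base64 of the GS2
    header ("p=<cb-name>,,") followed by the raw channel-binding data. The
    client proof covers this attribute, so the binding cannot be swapped out
    without breaking the exchange."""
    gs2_header = f"p={cb_name},,".encode()
    return base64.b64encode(gs2_header + cb_data).decode()


def server_accepts(message_json: str, own_cert_der: bytes) -> bool:
    """Server side (hypothetical): accept only if one of the presented bindings
    matches this server's own end point; compare in constant time."""
    message = json.loads(message_json)
    expected = tls_server_end_point(own_cert_der)
    for entry in message.get("channel-binding", []):
        presented = entry.get("tls-server-end-point")
        if presented is None:
            continue  # some other (future) binding type; not handled here
        if hmac.compare_digest(base64.b64decode(presented), expected):
            return True
    return False


def direct_connection() -> bool:
    """Browser connects straight to the real server: the binding matches."""
    msg = build_message("alk12asdasdASDasda123==", REAL_SERVER_CERT_DER)
    return server_accepts(msg, REAL_SERVER_CERT_DER)


def relayed_through_rogue_proxy() -> bool:
    """Browser is lured to a rogue proxy, which forwards the JSON unchanged to
    the real server. The browser bound the exchange to the proxy's certificate,
    so the real server rejects it."""
    msg = build_message("alk12asdasdASDasda123==", ROGUE_PROXY_CERT_DER)
    return server_accepts(msg, REAL_SERVER_CERT_DER)


if __name__ == "__main__":
    print("direct:", direct_connection())
    print("via rogue proxy:", relayed_through_rogue_proxy())
    print(scram_cbind_attribute("tls-server-end-point",
                                tls_server_end_point(REAL_SERVER_CERT_DER)))
```

The check only has teeth if the binding is also covered by the SASL mechanism's own proof (as the SCRAM "c=" attribute is); carrying it as a separate JSON field lets the server verify it, but an attacker who controls the JSON could otherwise rewrite the field. With tls-unique the same structure applies, with the handshake-derived value in place of the certificate hash.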