[jira] [Created] (KAFKA-15855) RFC 9266: Channel Bindings for TLS 1.3 support | SCRAM-SHA-*-PLUS variants

Sun, 19 Nov 2023 09:33:28 -0800 

Neustradamus created KAFKA-15855:
------------------------------------

             Summary: RFC 9266: Channel Bindings for TLS 1.3 support | 
SCRAM-SHA-*-PLUS variants
                 Key: KAFKA-15855
                 URL: https://issues.apache.org/jira/browse/KAFKA-15855
             Project: Kafka
          Issue Type: Bug
          Components: connect, core, security
            Reporter: Neustradamus


Dear Apache, and Kafka teams,

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?
- [https://datatracker.ietf.org/doc/html/rfc9266]

Little details, to know easily:
- tls-unique for TLS =< 1.2
- tls-server-end-point
- tls-exporter for TLS = 1.3

It is needed for SCRAM-SHA-*-PLUS variants.
Note: Some SCRAM-SHA are already supported.

I think that you have seen the jabber.ru MITM and Channel Binding is the 
solution:
- [https://notes.valdikss.org.ru/jabber.ru-mitm/]
- [https://snikket.org/blog/on-the-jabber-ru-mitm/]
- [https://www.devever.net/~hl/xmpp-incident]
- [https://blog.jmp.chat/b/certwatch]

IETF links:

SCRAM-SHA-1(-PLUS):
- RFC5802: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and 
GSS-API Mechanisms: [https://tools.ietf.org/html/rfc5802] // July 2010
- RFC6120: Extensible Messaging and Presence Protocol (XMPP): Core: 
[https://tools.ietf.org/html/rfc6120] // March 2011

SCRAM-SHA-256(-PLUS):
- RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and 
Security Layer (SASL) Mechanisms: [https://tools.ietf.org/html/rfc7677] // 
2015-11-02
- RFC8600: Using Extensible Messaging and Presence Protocol (XMPP) for Security 
Information Exchange: [https://tools.ietf.org/html/rfc8600] // 2019-06-21: 
[https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA]

SCRAM-SHA-512(-PLUS):
- [https://tools.ietf.org/html/draft-melnikov-scram-sha-512]

SCRAM-SHA3-512(-PLUS):
- [https://tools.ietf.org/html/draft-melnikov-scram-sha3-512]

SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and 
GSS-API Mechanisms:
- [https://tools.ietf.org/html/draft-melnikov-scram-bis]

-PLUS variants:
- RFC5056: On the Use of Channel Bindings to Secure Channels: 
[https://tools.ietf.org/html/rfc5056] // November 2007
- RFC5929: Channel Bindings for TLS: [https://tools.ietf.org/html/rfc5929] // 
July 2010
- Channel-Binding Types: 
[https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml]
- RFC9266: Channel Bindings for TLS 1.3: [https://tools.ietf.org/html/rfc9266] 
// July 2022

IMAP:
- RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: 
[https://tools.ietf.org/html/rfc9051] // August 2021

LDAP:
- RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing 
Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: 
[https://tools.ietf.org/html/rfc5803] // July 2010

HTTP:
- RFC7804: Salted Challenge Response HTTP Authentication Mechanism: 
[https://tools.ietf.org/html/rfc7804] // March 2016

JMAP:
- RFC8621: The JSON Meta Application Protocol (JMAP) for Mail: 
[https://tools.ietf.org/html/rfc8621] // August 2019

2FA:
- Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: 
[https://tools.ietf.org/html/draft-ietf-kitten-scram-2fa]

Thanks in advance.

Linked to:
- [https://github.com/scram-sasl/info/issues/1]

Note: This ticket can be for other Apache projects too.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to