Hi Watson, Exporters are a form of channel binding (in the protocol theory sense, not in the RFC 5056 sense). Two protocols that use the defined binding on a single TLS connection will derive the same Exporter. This is clearly intended to be generic, the input string is "EXPORTER-Channel-Binding" not something specific to a single protocol, so presumably more than one thing will use it.
Ideally this wouldn't be defined and anything that would have used this would just use the Exporter interface directly because, as you say, using the Exporter interface with different context strings will yield different values. However, if this "Channel binding" exporter is defined as described, and is used by more than one thing, as the name suggests, then it will have all the same issues as those found by Karthik. Yes, other things that use the Exporter interface will be unaffected, but if two things use this binding then they could be vulnerable. Regards, Jonathan On Thu, 11 Mar 2021 at 21:56, Watson Ladd <watsonbl...@gmail.com> wrote: > On Wed, Mar 10, 2021 at 3:57 PM Jonathan Hoyland > <jonathan.hoyl...@gmail.com> wrote: > > > > IIUC a channel binding (in this context) provides a unique "name" for a > channel. > > In the case where two distinct protocols running over the top of TLS use > this definition, they will both get the same channel binding. > > This draft is using exporter instead since channel bindings died an > ignominious death at the hands of Karthikeyan Bhargavan and his > students. Because it uses exporters and registers a use in the > registry, the other exporter values will be distinct. > > Exporters are stronger, so I think this is less relevant. > > Sincerely, > Watson Ladd > -- > Astra mortemque praestare gradatim >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
