[ https://issues.apache.org/jira/browse/KAFKA-15855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Greg Harris updated KAFKA-15855:
--------------------------------
    Component/s: KafkaConnect
                     (was: connect)

> RFC 9266: Channel Bindings for TLS 1.3 support | SCRAM-SHA-*-PLUS variants
> --------------------------------------------------------------------------
>
>                 Key: KAFKA-15855
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15855
>             Project: Kafka
>          Issue Type: Bug
>          Components: core, KafkaConnect, security
>            Reporter: Neustradamus
>            Priority: Critical
>              Labels: security
>
> Dear Apache, and Kafka teams,
> Can you add support for RFC 9266: Channel Bindings for TLS 1.3?
> - [https://datatracker.ietf.org/doc/html/rfc9266]
> Little details, to know easily:
> - tls-unique for TLS <= 1.2
> - tls-server-end-point
> - tls-exporter for TLS = 1.3
> It is needed for SCRAM-SHA-*-PLUS variants.
> Note: Some SCRAM-SHA are already supported.
> I think that you have seen the jabber.ru MITM and Channel Binding is the 
> solution:
> - [https://notes.valdikss.org.ru/jabber.ru-mitm/]
> - [https://snikket.org/blog/on-the-jabber-ru-mitm/]
> - [https://www.devever.net/~hl/xmpp-incident]
> - [https://blog.jmp.chat/b/certwatch]
> IETF links:
> SCRAM-SHA-1(-PLUS):
> - RFC5802: Salted Challenge Response Authentication Mechanism (SCRAM) SASL 
> and GSS-API Mechanisms: [https://tools.ietf.org/html/rfc5802] // July 2010
> - RFC6120: Extensible Messaging and Presence Protocol (XMPP): Core: 
> [https://tools.ietf.org/html/rfc6120] // March 2011
> SCRAM-SHA-256(-PLUS):
> - RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and 
> Security Layer (SASL) Mechanisms: [https://tools.ietf.org/html/rfc7677] // 
> 2015-11-02
> - RFC8600: Using Extensible Messaging and Presence Protocol (XMPP) for 
> Security Information Exchange: [https://tools.ietf.org/html/rfc8600] // 
> 2019-06-21: 
> [https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA]
> SCRAM-SHA-512(-PLUS):
> - [https://tools.ietf.org/html/draft-melnikov-scram-sha-512]
> SCRAM-SHA3-512(-PLUS):
> - [https://tools.ietf.org/html/draft-melnikov-scram-sha3-512]
> SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL 
> and GSS-API Mechanisms:
> - [https://tools.ietf.org/html/draft-melnikov-scram-bis]
> -PLUS variants:
> - RFC5056: On the Use of Channel Bindings to Secure Channels: 
> [https://tools.ietf.org/html/rfc5056] // November 2007
> - RFC5929: Channel Bindings for TLS: [https://tools.ietf.org/html/rfc5929] // 
> July 2010
> - Channel-Binding Types: 
> [https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml]
> - RFC9266: Channel Bindings for TLS 1.3: 
> [https://tools.ietf.org/html/rfc9266] // July 2022
> IMAP:
> - RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: 
> [https://tools.ietf.org/html/rfc9051] // August 2021
> LDAP:
> - RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing 
> Salted Challenge Response Authentication Mechanism (SCRAM) Secrets: 
> [https://tools.ietf.org/html/rfc5803] // July 2010
> HTTP:
> - RFC7804: Salted Challenge Response HTTP Authentication Mechanism: 
> [https://tools.ietf.org/html/rfc7804] // March 2016
> JMAP:
> - RFC8621: The JSON Meta Application Protocol (JMAP) for Mail: 
> [https://tools.ietf.org/html/rfc8621] // August 2019
> 2FA:
> - Extensions to Salted Challenge Response (SCRAM) for 2 factor 
> authentication: [https://tools.ietf.org/html/draft-ietf-kitten-scram-2fa]
> Thanks in advance.
> Linked to:
> - [https://github.com/scram-sasl/info/issues/1]
> Note: This ticket can be for other Apache projects too.
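The ticket above lists the three channel-binding types and asks for the SCRAM-SHA-*-PLUS variants that carry them. The following Python (standard library only) is an added illustration and is not code from the ticket, from Kafka, or from any of the linked projects. It derives the RFC 9266 "tls-exporter" value from a TLS 1.3 exporter master secret using the RFC 8446 section 7.5 exporter construction, computes the RFC 5929 "tls-server-end-point" hash of a server certificate, builds the RFC 5802 gs2-header and "c=" attribute of the SCRAM client-final-message, and shows the server-side comparison that makes a relayed TLS session fail. The exporter master secrets and the certificate bytes are constructed placeholders; in a real deployment the secret comes from the TLS stack's key-exporter interface and the certificate hash name from the certificate's signatureAlgorithm.

```python
"""Channel-binding helpers for SCRAM-*-PLUS (added example, standard library only)."""
import base64
import hashlib
import hmac
import struct
from typing import Optional


def _hkdf_expand(hash_name: str, prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand built on HMAC-<hash_name>."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        out += block
        counter += 1
    return out[:length]


def _hkdf_expand_label(hash_name: str, secret: bytes, label: bytes,
                       context: bytes, length: int) -> bytes:
    """RFC 8446 section 7.1 HKDF-Expand-Label with the "tls13 " label prefix."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return _hkdf_expand(hash_name, secret, hkdf_label, length)


def tls_exporter_channel_binding(exporter_master_secret: bytes,
                                 hash_name: str = "sha256") -> bytes:
    """RFC 9266 tls-exporter: TLS 1.3 exporter with label
    "EXPORTER-Channel-Binding", empty context and 32 bytes of output."""
    empty_hash = hashlib.new(hash_name, b"").digest()
    # Derive-Secret(Secret, label, "") = HKDF-Expand-Label(Secret, label, Hash(""), Hash.length)
    derived = _hkdf_expand_label(hash_name, exporter_master_secret,
                                 b"EXPORTER-Channel-Binding", empty_hash, len(empty_hash))
    # TLS-Exporter(...) = HKDF-Expand-Label(derived, "exporter", Hash(context_value), 32)
    return _hkdf_expand_label(hash_name, derived, b"exporter", empty_hash, 32)


def tls_server_end_point(cert_der: bytes, cert_signature_hash: str) -> bytes:
    """RFC 5929 section 4.1: hash of the DER certificate, using the hash named by
    the certificate's signatureAlgorithm, with MD5 and SHA-1 upgraded to SHA-256."""
    name = cert_signature_hash.lower().replace("-", "")
    if name in ("md5", "sha1"):
        name = "sha256"
    return hashlib.new(name, cert_der).digest()


def gs2_header(cb_type: Optional[str], client_supports_cb: bool, authzid: str = "") -> str:
    """RFC 5802 gs2-header: "p=<type>" when binding is used, "y" when the client
    supports binding but no -PLUS mechanism was offered, "n" otherwise."""
    if cb_type:
        flag = "p=" + cb_type
    elif client_supports_cb:
        flag = "y"
    else:
        flag = "n"
    return f"{flag},{'a=' + authzid if authzid else ''},"


def channel_binding_attribute(header: str, cb_data: bytes) -> str:
    """RFC 5802 client-final-message "c=" attribute: base64(gs2-header || cbind-data)."""
    return "c=" + base64.b64encode(header.encode("utf-8") + cb_data).decode("ascii")


def server_verifies_binding(c_attr: str, expected_header: str, server_cb_data: bytes) -> bool:
    """Server side: the received c= must equal the header it already saw plus the
    binding data of its own TLS session. Relaying between two TLS sessions
    produces different binding data on each side, so the check fails."""
    if not c_attr.startswith("c="):
        return False
    try:
        received = base64.b64decode(c_attr[2:], validate=True)
    except ValueError:
        return False
    expected = expected_header.encode("utf-8") + server_cb_data
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    """Constructed scenario: the client binds to session A; the server checks
    against session A (direct) and against a different session B (relayed)."""
    secret_a = hashlib.sha256(b"constructed exporter master secret A").digest()
    secret_b = hashlib.sha256(b"constructed exporter master secret B").digest()
    header = gs2_header("tls-exporter", True)
    c_attr = channel_binding_attribute(header, tls_exporter_channel_binding(secret_a))
    return {
        "direct_ok": server_verifies_binding(c_attr, header, tls_exporter_channel_binding(secret_a)),
        "relayed_ok": server_verifies_binding(c_attr, header, tls_exporter_channel_binding(secret_b)),
    }


if __name__ == "__main__":
    print(demo())
```

The server must compare against the binding data of the TLS session it actually terminated, never against a value the client sends, and the gs2-header flag must also be checked: a server that offers a -PLUS mechanism but receives "y" should treat that as a downgrade, since a client that supports binding would have sent "p=".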
--
This message was sent by Atlassian Jira
(v8.20.10#820010)