Re: RFC 9266: Channel Bindings for TLS 1.3 support

On Fri, Nov 21, 2025 at 11:17 AM Nico Williams <nico(at)cryptonector(dot)com> wrote:
> Well, you're right that if we're talking about a Heartbleed type leak
> then what I said does not follow. However loss of the TLS server
> credential's private keys is still close enough to catastrophic.

Sure, but it's nice that SCRAM (the only thing we use bindings for at
the moment) makes it slightly less catastrophic. I just wanted to make
sure that the property of "attacker must have the private key and the
SCRAM verifiers to fully masquerade" had not collapsed into "private
key is sufficient" for some reason.

> That reminds me of another motivation for channel binding: protection
> against wayward CAs. In the WebPKI this is reasonably well accomplished
> by certificate transparency, but it's still nice to be able to use CB to
> protect against that. In corporate networks (where PG is mostly
> deployed, no?) this is not that interesting a consideration.

"Mostly" is probably still accurate? But WebPKI is more important for
us than it used to be, I think. (And with the recent demise of OCSP,
additional server authentication factors may help fill the gap for
some people, maybe?)

Thanks!
--Jacob