Hi All,
In the attached zip file, please find draft-02 of the SACRED protocol framework
document. We have captured the applicable SACRED mailing list archives and
incorporated changes that address as many comments as possible. The changes
that have been made to draft-01 are described in detail (please see the last
section of this msg). My apologies to the list for the delay in getting this
out -- I'd have preferred to complete this draft before the end of April but I
was not able to do so.
Most importantly, we'd like to thank all of the list members whose comments and
suggestions helped refine this latest draft: Stephen Farrell, Magnus Nystrom,
John Linn, Radia Perlman, Charlie Kaufmann, Tom Wu, John Noerenberg, Mike Just,
Tom Jordan, Michael R. Gettes, Menno Pieters, David P. Jablon, Martin Rex, Eric
Norman, Peter Gutmann, and others.
Important Issue -- Please Comment
---------------------------------
Magnus, Mike, and I have had several discussions about the value of continuing
to refine the framework document. We decided to release this latest draft
(informally) for two reasons:
1) We felt it was appropriate to capture the list comments to date and to
incorporate all applicable list comments where it appeared we had reached a
rough group consensus.
2) We wanted to continue with the plan outlined in the March 2001 meeting
minutes.
We feel that this is a good issue to put before the list at this time: Should
we continue to produce (the final) draft-03 of this framework document?
Alternatively, should the framework document be capped and portions of it be
knit into the specific protocol document(s)? Any other suggestions?
Please voice your opinions on further framework document efforts and comment on
this new draft as appropriate. I'll be traveling next week and I believe Magnus
is also on vacation so we may not be able to respond immediately (depending on
Mike's availability :-) but will surely do so as soon as possible thereafter.
Thanks and Best Regards,
Dale Gustafson
------------ framework-02 change list --------------------
2.1 Definitions
a) expanded the definition of "secured credential"
b) added a definition for "strong password protocol"
2.2 Credentials
a) clarified that credentials are protected by two distinct encryption
layers, one that is permanently part of the credential and a second
that is applied over the credential during network transfer.
2.3 Network Architecture
a) added a note indicating that protocol 2 (credential server -
credential store) and protocol 3 (client - credential store) are
related to protocol 1 (client - credential server) but currently out
of scope for standardization.
b) added a note indicating that administrator <-> credential server
protocols are currently out of scope for standardization.
3.0 Authentication Methods
a) added a summary of general requirements for all SACRED user
authentication methods, including a reference to section 3.1 of the
SACRED requirements document, Vulnerabilities.
3.1 Strong Password Protocols
a) changed terminology to "Strong Password Protocol" throughout.
b) added a reference to identified strong password protocols that
might apply.
5.4 Credential Management
a) added a note indicating that complex operations (add user, remove
user, change authentication password, list available credentials)
could be constructed using the basic operations described in this
document.
6.0 Credentials
a) rewrote and expanded this section to amplify the rationale for
selecting a single mandatory-to-implement credential format and to
indicate that additional optional formats may be added (assuming
adequate integrity and privacy functionality is included).
6.1 PKCS #12
a) clarified that a PKCS #12 credential may be integrity protected via
either digital signature or SHA-1 HMAC.
b) clarified that a PKCS #12 credential would likely be privacy
protected using password-based-encryption.
8.0 Security Considerations
a) added a note indicating that servers should protect against
"password guessing", either by trying multiple passwords against a
single user account or by trying the same password against multiple
user accounts.
b) added a note that clients should protect against the user
inadvertently entering her authentication password in the user name
field (and thus sending the password across the network "in the
clear").
References
a) updated the reference to SACRED Requirements draft-03.
b) updated the reference to the PDM authentication protocol
specification.
c) added reference documents for DH-EKE.
Editing changes throughout the document.
Attachment:
draft-ietf-sacred-framework-02.zip
Description: Zip compressed data