[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Review Comments: draft-ietf-sacred-protocol-bss-00.txt
( to the intended mailing list this time ... :-)
A few comments on the latest revision of the SACRED protocol
2.1.4 Password Change
Perhaps the terminology can be clarified to differentiate the passwords
involved; one password may be needed for the authentication/session
security method (when SRP-3 is used in this document); the other (2nd)
password is used to derive a secret key that provides persistent
encryption for the credential per se.
Some have suggested that server implementations may want to ensure the
two passwords are always the same (e.g., for user convenience).
>From a security standpoint, it would be preferable that the server does
not need to have access to the credential password -- or at least the
protocol does not require the server to handle the password in it's
plain text form for change password (or any other) function.
2.1.5 Credential Upload
The current text uses different forms of the Upload request to; add a
new credential, update (replace) an existing credential, or delete a
credential. This seems like it could lead to confusion when multiple
credentials are being accessed from several internet devices.
Client software should be able to allow the user to clearly see/verify
what they are overwriting or deleting (assuming that such decisions are
not always easily reversed).
2.2 Session Security
Allowing clients to support either authentication/session security
method (and requiring servers to support both) is a big workability
This is of paramount importance for SACRED because fitting all needed
functions into memory constrained ROM or firmware based internet devices
is often way harder than it looks. We may want to add some words to
2.4 Handling Multiple Credentials for an Account
Similar comment to 2.1.5.
Should be possible for the user to manage multiple credentials on a
server in a fairly controlled fashion.
3.2 Credential Format
The format for xbulk:pkcs-15 may need to be defined in this document
(if/as needed to satisfy current IETF guidelines for referenced
4. BEEP Profile for SACRED
Stephen mentioned recently that SACRED is using BEEP but the XML groups
appear to be committed to SOAP and SAML.
Since the transactions defined in this document are very simple
(generally, a one message client request with a one message server
reply), it's not clear to me how much elegance we need at the session
layer other than setting up a security environment to protect the
transaction data during network transfer and clearly identifying the
We began with the simple notion of requiring user login via secure
password (or equivalent method) to ensure credentials are delivered to
the rightful user and no others. I assume we'd strongly prefer to
retain that level of functionality and flexibility.
Is BEEP the right direction here?
5. IANA Considerations
... IANA registers the BEEP profile specified in Section 4 ...
6. Security Considerations
No mention of the need to limit password guesses via the network. We
really need to mention the different forms of password guessing that
should be limited by servers.