[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Review Comments: draft-ietf-sacred-protocol-bss-00.txt

To: Stephen Farrell <stephen.farrell@xxxxxxxxxxxx>
Subject: Review Comments: draft-ietf-sacred-protocol-bss-00.txt
From: Dale Gustafson <dale.gustafson@xxxxxxxx>
Date: Mon, 03 Dec 2001 10:11:03 -0600
Cc: SACRED List <ietf-sacred@xxxxxxx>
List-archive: <http://www.imc.org/ietf-sacred/mail-archive/>
List-id: <ietf-sacred.imc.org>
List-unsubscribe: <mailto:ietf-sacred-request@imc.org?body=unsubscribe>
Sender: owner-ietf-sacred@xxxxxxxxxxxx

Hi Stephen,

( to the intended mailing list this time ...  :-)

A few comments on the latest revision of the SACRED protocol
specification.


2.1.4 Password Change

Perhaps the terminology can be clarified to differentiate the passwords
involved;  one password may be needed for the authentication/session
security method (when SRP-3 is used in this document); the other (2nd)
password is used to derive a secret key that provides persistent
encryption for the credential per se.

Some have suggested that server implementations may want to ensure the
two passwords are always the same (e.g., for user convenience).

>From a security standpoint, it would be preferable that the server does
not need to have access to the credential password -- or at least the
protocol does not require the server to handle the password in it's
plain text form for change password (or any other) function.


2.1.5 Credential Upload

The current text uses different forms of the Upload request to;  add a
new credential, update (replace) an existing credential, or delete a
credential.  This seems like it could lead to confusion when multiple
credentials are being accessed from several internet devices.

Client software should be able to allow the user to clearly see/verify
what they are overwriting or deleting (assuming that such decisions are
not always easily reversed).


2.2 Session Security

Allowing clients to support either authentication/session security
method (and requiring servers to support both) is a big workability
improvement.

This is of paramount importance for SACRED because fitting all needed
functions into memory constrained ROM or firmware based internet devices
is often way harder than it looks.  We may want to add some words to
that effect.


2.4 Handling Multiple Credentials for an Account

Similar comment to 2.1.5.

Should be possible for the user to manage multiple credentials on a
server in a fairly controlled fashion.


3.2 Credential Format

The format for xbulk:pkcs-15 may need to be defined in this document
(if/as needed to satisfy current IETF guidelines for referenced
standards).


4. BEEP Profile for SACRED

Stephen mentioned recently that SACRED is using BEEP but the XML groups
appear to be committed to SOAP and SAML.

Since the transactions defined in this document are very simple
(generally, a one message client request with a one message server
reply), it's not clear to me how much elegance we need at the session
layer other than setting up a security environment to protect the
transaction data during network transfer and clearly identifying the
data types.

We began with the simple notion of requiring user login via secure
password (or equivalent method) to ensure credentials are delivered to
the rightful user and no others.  I assume we'd strongly prefer to
retain that level of functionality and flexibility.

Is BEEP the right direction here?


5. IANA Considerations

 ... IANA registers the BEEP profile specified in Section 4 ...


6. Security Considerations

No mention of the need to limit password guesses via the network.  We
really need to mention the different forms of password guessing that
should be limited by servers.

Follow-Ups:
- Re: Review Comments: draft-ietf-sacred-protocol-bss-00.txt
  - From: Stephen Farrell

Prev by Date: Re: The future of SACRED
Next by Date: SACRED agenda for Salt Lake City
Previous by thread: The future of SACRED
Next by thread: Re: Review Comments: draft-ietf-sacred-protocol-bss-00.txt
Index(es):
- Date
- Thread