Re: protocol progress...
Hi Tom,
Without having validated the statement, I cite RFC 2831:
"Offline dictionary attacks are defeated if the client chooses a fresh
nonce for each authentication, as this specification requires."
Regarding your second point, and despite the fact that I am sympathetic to
it, I don't think that was a requirement in RFC 3157. But I could well be
wrong (don't have proper access to it right now).
BR,
-- Magnus
On Mon, 22 Apr 2002, Tom Wu wrote:
> Magnus Nystrom wrote:
> > Phoenix Technologies' statement can be found at:
> >
> > http://www.ietf.org/ietf/IPR/PHOENIX-SRP-RFC2945.txt
> >
> > I think we will have to accept that the IPR situation is unclear at the
> > moment, and will continue to be so for some time. As long as we base our
> > security on a framework like SASL, however, it will always be possible to
> > revisit this issue later on without extensive re-architecting.
>
> As Keith pointed out, it is up to the individual WG member to evaluate
> the validity of IPR claims. My own examination of the relevant patent
> and the circumstances surrounding it indicates that it does not have
> sufficient merit to prevent royalty-free implementation of RFC 2945.
>
> > Going back to Stephen's original posting therefore, one possible existing
> > SASL mechanism could be Digest-MD5, documented in RFC 2831. Digest-MD5
> > is not encumbered, offers security services such as integrity protection,
> > and does offer some advantages over other password-based mechanisms such
> > as CRAM-MD5.
>
> But it is still vulnerable to offline password-guessing. Has there been
> some recently-established consensus to loosen the security requirements
> to accommodate a weaker authentication mechanism?
>
> > -- Magnus
>
> Tom
>
> > On Mon, 22 Apr 2002, Alexey Melnikov wrote:
> >
> >
> >>Eamon O'Tuathail wrote:
> >>
> >>
> >>>Tom,
> >>>
> >>>
> >>>>Stanford's royalty-free IPR statement is on file with the IETF.
> >>>>
> >>>True, and that is much appreciated, but ...
> >>>
> >>>.. has any company/organization other than Stanford made IPR claims
> >>>about SRP? If so, what are those claims, how valid are they, and are any
> >>>of those making the claims NOT prepared to offer royalty-free IPR on
> >>>them?
> >>>
> >>That is exactly the case. I am not in any shape or form an expert on IPR
> >>issues, but I've got the impression that some organization (other than Stanford)
> >>has IPR claims for SRP. Can somebody clarify that?
> >>
> >>
> >>>If the technically excellent SRP were totally free from royalty-bearing
> >>>IPR claims, I would be happy to see it used, otherwise a different
> >>>
>
>
>
> --
> Tom Wu
> Principal Software Engineer
> Arcot Systems
> (408) 969-6124
> "The Borg? Sounds Swedish..."
>
>
-- Magnus
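A worked illustration of the two positions in this thread (the RFC 2831 sentence Magnus quotes about a fresh client nonce, and Tom's point that Digest-MD5 remains open to offline password guessing), added here as an example and not code from the thread or from any of its participants. It models the RFC 2831 response computation in simplified form (qop=auth, no authzid, no charset handling); the user name, realm, URI, nonces and wordlist are constructed sample values. It shows that a fresh nonce invalidates a table precomputed for another session, while a passive observer of any one session can still recompute the response for each candidate password, because every other input is on the wire.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Added example, modelled on the RFC 2831 response computation (qop=auth,
# no authzid).  The transcript dict holds exactly the fields a passive observer
# sees on the wire; the password is never part of it.

def _hexmd5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_response(password: str, t: Dict[str, str]) -> str:
    """Client response-value for the given transcript fields and password.
    A1 = H(username:realm:passwd) ":" nonce ":" cnonce
    A2 = "AUTHENTICATE:" digest-uri
    response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))))"""
    ha1 = hashlib.md5(f"{t['username']}:{t['realm']}:{password}".encode()).digest()
    a1 = ha1 + f":{t['nonce']}:{t['cnonce']}".encode()
    a2 = f"AUTHENTICATE:{t['digest-uri']}".encode()
    kd = f"{_hexmd5(a1)}:{t['nonce']}:{t['nc']}:{t['cnonce']}:{t['qop']}:{_hexmd5(a2)}"
    return _hexmd5(kd.encode())

def make_transcript(password: str, nonce: str, cnonce: str) -> Dict[str, str]:
    """Constructed sample exchange: what an eavesdropper captures."""
    t = {"username": "alice", "realm": "example.org", "nonce": nonce,
         "cnonce": cnonce, "nc": "00000001", "qop": "auth",
         "digest-uri": "imap/mail.example.org"}
    t["response"] = digest_response(password, t)
    return t

def verify_guess_offline(t: Dict[str, str], candidates: Iterable[str]) -> Optional[str]:
    """Check candidate passwords against one captured transcript.
    Every input to digest_response except the password is in t, so a fresh
    nonce/cnonce per session changes the expected value but not the observer's
    ability to recompute it.  This is the exposure Tom describes; it is what a
    verifier-based PAKE such as SRP is designed to remove."""
    for pw in candidates:
        if digest_response(pw, t) == t["response"]:
            return pw
    return None

def precomputed_table(candidates: Iterable[str], t: Dict[str, str]) -> Dict[str, str]:
    """Table response -> password built ahead of time for one fixed
    (nonce, cnonce) pair.  This is the kind of precomputation that a fresh
    client nonce invalidates, which is what the RFC 2831 sentence addresses."""
    return {digest_response(pw, t): pw for pw in candidates}

def lookup_precomputed(table: Dict[str, str], t: Dict[str, str]) -> Optional[str]:
    return table.get(t["response"])

WORDLIST = ["letmein", "password", "correct horse", "hunter2"]  # constructed

if __name__ == "__main__":
    s1 = make_transcript("correct horse", "n1", "c1")
    print("session 1, per-session check:", verify_guess_offline(s1, WORDLIST))
    table = precomputed_table(WORDLIST, s1)
    s2 = make_transcript("correct horse", "n1", "c2")  # same server nonce, fresh cnonce
    print("session 2, table from session 1:", lookup_precomputed(table, s2))
    print("session 2, per-session check:", verify_guess_offline(s2, WORDLIST))
```

The defender's takeaway is the difference between the two checks: `lookup_precomputed` fails as soon as the client nonce changes, which is the property the RFC sentence claims, while `verify_guess_offline` succeeds for any captured session, which is the offline password-guessing Tom refers to. Evaluating a mechanism against the second check, not just the first, is what separates Digest-MD5 from a PAKE such as SRP.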