
Re: draft-josefsson-password-auth-00.txt



On Thu, Mar 29, 2007 at 03:03:42PM +0200, Simon Josefsson wrote:
> My idea is to specify a challenge/response protocol that is (somewhat)
> agnostic to the framework (GSS-API or SASL) and then specify how that
> protocol is used in these two frameworks.  Since the wire protocol is
> highly influenced by GSS-API and SASL concepts, the mappings for how
> to use the protocol in GSS-API or SASL is just one page.  The

I guess it can be one page, since for GSS challenge/response password-
based mechs there won't be many name types available, thus not much
discussion of naming.  Right?  Maybe not: presumably acceptor names are
used to salt the password, in which case any name type goes and the mech
has to specify the relevant mappings from generic name syntax to
whatever the mech uses internally.  And there's the exported name token
format to consider also.

But in any case, it needn't be much text, and I've volunteered to write
that text.

[...]
> Comments?
> 
> I'm cc:ing this to the password-auth mailing list that I created for
> discussion of the document.  Some discussions of the document may be
> off-topic for the SASL/KITTEN lists, and the WG chairs may prefer to
> see it discussed elsewhere (let me know!), so consider dropping the
> IETF lists when starting such a thread.  To subscribe to the list, and
> for other resources related to this effort, see:

Not another mailing list... :/  :)

>        http://josefsson.org/password-auth/
> 
> Even if there isn't much uptake from the SASL community on this idea,
> I believe having a password-based GSS-API mechanism is an important
> contribution and I'll continue working on that.  How much the document
> talks about SASL will depend on the interest.  Through GS2, it will
> eventually be possible to use it in SASL anyway.

Agreed.

Nico
--