[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SCRAM with(out) GS2 (was Re: Holding gs2)
- To: Arnt Gulbrandsen <arnt@xxxxxxxx>
- Subject: Re: SCRAM with(out) GS2 (was Re: Holding gs2)
- From: Nicolas Williams <Nicolas.Williams@xxxxxxx>
- Date: Wed, 30 Jan 2008 10:22:09 -0600
- Cc: ietf-sasl@xxxxxxx, Alexey Melnikov <alexey.melnikov@xxxxxxxxx>, Chris Newman <Chris.Newman@xxxxxxx>, Sam Hartman <hartmans-ietf@xxxxxxx>, Simon Josefsson <simon@xxxxxxxxxxxxx>
- In-reply-to: <b6X5oHIyQbgfVbXrtzmq7A.md5@xxxxxxxxxxxxxxxxxxx>
- List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
- List-id: <ietf-sasl.imc.org>
- List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
- Mail-followup-to: Arnt Gulbrandsen <arnt@xxxxxxxx>, ietf-sasl@xxxxxxx, Alexey Melnikov <alexey.melnikov@xxxxxxxxx>, Chris Newman <Chris.Newman@xxxxxxx>, Sam Hartman <hartmans-ietf@xxxxxxx>, Simon Josefsson <simon@xxxxxxxxxxxxx>
- References: <tslzlv55mon.fsf@xxxxxxx> <87bq7hx536.fsf@xxxxxxxxxxxxxxxxxxx> <tslk5m2ep8f.fsf@xxxxxxx> <87myqxnc8b.fsf@xxxxxxxxxxxxxxxxxxx> <479CCD23.4050600@xxxxxxxxx> <20080128155952.GZ12865@xxxxxxx> <A700A598DE5875E9C792C999@xxxxxxxxxxxxxxxxxx> <b6X5oHIyQbgfVbXrtzmq7A.md5@xxxxxxxxxxxxxxxxxxx>
- Sender: owner-ietf-sasl@xxxxxxxxxxxx
- User-agent: Mutt/1.5.7i
On Wed, Jan 30, 2008 at 12:21:08PM +0100, Arnt Gulbrandsen wrote:
> Chris Newman writes:
> >I would personally have no problem implementing an all-binary SCRAM
> >regardless of how ugly the ASN.1 and binary encoding happens to be
> >(it just requires more lines of parsing code since I have to include
> >all the binary->text logic for debugging).
>
> My two cents: I want SCRAM as a replacement for Digest-MD5 and to some
> degree Cram-MD5. That may not be a good reason, but it's mine, and I
> worry that GS2 hurts rather than helps.
>
> As I see it, the people I want to implement SCRAM have Cram-MD5 and/or
> (bad) Digest-MD5 implementations, and most of them don't have
> GSS-API/GS2 implementations. For these people, basing SCRAM on GS2
> means that they must read and understand more RFC text and their
> implementations will be more complex. Chris has no problem with that,
> but I fear that many people do. More text to read and understand means
> a greater reluctance to implement, and in turn a slower pace of
> adoption. More complexity means worse interoperation.
We can deal with this, and we've already agreed to, by providing two
descriptions of the mechanism, one without reference to the GSS-API nor
GS2, and one with.
The simplified GS2 option we've been discussing would make that task
much, much easier, and would make the design of SCRAM much simpler also.
Thus I am strongly in favor of at least adding the channel-binding-only
option to GS2. I am also leaning towards being in favor of removing
support for security layers and security layer negotiation from GS2 as
well -- that would another significant simplification. On the latter
point I'd like to hear from Simon and others whether they are OK with
GS2 (GS3, whatever) mechanisms not providing any security layers.
Nico
--