[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: which is our DIGEST-MD5 successor?

To: Tom Yu <tlyu@xxxxxxx>
Subject: Re: which is our DIGEST-MD5 successor?
From: Simon Josefsson <simon@xxxxxxxxxxxxx>
Date: Mon, 10 Mar 2008 23:47:42 +0100
Cc: ietf-sasl@xxxxxxx
In-reply-to: <ldvhcfeqosf.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxx> (Tom Yu's message of "Mon, 10 Mar 2008 16:58:40 -0400")
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
Openpgp: id=B565716F; url=http://josefsson.org/key.txt
References: <ldvhcfeqosf.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-sasl@xxxxxxxxxxxx
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)

Tom Yu <tlyu@xxxxxxx> writes:

> We have had several password-based SASL mechanism proposals submitted
> to the WG for the purpose of replacing DIGEST-MD5.  Much of our
> discussion has centered on SCRAM, but I would like to make sure that
> we have consensus behind SCRAM and that all proposals presented to us
> have been adequately considered.
>
> I believe the HEXA proposal has been merged into SCRAM.  Simon
> Josefsson has also submitted a password-based mechanism.  During
> IETF70, I had misunderstood Simon's intention with this document and
> believed that he was withdrawing it.  Simon has since stated that he
> intends to continue pursuing his document.  The document remains
> expired, as far as I can tell, so this may not be relevant anymore.
> (Simon, do you intend to renew the document?)

Let me clarify: given that there weren't much interest from the SASL
community, I didn't think there were any point in describing the SASL
mappings of the GSS-API mechanism that my document specifies.  I may
have said that I would retire that part of the document.  My intention
is still to pursue the rest of the document as a normal GSS-API
mechanism.  I always wanted it possible to use the mechanism with GS2,
and when implementing I would probably use that as the first test case.

I do intend to pursue the GSS-API mechanism part of that document, but
alas haven't had time to implement it yet.  My document doesn't
necessarily have to be an IETF document though.  If SCRAM evolves into a
GSS-API mechanism, I would consider to use that instead, and drop my
proposal.  Or we could merge SCRAM and my draft, if people can agree on
the design.  My requirements are that it should be a GSS-API mechanism
and that it should use hashing, and not be specific to the SASL context.
I don't think I have other strong requirements.

A SASL-specific password-mechanism is likely to be simpler than a
GSS-API mechanism from a specification complexity point of view.  If
people want a dead simple SASL password mechanism specification that do
not mention GSS-API, I don't think that approach is compatible with my
goals.  Then we'll end up with two solutions for these two different
goals.

> I think Chris Newman said during the WG session at IETF70 that he
> believed there was nothing in Simon's document that was not in SCRAM,
> apart from a few paragraphs about making the protocol consistent with
> GS2.  I later realized that Chris is listed as an author of SCRAM, and
> would like additional opinions.

SCRAM isn't a GSS-API mechanism, as far as I know, so it fails the first
criteria I had when writing my password-auth document.  I must admit
that I haven't reviewed SCRAM since it was initially discussed.  Where
can I find the latest SCRAM document?

For reference, the latest version of my password document is available
from <http://josefsson.org/password/>.

/Simon

Follow-Ups:
- Re: which is our DIGEST-MD5 successor?
  - From: Jeffrey Hutzelman
- Re: which is our DIGEST-MD5 successor?
  - From: Frank Ellermann

References:
- which is our DIGEST-MD5 successor?
  - From: Tom Yu

Prev by Date: which is our DIGEST-MD5 successor?
Next by Date: Re: which is our DIGEST-MD5 successor?
Previous by thread: which is our DIGEST-MD5 successor?
Next by thread: Re: which is our DIGEST-MD5 successor?
Index(es):
- Date
- Thread