Re: Clarifying the qualities we desire the DIGEST-MD5 replacement to have
Chris Newman writes:
> Nice-to-have features:
> (...)
> * Textual protocol like CRAM-MD5 over binary protocol that's harder
> to test/debug
I don't get this. SASL is not a protocol. If a textual protocol _uses_
SASL, it must turn SASL blobs into text - e.g. by base64-encoding them.
If the SASL mechanism also base64-encodes, we get base64(base64(data)).
If you are thinking of text vs ASN.1 I agree ASN.1 is harder to examine,
but there are plenty of middle ways. E.g. a fixed-field format with a
field separator need not be textual. And such binary fields could still
start with 'token=' to identify them when you read the protocol.
Another feature: Don't disclose the existence/absence of a user unless
authentication succeeds. Or at least don't require it to be disclosed.
See my messages "Hide presence/absence of users in server (HEXA, SCRAM)"
of 30 Apr 2007.
Regarding the SCRAM draft, I hope there'll be a version soon which
spells out what each challenge and response consists of, and what the
server must remember (or be able to construct). It's cumbersome to
dig around in the parameter descriptions in order to figure that out.
--
Hallvard
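The "don't disclose the existence/absence of a user" point above, as an added example that is not part of the original message or of any SCRAM draft: a simplified salted challenge-response in which the server answers a challenge for an unknown username with a decoy record (salt derived by a keyed hash of the username, so repeated probes see a stable salt exactly as a real account would) and runs the identical verification path, so neither the challenge, the failure result nor the timing separates "no such user" from "wrong password". SERVER_SECRET, the USERS table and the record layout are constructed for illustration; the scheme is deliberately simpler than SCRAM (the server keeps a password-derived key rather than a StoredKey/ServerKey pair) and is not the draft's algorithm.

```python
import hashlib
import hmac
import os

# Added example, not code from the original message or from a SCRAM draft.
# Simplified salted challenge-response: the server stores a password-derived
# key per user, sends (salt, iterations, nonce) and checks HMAC(key, nonce).
# SERVER_SECRET, USERS and the record layout below are constructed values.

SERVER_SECRET = b"constructed-server-secret-do-not-reuse"  # constructed
ITERATIONS = 4096
SALT_LEN = 16


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Password -> key; the same work is done on both sides."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user_record(password: str) -> dict:
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "iterations": ITERATIONS,
            "key": derive_key(password, salt, ITERATIONS)}


# Constructed user database with a single real account.
USERS = {"alice": make_user_record("correct horse battery staple")}


def decoy_record(username: str) -> dict:
    """Record used for unknown users. The salt is a keyed hash of the
    username, so repeated probes of the same name get the same salt, just
    as a real account would; the decoy key is random-looking and never
    matches any client proof."""
    salt = hmac.new(SERVER_SECRET, username.encode(), "sha256").digest()[:SALT_LEN]
    key = hmac.new(SERVER_SECRET, b"key:" + username.encode(), "sha256").digest()
    return {"salt": salt, "iterations": ITERATIONS, "key": key}


def lookup(username: str) -> dict:
    # Same record shape whether or not the user exists.
    return USERS.get(username) or decoy_record(username)


def server_challenge(username: str) -> tuple:
    """First server message: (salt, iterations, nonce). The server must
    remember the nonce for the session in order to verify the proof."""
    rec = lookup(username)
    nonce = os.urandom(16)
    return rec["salt"], rec["iterations"], nonce


def client_proof(password: str, salt: bytes, iterations: int, nonce: bytes) -> bytes:
    """Client response: HMAC of the server nonce under the derived key."""
    key = derive_key(password, salt, iterations)
    return hmac.new(key, nonce, "sha256").digest()


def server_verify(username: str, nonce: bytes, proof: bytes) -> bool:
    """Identical work for known and unknown users: one lookup, one HMAC,
    one constant-time comparison. A bad password and a missing account
    produce the same False by the same code path."""
    rec = lookup(username)
    expected = hmac.new(rec["key"], nonce, "sha256").digest()
    return hmac.compare_digest(expected, proof)


if __name__ == "__main__":
    salt, its, nonce = server_challenge("alice")
    print("alice ok:", server_verify("alice", nonce,
          client_proof("correct horse battery staple", salt, its, nonce)))
    salt, its, nonce = server_challenge("nobody")
    print("nobody:", server_verify("nobody", nonce,
          client_proof("anything", salt, its, nonce)))
```

The design choice worth noting is the keyed, username-derived decoy salt: a random salt per probe would itself reveal absence (a real account's salt never changes between attempts), and a fixed global decoy salt would mark every unknown name with the same value.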