Re: Clarifying the qualities we desire the DIGEST-MD5 replacement to have
Hallvard B Furuseth <h.b.furuseth@xxxxxxxxxxx> writes:
> Simon Josefsson writes:
>>Hallvard B Furuseth <h.b.furuseth@xxxxxxxxxxx> writes:
>>> I don't get this. SASL is not a protocol. If a textual protocol _uses_
>>> SASL, it must turn SASL blobs into text - e.g. by base64-encoding them.
>> (...)
>> Hex encoding the data as well doesn't cost much, and allows for simpler
>> string handling in some programming languages.
>
> Programs that treat SASL blobs as text are broken and possibly a
> security hazard. At least unless they check the syntax first.
> (For C, that the blob contains no '\0'.)

Sure, but internally in a mechanism, using text can simplify parsing and
debugging for some programming languages.

(But it can also complicate parsing... see DIGEST-MD5)

I don't feel strongly about it, but it may be a good idea. There is
precedent given PLAIN, CRAM-MD5 and DIGEST-MD5.

/Simon
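
Added example, not part of the original message and not taken from any SASL implementation: a C sketch of the two options discussed in this thread, checking a length-delimited blob for an embedded '\0' before handling it as a string, and hex-encoding it so any byte value is safe as text. The function names `blob_to_cstr` and `blob_to_hex` and the sample blobs are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: a blob with an embedded NUL, and a clean one. */
static const unsigned char SAMPLE_BAD[] = "admin\0,authzid=root";
static const unsigned char SAMPLE_OK[]  = "username=simon";

/* Copy a length-delimited blob into a C string only if it is safe to treat
 * as text: no embedded '\0' and room for the terminator. 0 = ok, -1 = reject. */
int blob_to_cstr(const unsigned char *blob, size_t len, char *out, size_t outsz)
{
    if (blob == NULL || out == NULL || len >= outsz)
        return -1;
    if (memchr(blob, '\0', len) != NULL)
        return -1;   /* strlen()/strcmp() would silently stop at this byte */
    memcpy(out, blob, len);
    out[len] = '\0';
    return 0;
}

/* Hex-encode a blob so every byte value is representable as text.
 * Returns the number of characters written, or -1 if it does not fit. */
int blob_to_hex(const unsigned char *blob, size_t len, char *out, size_t outsz)
{
    static const char digits[] = "0123456789abcdef";
    if (blob == NULL || out == NULL || outsz == 0 || len > (outsz - 1) / 2)
        return -1;
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = digits[blob[i] >> 4];
        out[2 * i + 1] = digits[blob[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return (int)(2 * len);
}

int main(void)
{
    char text[64], hex[64];
    size_t len = sizeof SAMPLE_BAD - 1;   /* true length, NUL included */
    printf("true length %zu, strlen sees %zu\n", len, strlen((const char *)SAMPLE_BAD));
    printf("bad as text: %d\n", blob_to_cstr(SAMPLE_BAD, len, text, sizeof text));
    printf("ok as text:  %d\n", blob_to_cstr(SAMPLE_OK, sizeof SAMPLE_OK - 1, text, sizeof text));
    if (blob_to_hex(SAMPLE_BAD, len, hex, sizeof hex) > 0)
        printf("bad as hex:  %s\n", hex);
    return 0;
}
```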