[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Clarifying the qualities we desire the DIGEST-MD5 replacement to have

To: Chris Newman <Chris.Newman@xxxxxxx>
Subject: Re: Clarifying the qualities we desire the DIGEST-MD5 replacement to have
From: Simon Josefsson <simon@xxxxxxxxxxxxx>
Date: Wed, 12 Mar 2008 14:55:14 +0100
Cc: Steven Simon <simon.s@xxxxxxxxx>, Kurt Zeilenga <Kurt.Zeilenga@xxxxxxxxx>, ietf-sasl@xxxxxxx
In-reply-to: <> (Chris Newman's message of "Wed, 12 Mar 2008 09:15:51 -0500")
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
Openpgp: id=B565716F; url=http://josefsson.org/key.txt
References: <9C18D563-B86C-4ED8-8312-F22578A11E63@xxxxxxxxx> <> <195DCF92-D71D-4FC2-A26C-484102649343@xxxxxxxxx> <>
Sender: owner-ietf-sasl@xxxxxxxxxxxx
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)

Chris Newman <Chris.Newman@xxxxxxx> writes:

>> Desirable on-disk hash features:
>> * salted
>> * iteration count
>
> Obviously, I agree these are desirable as they're in SCRAM ;-).  I
> consider the iteration count necessary if the mechanism is to have any
> utility without TLS.

It may be useful to understand early on whether SCRAM without a
successful channel binding is going to be acceptable to the IETF
community and perhaps in particular to the IESG.

The obvious problem is that authentication without session data
integrity protection is vulnerable to active attackers hi-jacking the
session after successful authentication.

I think it would be acceptable to have an option whereby if peers
actively accepts the threat, the protocol works even if there is no
session data protection.

/Simon

References:
- Clarifying the qualities we desire the DIGEST-MD5 replacement to have
  - From: Kurt Zeilenga
- Re: Clarifying the qualities we desire the DIGEST-MD5 replacement to have
  - From: Chris Newman
- Re: Clarifying the qualities we desire the DIGEST-MD5 replacement to have
  - From: Steven Simon
- Re: Clarifying the qualities we desire the DIGEST-MD5 replacement to have
  - From: Chris Newman

Prev by Date: Re: Clarifying the qualities we desire the DIGEST-MD5 replacement to have
Next by Date: Re: Clarifying the qualities we desire the DIGEST-MD5 replacement to have
Previous by thread: Re: Clarifying the qualities we desire the DIGEST-MD5 replacement to have
Next by thread: Re: Clarifying the qualities we desire the DIGEST-MD5 replacement to have
Index(es):
- Date
- Thread