Re: Crypto agility in SCRAM + draft-josefsson-password-auth?
Simon Josefsson wrote:
> Thus my suggestion is to hard code the crypto algorithm in SCRAMng,
> following the simplicity of CRAM-MD5.
> What do others think about this proposal?
Strong ACK, no complex variants, folks wishing SHA-2* should get a
SASL mechanism, I'd like to see MD5, that can get a different name,
and offering an alternative to HMAC deserves its own draft with
its own security considerations explaining "why". Skip SHA-1, for
true believers in SHA-* that's too soon obsolete (2010). And for
folks wanting a "free" algorithm nothing is wrong with HMAC-MD5.
Frank