[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)

To: Chris Newman <Chris.Newman@xxxxxxx>
Subject: Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
From: Nicolas Williams <Nicolas.Williams@xxxxxxx>
Date: Mon, 17 Mar 2008 21:35:27 -0500
Cc: Simon Josefsson <simon@xxxxxxxxxxxxx>, ietf-sasl@xxxxxxx
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
Mail-followup-to: Chris Newman <Chris.Newman@xxxxxxx>, Simon Josefsson <simon@xxxxxxxxxxxxx>, ietf-sasl@xxxxxxx
References: <877ig12v5g.fsf@xxxxxxxxxxxxxxxxxxx> <20080317171317.GB16998@xxxxxxx> <>
Sender: owner-ietf-sasl@xxxxxxxxxxxx
User-agent: Mutt/1.5.7i

On Mon, Mar 17, 2008 at 05:56:44PM -0700, Chris Newman wrote:
> I am opposed to this suggestion, leaning in the direction of strongly 
> opposed.
> 
> This is one of the sources of interoperability problems for DIGEST-MD5 
> (client implementers didn't understand what the domain/realm meant).
> 
> It makes the client UI more complex and thus creates a significant 
> complexity barrier (far more significant than any of the crypto algorithm 
> issues).
> 
> If the domain matters, users can just use an email-style login identifier 
> (e.g., chris.newman@xxxxxxx as my login identifier).

This is not about a domain in the username!

This is about enrolling in a realm so that many servers in that realm
can authenticate the same users but without being able to impersonate
those users to any other servers in that realm.

Without this feature the only way to do the above is by having the
servers authenticate to a realm server, pass through SCRAM messages and
then get the results from the realm server.

Not being able to enroll once but authenticate to many servers seems
obnoxious.

Nico
--

Follow-Ups:
- Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
  - From: Simon Josefsson
- Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
  - From: Steven Simon

References:
- Crypto agility in SCRAM + draft-josefsson-password-auth?
  - From: Simon Josefsson
- Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
  - From: Nicolas Williams
- Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
  - From: Chris Newman

Prev by Date: Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
Next by Date: Re: Crypto agility in SCRAM + draft-josefsson-password-auth?
Previous by thread: Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
Next by thread: Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
Index(es):
- Date
- Thread