Re: Crypto agility in SCRAM + draft-josefsson-password-auth?
Chris Newman wrote:
> CRAM-MD5 demonstrated it is deployable in apps
+1
> I am not convinced the security value of PBKDF-2
> offsets the additional complexity it adds.
Without asking Google or similar tricks, I have
not the faintest idea what "PBKDF-2" is. Is it
worse than "APR1"? That is where I'd draw the
line, scripts taking a minute to shuffle 128 bits
on low end platforms are a PITA.
> It may be not a lot of complexity, but every
> bit matters.
I'm more interested in nanoseconds than in bits,
but I guess that means we agree.
> Everyone's code toolkit includes MD5, but use
> of SHA1 is quite rare in applications at the
> moment. Switching away from MD5 will create a
> deployment barrier.
+1 I don't think SHA-1 is still rare, but it is
a known dead end, and using MD5 as least common
denominator makes sense. Very unfair comparison,
MD5 : SHA-1 : xxx ~ ftp : gopher : http
> it doesn't matter how much more secure SHA1 is
> than MD5 if the SHA1-based mechanism doesn't
> deploy and an MD5-based one might have deployed.
SHA-1 shuffles a few more bits. I'm mystified
when, say, RFC 4122 claims that UUID v5 with 123
bits entropy is "better" than UUID v3 with the
same number of bits, only because v5 uses SHA-1.
After that they go to publish one example using
v3 and apparently get it wrong, in an RFC, and
in an equivalent ITU standard.
Frank
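The thread argues about two separate knobs: which hash sits under the mechanism (the agility question) and how many PBKDF2 iterations the password stretching costs (the "minute on low-end platforms" question). The following is an added example, not code from this thread or from the SCRAM or draft-josefsson authors: a complete SCRAM (RFC 5802) client/server computation in which the hash function is a plain parameter, so the same code yields SCRAM-SHA-1 and SCRAM-SHA-256 proofs, plus a timing helper for the Hi() cost. Hi() is PBKDF2-HMAC exactly as RFC 5802 defines it (dkLen = digest size). The username, password, salt and nonces are the RFC 5802 section 5 test vector ("user" / "pencil"), used here as constructed test input; SASLprep normalization is omitted since the input is ASCII. Function names are my own.

```python
"""SCRAM (RFC 5802) computations with the hash function as the agility
parameter.  Added example; not from the thread or any SCRAM author.
Test data is the RFC 5802 section 5 vector, used as constructed input.
SASLprep is skipped (ASCII-only password)."""
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass


def hi(hash_name: str, password: bytes, salt: bytes, iterations: int) -> bytes:
    """RFC 5802 Hi(): PBKDF2 with HMAC-H, output length = H digest size."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class StoredCredential:
    """What the server keeps: never the password or SaltedPassword itself."""
    hash_name: str
    salt: bytes
    iterations: int
    stored_key: bytes   # H(ClientKey)
    server_key: bytes   # HMAC(SaltedPassword, "Server Key")


def enroll(hash_name: str, password: str, salt: bytes, iterations: int) -> StoredCredential:
    salted = hi(hash_name, password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    server_key = hmac.new(salted, b"Server Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    return StoredCredential(hash_name, salt, iterations, stored_key, server_key)


def client_proof(hash_name: str, password: str, salt: bytes, iterations: int,
                 auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hi(hash_name, password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hash_name).digest()
    return xor_bytes(client_key, client_sig)


def server_verify(cred: StoredCredential, auth_message: bytes, proof: bytes) -> bool:
    """Recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    client_sig = hmac.new(cred.stored_key, auth_message, cred.hash_name).digest()
    client_key = xor_bytes(proof, client_sig)
    recovered = hashlib.new(cred.hash_name, client_key).digest()
    return hmac.compare_digest(recovered, cred.stored_key)


def server_signature(cred: StoredCredential, auth_message: bytes) -> bytes:
    """ServerSignature = HMAC(ServerKey, AuthMessage); the client checks it."""
    return hmac.new(cred.server_key, auth_message, cred.hash_name).digest()


def run_exchange(hash_name: str, password: str = "pencil", attempt: str = "",
                 iterations: int = 4096) -> dict:
    """Drive one exchange.  'attempt' is the password the client actually
    uses (defaults to the enrolled one).  Nonces/salt: RFC 5802 vector."""
    username = "user"
    salt = base64.b64decode("QSXCR+Q6sek8bf92")
    client_nonce = "fyko+d2lbbFgONRv9qkxdawL"
    combined_nonce = client_nonce + "3rfcNHYJY1ZVvWVs7j"
    cred = enroll(hash_name, password, salt, iterations)

    client_first_bare = f"n={username},r={client_nonce}".encode()
    server_first = (f"r={combined_nonce},s={base64.b64encode(salt).decode()},"
                    f"i={iterations}").encode()
    client_final_no_proof = f"c=biws,r={combined_nonce}".encode()  # biws = "n,," (no channel binding)
    auth_message = b",".join([client_first_bare, server_first, client_final_no_proof])

    proof = client_proof(hash_name, attempt or password, salt, iterations, auth_message)
    return {
        "proof_b64": base64.b64encode(proof).decode(),
        "server_sig_b64": base64.b64encode(server_signature(cred, auth_message)).decode(),
        "verified": server_verify(cred, auth_message, proof),
        "digest_len": len(proof),
    }


def hi_seconds(hash_name: str, iterations: int) -> float:
    """Wall-clock cost of one Hi() call: the knob the thread is arguing over."""
    t0 = time.perf_counter()
    hi(hash_name, b"pencil", b"0123456789ab", iterations)
    return time.perf_counter() - t0


if __name__ == "__main__":
    for h in ("sha1", "sha256"):
        r = run_exchange(h)
        print(h, r["verified"], r["proof_b64"], f"Hi(4096): {hi_seconds(h, 4096) * 1000:.1f} ms")
    print("wrong password verified:", run_exchange("sha1", attempt="pencils")["verified"])
```

With "sha1" the proof and server signature reproduce the RFC 5802 vector; switching the string to "sha256" gives SCRAM-SHA-256 with no other change, which is what the mechanism-name agility buys. The iteration count, not the hash choice, is what moves `hi_seconds`; on a slow platform the "i=" value the server advertises is the number to tune.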