[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)

To: Chris Newman <Chris.Newman@xxxxxxx>
Subject: Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
From: Simon Josefsson <simon@xxxxxxxxxxxxx>
Date: Tue, 18 Mar 2008 16:52:49 +0100
Cc: ietf-sasl@xxxxxxx
In-reply-to: <20080318023527.GS16998@xxxxxxx> (Nicolas Williams's message of "Mon, 17 Mar 2008 21:35:27 -0500")
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
Openpgp: id=B565716F; url=http://josefsson.org/key.txt
References: <877ig12v5g.fsf@xxxxxxxxxxxxxxxxxxx> <20080317171317.GB16998@xxxxxxx> <> <20080318023527.GS16998@xxxxxxx>
Sender: owner-ietf-sasl@xxxxxxxxxxxx
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)

Nicolas Williams <Nicolas.Williams@xxxxxxx> writes:

> On Mon, Mar 17, 2008 at 05:56:44PM -0700, Chris Newman wrote:
>> I am opposed to this suggestion, leaning in the direction of strongly 
>> opposed.
>> 
>> This is one of the sources of interoperability problems for DIGEST-MD5 
>> (client implementers didn't understand what the domain/realm meant).
>> 
>> It makes the client UI more complex and thus creates a significant 
>> complexity barrier (far more significant than any of the crypto algorithm 
>> issues).
>> 
>> If the domain matters, users can just use an email-style login identifier 
>> (e.g., chris.newman@xxxxxxx as my login identifier).
>
> This is not about a domain in the username!
>
> This is about enrolling in a realm so that many servers in that realm
> can authenticate the same users but without being able to impersonate
> those users to any other servers in that realm.
>
> Without this feature the only way to do the above is by having the
> servers authenticate to a realm server, pass through SCRAM messages and
> then get the results from the realm server.
>
> Not being able to enroll once but authenticate to many servers seems
> obnoxious.

I think this is out of scope for a simple password based password
mechanism.

If you have an infrastructure like the one you describe, either Kerberos
(if you prefer symmetric encryption) or TLS+EXTERNAL (if you prefer
asymmetric encryption) seems like a better approach to me.

If you really want to achieve something like you want, wouldn't the
following work?  Enroll the user once, and then ask the user to use a
username like 'user@xxxxxxxxxxxxx', 'user@xxxxxxxxxxxxx' for each of the
servers in that realm.  The enrollment process could push out the
password-equivalent hash to each server.

In my experience, the realms feature was not used widely with
DIGEST-MD5, but made the specification more complex.

/Simon

Follow-Ups:
- Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
  - From: Nicolas Williams
- Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
  - From: Jeffrey Hutzelman

References:
- Crypto agility in SCRAM + draft-josefsson-password-auth?
  - From: Simon Josefsson
- Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
  - From: Nicolas Williams
- Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
  - From: Chris Newman
- Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
  - From: Nicolas Williams

Prev by Date: Re: Crypto agility in SCRAM + draft-josefsson-password-auth?
Next by Date: Re: Crypto agility in SCRAM + draft-josefsson-password-auth?
Previous by thread: Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
Next by thread: Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
Index(es):
- Date
- Thread