Re: Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)
On Tue, Mar 18, 2008 at 04:52:49PM +0100, Simon Josefsson wrote:
> Nicolas Williams <Nicolas.Williams@xxxxxxx> writes:
> > Not being able to enroll once but authenticate to many servers seems
> > obnoxious.
>
> I think this is out of scope for a simple password based password
> mechanism.
>
> If you have an infrastructure like the one you describe, either Kerberos
> (if you prefer symmetric encryption) or TLS+EXTERNAL (if you prefer
> asymmetric encryption) seems like a better approach to me.
Hmmm, I think I can live with this answer, but I also think that a SCRAM
with this option will have sufficiently different properties from
Kerberos that in many cases it could be preferable (specifically: no
online infrastructure requirement for the client).
> If you really want to achieve something like you want, wouldn't the
> following work? Enroll the user once, and then ask the user to use a
> username like 'user@xxxxxxxxxxxxx', 'user@xxxxxxxxxxxxx' for each of the
> servers in that realm. The enrollment process could push out the
> password-equivalent hash to each server.
Ick.
> In my experience, the realms feature was not used widely with
> DIGEST-MD5, but made the specification more complex.
OK, I withdraw this proposal.