
Re: Crypto agility in SCRAM + draft-josefsson-password-auth?



>>>>> "Chris" == Chris Newman <Chris.Newman@xxxxxxx> writes:

    Chris> I support use of HMAC.  CRAM-MD5 demonstrated it is
    Chris> deployable in apps, there are published test vectors in
    Chris> RFCs for it we can reference, and although the security
    Chris> benefit is not overwhelming IMHO, it has clear benefits due
    Chris> to the attacks on concatenated hashes.

I agree.

    Chris> I am not convinced the security value of PBKDF-2 offsets
    Chris> the additional complexity it adds.  Remember there is
    Chris> negative security benefit if we use PBKDF-2 and the
    Chris> additional complexity pushes the mechanism over the edge
    Chris> into the "not worth implementing" category.  It may be not
    Chris> a lot of complexity, but every bit matters.

I support some mechanism for taking a password and converting it to a
key that is generally accepted in the security community.  I would
strongly object to rolling our own.  SCRAM currently rolls its own;
PBKDF-2 is generally accepted.  If you can point to another generally
accepted mechanism that is simpler, we should consider it.

    Chris> I support using the mechanism name for algorithm agility
    Chris> and not having sub-negotiation.  This is a tradeoff.  

Is it?  I'm not sure sub-negotiation would be valuable for this
mechanism even if we could make it work.
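
An added example, not part of the original message or of any SCRAM draft: PBKDF2 written directly on top of an HMAC primitive, to show how much code the password-to-key step adds once HMAC is already implemented. The hash (SHA-1), the function names and the sample inputs are assumptions chosen so the result can be checked against the published RFC 6070 test vectors and against Python's built-in `hashlib.pbkdf2_hmac`.

```python
import hashlib
import hmac
import struct


def pbkdf2(password: bytes, salt: bytes, iterations: int, dklen: int,
           hash_name: str = "sha1") -> bytes:
    """PBKDF2 (RFC 2898 / RFC 8018) using only an HMAC primitive."""
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    hlen = hashlib.new(hash_name).digest_size
    blocks = -(-dklen // hlen)  # ceil(dklen / hlen)
    derived = b""
    for index in range(1, blocks + 1):
        # U_1 = HMAC(password, salt || INT_32_BE(index))
        u = hmac.new(password, salt + struct.pack(">I", index), hash_name).digest()
        t = int.from_bytes(u, "big")
        # U_j = HMAC(password, U_{j-1}); block T = U_1 xor U_2 xor ... xor U_c
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            t ^= int.from_bytes(u, "big")
        derived += t.to_bytes(hlen, "big")
    return derived[:dklen]


def matches_reference(password: bytes, salt: bytes, iterations: int,
                      dklen: int, hash_name: str = "sha1") -> bool:
    """Compare the hand-written derivation with hashlib's implementation."""
    expected = hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen)
    return hmac.compare_digest(pbkdf2(password, salt, iterations, dklen, hash_name),
                               expected)


if __name__ == "__main__":
    # RFC 6070 inputs: P = "password", S = "salt", dkLen = 20
    for count in (1, 2, 4096):
        key = pbkdf2(b"password", b"salt", count, 20)
        print(count, key.hex(), matches_reference(b"password", b"salt", count, 20))
    # Constructed input that needs more than one output block (dklen > 20)
    print(matches_reference(b"constructed-pass", b"constructed-salt", 1000, 48))
```
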