Re: Clarifying the qualities we desire the DIGEST-MD5 replacement to have
Kurt Zeilenga <Kurt.Zeilenga@xxxxxxxxx> writes:
> A question came up off-list which I think needs to be explicitly
> addressed in the charter text.
> Will the mechanism provide a security layer?
>
> From list discussions, I think the answer is:
> The replacement mechanism is expected not to provide a security layer
> itself, instead rely on security services provided at a lower layer
> (e.g., TLS) and channel bindings.
>
> I recommend inserting this sentence just before "The WG is expected to
> strike..." and deleting the "channel binding" quality.

+1

> Also, as it is desirable to have a shorter list of qualities, I also
> recommend deleting "algorithm agility" and "minimal roundtrips"
> qualities.

I think crypto algorithm agility may be more harmful than useful, so +1.
SASL itself is crypto agile anyway.

/Simon

> Comments?
>
> -- Kurt
>
> On Mar 31, 2008, at 2:07 PM, Kurt Zeilenga wrote:
>>
>> I think the proposed charter text concerning DIGEST-MD5 to
>> historic/replacement should be replaced with something like:
>>
>> The group has determined that DIGEST-MD5 (RFC2831) is not suitable
>> for progression on the Standards Track due to interoperability,
>> internationalization, and security concerns. The group will deliver
>> a technical specification for a suitable password-based
>> challenge/response replacement mechanism for Standard Track
>> consideration. The replacement mechanism is expected to be "better
>> than" DIGEST-MD5 from a number of perspectives including
>> interoperability, internationalization, and security. The WG is
>> expected to strike a consensus-supported balance between the many
>> qualities desired in the replacement. Desired qualities include (but
>> are not limited to):
>> - Use of well understood and broadly-implemented algorithms
>> (e.g., HMAC, SHA1),
>> - Algorithm agility,
>> - Negotiated key hardening iteration count,
>> - Downgrade attack protection,
>> - Mutual authentication,
>> - Internationalized,
>> - Channel Binding,
>> - Minimal Roundtrips.
>> The group intends to consider a number of approaches, including
>> draft-newman-auth-scam and draft-josefsson-password-auth, as input.
>> Additionally, the WG will deliver a document summarizing its
>> DIGEST-MD5 concerns and requesting RFC 2831 be moved to Historic
>> status. The WG intends to use draft-melnikov-digest-to-historic for
>> a starting point for this document.
>>
>> For those wanting to know more about the WG direction here, I would
>> guess they first read Alexey's draft, then read Chris's draft and the
>> WG list discussion regarding desired qualities in the replacement.
>>
>> Anyways, comments on this suggested text? Any suggested
>> additions/deletions to the list of desired qualities?
>> (For suggested additions, please offer text for the WG to consider.)
>>
>> -- Kurt
>>