[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security

To: ietf-sasl@xxxxxxx
Subject: Re: Security
From: "Frank Ellermann" <nobody@xxxxxxxxxxxxxxxxx>
Date: Tue, 12 Aug 2008 21:54:55 +0200
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
Organization: <http://purl.net/xyzzy>
References: <ldvlki6dqqu.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxx> <45F856F1.2B56@xxxxxxxxxxxxxxxxx> <19A01BBB-9BF4-4D49-8B2A-AA911B93EF7C@xxxxxxxxx> <87y732a7dc.fsf@xxxxxxxxxxxxxxxxxxx> <57EA1E30-54A9-4E13-98CC-944EE79AC633@xxxxxxxxx> <87proe6sxm.fsf@xxxxxxxxxxxxxxxxxxx> <F417C7F5-4066-4E20-B9EF-F6BEA1DA68A0@xxxxxxxxx>
Reply-to: "Frank Ellermann" <hmdmhdfmhdjmzdtjmzdtzktdkztdjz@xxxxxxxxx>
Sender: owner-ietf-sasl@xxxxxxxxxxxx

Kurt Zeilenga wrote:

  [TLS]
>> That places restrictions on specifications, not implementations,
>> which is somewhat weird, but CRAM-MD5 could do the same.  That
>> is what I propose to do.

> I personally think such a change would be good.   I feel that TLS
> recommendations to protect CRAM-MD5 ought to be the same as those
> we made for the TLS protection of PLAIN.

Could work.  What about existing protocols, has this to be limited
to future specifications ?  Normally we say "SHOULD" when we mean
"old stuff has a good excuse, its old".  IIRC there are a two old
protocols with a mandatory CRAM-MD5, one of them (on demand relay)
won't be updated anytime soon, if ever.

  [i18n]
>> SHOULD has worked fine for PLAIN, so I disagree.
> 
> It works fine because of PLAIN's design.  The party, the server, is  
> preparing both the presented and stored strings.   In CRAM-MD5, two  
> parties need to agree on the preparation on what preparation to use  
> for things to work properly.

I don't get this point.  A new user creating an account picks a
free userid, and a password.  The details can vary, one way is
online in a Web form.  If the server can note these credentials
for PLAIN, it can also note it for CRAM-MD5 or other mechanisms,
in any required format(s), even the somewhat odd "APR1" format.

In what way is the design of PLAIN different ?  Like CRAM-MD5 it
sends the userid as plain text.  

 Frank

Follow-Ups:
- Re: Security
  - From: Kurt Zeilenga
- Re: Security
  - From: Jeffrey Hutzelman

References:
- WG Last Call: draft-ietf-sasl-crammd5-08.txt
  - From: Tom Yu
- Security (was: WG Last Call: draft-ietf-sasl-crammd5-08.txt)
  - From: Frank Ellermann
- Re: Security (was: WG Last Call: draft-ietf-sasl-crammd5-08.txt)
  - From: Kurt Zeilenga
- Re: Security
  - From: Simon Josefsson
- Re: Security
  - From: Kurt Zeilenga
- Re: Security
  - From: Simon Josefsson
- Re: Security
  - From: Kurt Zeilenga

Prev by Date: Re: Security
Next by Date: Re: Random data
Previous by thread: Re: Security
Next by thread: Re: Security
Index(es):
- Date
- Thread