Re: Security
Kurt Zeilenga <Kurt.Zeilenga@xxxxxxxxx> writes:
>>>> None of the arguments made in the document would still stand against
>>>> that construct (I think). What is puzzling is that the document
>>>> already appears to strongly suggest use of TLS and UTF-8 and
>>>> SASLprep, so I think we have already solved the security and
>>>> interoperability problem inherent in the old CRAM-MD5 specification.
>>>
>>> I don't believe the SHOULDs are adequate to ensure independently
>>> developed interoperability.
>>
>> SHOULD has worked fine for PLAIN, so I disagree.
>
> It works fine because of PLAIN's design. The party, the server, is
> preparing both the presented and stored strings. In CRAM-MD5, two
> parties need to agree on what preparation to use for things to work
> properly.
Ah, I understand your objection now.
Given that RFC 2195 appears to be ASCII only, I don't see a problem with
extending it to UTF-8 in a revised version and mandating that with a
SHOULD or MUST, though. If some client/server uses some other mechanism
to send non-ASCII, they weren't following the RFC anyway.
/Simon
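The difference the thread turns on, as an added example that is not part of the thread and not code from any SASL implementation: in CRAM-MD5 the client and the server each key an HMAC-MD5 with their own copy of the password, so the server only ever sees a digest and cannot repair a mismatch in string preparation; in PLAIN the server holds both strings and applies one preparation rule to both. The example uses Unicode NFC normalization as a stand-in for SASLprep (an assumption; SASLprep also maps, prohibits and bidi-checks characters), a constructed RFC 2195-style challenge, and the password "café" entered once precomposed and once with a combining accent.

```python
import hashlib
import hmac
import unicodedata
from typing import Optional

# Constructed challenge in the style of RFC 2195 (not taken from the thread).
CHALLENGE = b"<1896.697170952@postoffice.example.net>"

# Stand-in for SASLprep: plain Unicode NFC normalization. This is an
# assumption of the example, chosen because it is enough to show why both
# parties must apply the same preparation for a keyed digest to match.
PREP = "NFC"


def prepare(password: str, form: Optional[str]) -> str:
    """Apply a Unicode normalization form, or none (form=None) to mimic a
    peer that skips preparation entirely."""
    return unicodedata.normalize(form, password) if form else password


def cram_md5_digest(password: str, challenge: bytes, form: Optional[str]) -> str:
    """Keyed digest from RFC 2195: HMAC-MD5 keyed by the (prepared, UTF-8
    encoded) password over the server challenge, as lowercase hex.
    The real response also carries the username; it is omitted here."""
    key = prepare(password, form).encode("utf-8")
    return hmac.new(key, challenge, hashlib.md5).hexdigest()


def cram_md5_verifies(stored: str, presented: str, challenge: bytes,
                      client_form: Optional[str],
                      server_form: Optional[str]) -> bool:
    """Client and server each prepare their own copy of the password and
    compute the digest independently. The server can only compare digests,
    so any disagreement about preparation makes authentication fail."""
    from_client = cram_md5_digest(presented, challenge, client_form)
    expected = cram_md5_digest(stored, challenge, server_form)
    return hmac.compare_digest(from_client, expected)


def plain_verifies(stored: str, presented: str, server_form: str) -> bool:
    """PLAIN sends the password itself, so the server prepares both the
    stored and the presented string with one rule and compares them."""
    return prepare(stored, server_form) == prepare(presented, server_form)


if __name__ == "__main__":
    # Same password typed two ways: precomposed e-acute vs. e + combining acute.
    stored = "caf\u00e9"
    presented = "cafe\u0301"
    print("CRAM-MD5, neither side prepares:",
          cram_md5_verifies(stored, presented, CHALLENGE, None, None))   # False
    print("CRAM-MD5, client NFD, server NFC:",
          cram_md5_verifies(stored, presented, CHALLENGE, "NFD", PREP))  # False
    print("CRAM-MD5, both sides NFC:",
          cram_md5_verifies(stored, presented, CHALLENGE, PREP, PREP))   # True
    print("PLAIN, server prepares both:",
          plain_verifies(stored, presented, PREP))                       # True
```

The two failing CRAM-MD5 cases are the interoperability problem Kurt describes: nothing in the exchange lets the server detect that the client merely normalized differently rather than typed a wrong password, which is why a mandatory, shared preparation step matters more for a challenge-response mechanism than for PLAIN.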