[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security

To: Simon Josefsson <simon@xxxxxxxxxxxxx>
Subject: Re: Security
From: Hallvard B Furuseth <h.b.furuseth@xxxxxxxxxxx>
Date: Wed, 13 Aug 2008 07:12:09 +0200
Cc: Kurt Zeilenga <Kurt.Zeilenga@xxxxxxxxx>, Frank Ellermann <nobody@xxxxxxxxxxxxxxxxx>, ietf-sasl@xxxxxxx
In-reply-to: <87tzdp690e.fsf@xxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
References: <ldvlki6dqqu.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxx> <45F856F1.2B56@xxxxxxxxxxxxxxxxx> <19A01BBB-9BF4-4D49-8B2A-AA911B93EF7C@xxxxxxxxx> <87y732a7dc.fsf@xxxxxxxxxxxxxxxxxxx> <57EA1E30-54A9-4E13-98CC-944EE79AC633@xxxxxxxxx> <87proe6sxm.fsf@xxxxxxxxxxxxxxxxxxx> <F417C7F5-4066-4E20-B9EF-F6BEA1DA68A0@xxxxxxxxx> <87tzdp690e.fsf@xxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-sasl@xxxxxxxxxxxx

Simon Josefsson writes:
> Kurt Zeilenga <Kurt.Zeilenga@xxxxxxxxx> writes:
>>> SHOULD has worked fine for PLAIN, so I disagree.
>>
>> It works fine because of PLAIN's design.  The party, the server, is
>> preparing both the presented and stored strings.   In CRAM-MD5, two
>> parties need to agree on the preparation on what preparation to use
>> for things to work properly.
>
> Ah, I understand your objection now.
>
> Given that RFC 2195 appears to be ASCII only, I don't see a problem with
> extending it to UTF-8 in a revised version and mandate that using a
> SHOULD or MUST though.

It doesn't say the password is ASCII, only that the digest being
sent is.  Authentication breaks if the password is UTF-8, one
protocol peer SASLpreps it, and the other does not.

OTOH it also breaks if the password is Latin-1, one peer translates to
UTF-8, and the other does not.  "MUST use UTF8/SASLprep" in practice
implies "client and whoever creates server secret MUST know which
character encoding is in use, so it can translate to UTF-8 if needed".
Simple solutions to that would be to reject 8-bit input or make it the
user's problem and expect UTF-8 input, of course.

-- 
Hallvard

Follow-Ups:
- Re: Security
  - From: Simon Josefsson

References:
- WG Last Call: draft-ietf-sasl-crammd5-08.txt
  - From: Tom Yu
- Security (was: WG Last Call: draft-ietf-sasl-crammd5-08.txt)
  - From: Frank Ellermann
- Re: Security (was: WG Last Call: draft-ietf-sasl-crammd5-08.txt)
  - From: Kurt Zeilenga
- Re: Security
  - From: Simon Josefsson
- Re: Security
  - From: Kurt Zeilenga
- Re: Security
  - From: Simon Josefsson
- Re: Security
  - From: Kurt Zeilenga
- Re: Security
  - From: Simon Josefsson

Prev by Date: Re: Random data
Next by Date: Re: Random data
Previous by thread: Re: Security
Next by thread: Re: Security
Index(es):
- Date
- Thread