RE: Security
Lots of snips in what's quoted below, but I agree with Sam, and add that if CRAM-MD5 doesn't have channel binding capabilities, then the weaknesses he cites _can not_ be fixed by using TLS. (As recent DefCon talks have shown with other protocols.)
-----Original Message-----
From: owner-ietf-sasl@xxxxxxxxxxxx [mailto:owner-ietf-sasl@xxxxxxxxxxxx] On Behalf Of Simon Josefsson
Sent: Wednesday, August 13, 2008 9:19 AM
To: Sam Hartman
Cc: Kurt Zeilenga; Frank Ellermann; ietf-sasl@xxxxxxx
Subject: Re: Security
Sam Hartman <hartmans-ietf@xxxxxxx> writes:
>
> However for challenge/response mechanisms we can get mutual
> authentication and tie the mutual authentication to integrity
> protection and/or confidentiality. Since cram-md5 does not support
> these capabilities either through security layers or channel binding,
> I do not think it should be updated on the standards track.
>
We disagree on the principle here. Merely because there are known
vulnerabilities (which can be fixed by using TLS), that shouldn't
prevent something from going on the standards track...
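An added illustration of the channel-binding point argued in this thread, not code from any participant or from the CRAM-MD5 specification: the CRAM-MD5 digest covers only the server challenge, so it verifies regardless of which TLS session carried it, while a response that also covers a channel identifier verifies only on the channel it was computed for. `bound_response` is a hypothetical variant written for this comparison, and the password, challenge and channel identifiers are constructed values.

```python
import hashlib
import hmac


def cram_md5_response(password: bytes, challenge: bytes) -> str:
    """CRAM-MD5 digest: HMAC-MD5 keyed with the password over the challenge only."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()


def bound_response(password: bytes, challenge: bytes, channel_id: bytes) -> str:
    """Hypothetical variant (NOT CRAM-MD5): the MAC also covers a channel identifier."""
    # Length-prefix the challenge so the two fields cannot be confused.
    msg = len(challenge).to_bytes(4, "big") + challenge + channel_id
    return hmac.new(password, msg, hashlib.md5).hexdigest()


def server_accepts_plain(password: bytes, challenge: bytes, response: str) -> bool:
    """Server-side check for CRAM-MD5: the server's own channel plays no part."""
    return hmac.compare_digest(cram_md5_response(password, challenge), response)


def server_accepts_bound(password: bytes, challenge: bytes,
                         server_channel_id: bytes, response: str) -> bool:
    """Server-side check for the bound variant, using the server's view of the channel."""
    expected = bound_response(password, challenge, server_channel_id)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"constructed-password"             # constructed sample secret
    challenge = b"<1234.5678@mail.example.org>"    # constructed server challenge
    # Constructed identifiers for two distinct TLS sessions: the one the client
    # believes it is using, and the one the server actually terminates.
    client_channel = b"tls-session-A"
    server_channel = b"tls-session-B"

    plain = cram_md5_response(password, challenge)
    bound = bound_response(password, challenge, client_channel)
    return {
        # Plain digest verifies even though the two channels differ.
        "plain_accepted_on_other_channel":
            server_accepts_plain(password, challenge, plain),
        # Bound digest fails when the server's channel is not the client's.
        "bound_accepted_on_other_channel":
            server_accepts_bound(password, challenge, server_channel, bound),
        # Bound digest verifies when both ends share one channel.
        "bound_accepted_on_same_channel":
            server_accepts_bound(password, challenge, client_channel, bound),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```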