
Re: Security



>>>>> "Frank" == Frank Ellermann <nobody@xxxxxxxxxxxxxxxxx> writes:

    Frank> Sam Hartman wrote:
 
    >> However for challenge/response mechanisms we can get mutual
    >> authentication and tie the mutual authentication to integrity
    >> protection and/or confidentiality.

    Frank> As far as DIGEST-MD5 was an attempt to offer these features
    Frank> folks here apparently decided to give up on it, because
    Frank> there was no big demand for these features, and
    Frank> interoperability was lousy.  Maybe this is a hen and egg
    Frank> problem, but whatever the DIGEST-MD5 problems might be,
    Frank> they're no bugs in CRAM-MD5.

And decided to pursue channel binding rather than security layers.
Personally I'm happy with either channel binding or security layers, but think one is required.

    >> I do believe that cram-md5's mechanisms for converting a
    >> password into a key are weaker than is currently accepted
    >> security practice.

    Frank> Then propose something better than HMAC, 

My problem is not with HMAC, but with the lack of PBKDF2.  Note that I
am acting on my proposals by contributing to scram.
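To make the two points in this thread concrete (mutual authentication tied to the exchange, and the password-to-key step), here is an added example that is not part of this message nor code from the SASL working group or SCRAM. It computes a CRAM-MD5 response as in RFC 2195, where the raw password is the HMAC key and the server must hold the password, and beside it a SCRAM-SHA-256 style exchange in the shape of RFC 5802 / RFC 7677: PBKDF2 turns the password into SaltedPassword, the server stores only StoredKey and ServerKey, and the ServerSignature lets the client verify the server. The salt, iteration count and AuthMessage bytes are constructed for the demo, not taken from any real exchange.

```python
import hashlib
import hmac

# --- CRAM-MD5 (RFC 2195): the password itself is the HMAC key, one HMAC per exchange ---

def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client reply: '<username> <hex HMAC-MD5(password, challenge)>'.
    Verifying it requires the server to hold the plaintext password (or the MD5 context pair)."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(stored_password: str, username: str, challenge: bytes, response: str) -> bool:
    expected = cram_md5_response(username, stored_password, challenge)
    return hmac.compare_digest(expected, response)


# --- SCRAM-SHA-256 (RFC 5802 / RFC 7677): PBKDF2 salted password, derived keys, mutual auth ---

# Constructed fixed salt and iteration count so the example is reproducible.
SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")
ITERATIONS = 4096


def scram_salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Hi(password, salt, i) from RFC 5802 is PBKDF2 with HMAC-SHA-256 and dkLen = 32:
    every password guess against a captured exchange costs `iterations` HMACs, not one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def scram_keys(salted_password: bytes) -> tuple[bytes, bytes, bytes]:
    client_key = hmac.new(salted_password, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted_password, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def scram_enroll(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> dict:
    """What the server stores: salt, iteration count, StoredKey, ServerKey.
    Neither the password nor ClientKey is kept, so a copied record cannot be replayed as a client."""
    _, stored_key, server_key = scram_keys(scram_salted_password(password, salt, iterations))
    return {"salt": salt, "iterations": iterations, "stored_key": stored_key, "server_key": server_key}


def scram_client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, stored_key, _ = scram_keys(scram_salted_password(password, salt, iterations))
    return xor_bytes(client_key, hmac.new(stored_key, auth_message, hashlib.sha256).digest())


def scram_server_verify(record: dict, auth_message: bytes, client_proof: bytes) -> bool:
    """Server recovers ClientKey from the proof and checks H(ClientKey) == StoredKey."""
    signature = hmac.new(record["stored_key"], auth_message, hashlib.sha256).digest()
    recovered_client_key = xor_bytes(client_proof, signature)
    return hmac.compare_digest(hashlib.sha256(recovered_client_key).digest(), record["stored_key"])


def scram_server_signature(record: dict, auth_message: bytes) -> bytes:
    """ServerSignature = HMAC(ServerKey, AuthMessage): proves the server holds ServerKey."""
    return hmac.new(record["server_key"], auth_message, hashlib.sha256).digest()


def scram_client_verify_server(password: str, salt: bytes, iterations: int,
                               auth_message: bytes, server_signature: bytes) -> bool:
    """Client side of mutual authentication: recompute ServerSignature from the password."""
    _, _, server_key = scram_keys(scram_salted_password(password, salt, iterations))
    expected = hmac.new(server_key, auth_message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, server_signature)


def scram_exchange(record: dict, client_password: str, auth_message: bytes) -> tuple[bool, bool]:
    """Full round trip; returns (server accepted client, client accepted server)."""
    salt, iterations = record["salt"], record["iterations"]
    proof = scram_client_proof(client_password, salt, iterations, auth_message)
    server_ok = scram_server_verify(record, auth_message, proof)
    # A real server stops on failure; the signature is still computed here to show the client's view.
    sig = scram_server_signature(record, auth_message)
    client_ok = scram_client_verify_server(client_password, salt, iterations, auth_message, sig)
    return server_ok, client_ok


# AuthMessage is the concatenation of the SCRAM messages carrying both nonces, the salt and the
# channel-binding flag ("c=biws" = no channel binding). Constructed literal for the demo.
AUTH_MESSAGE = (b"n=user,r=clientnonce,"
                b"r=clientnonceservernonce,s=ASNFZ4mrze8BI0VniavN7w==,i=4096,"
                b"c=biws,r=clientnonceservernonce")

if __name__ == "__main__":
    record = scram_enroll("pencil")
    print(scram_exchange(record, "pencil", AUTH_MESSAGE))    # correct password: both sides accept
    print(scram_exchange(record, "pencils", AUTH_MESSAGE))   # wrong password: both sides reject
```

Because the nonces sit inside AuthMessage, both the ClientProof and the ServerSignature are bound to this one exchange, which is the "tie the mutual authentication to the exchange" property; channel binding extends the same AuthMessage with data from the TLS channel. Because the server record holds StoredKey rather than ClientKey, a leaked record does not let an impostor log in as the client, whereas a CRAM-MD5 server must keep a password-equivalent.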