Re: Security
>>>>> "Simon" == Simon Josefsson <simon@xxxxxxxxxxxxx> writes:
Simon> A more interesting discussion seems to be: Assuming the
Simon> document recommends CRAM-MD5+TLS sufficiently well (similar
Simon> to the wording in the PLAIN document), would such a
Simon> document be acceptable to put on the Standards Track and
Simon> with the applicability of COMMON?
Simon> If that is not the WG consensus, it would be clearer to
Simon> abandon the current CRAM-MD5 specification and produce a
Simon> "Moving CRAM-MD5 to Historic" document.
I don't see this point at all.
I actually think publishing the current cram-md5 as informational with limited recommended deployment would be a good step forward.
I certainly prefer abandoning cram-md5 to publishing on the standards track.
Simon> However, I believe CRAM-MD5+TLS, with warnings about
Simon> channel binding vulnerabilities, is valuable to have on the
Simon> standards track until there are other solutions that we can
Simon> recommend instead (i.e., GS2+SCRAM).
I disagree as I've stated previously.