[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: WG Last Call: draft-ietf-sasl-scram-02

To: Chris Newman <Chris.Newman@xxxxxxx>, ietf-sasl@xxxxxxx
Subject: Re: WG Last Call: draft-ietf-sasl-scram-02
From: Jeffrey Hutzelman <jhutz@xxxxxxx>
Date: Mon, 27 Jul 2009 10:48:46 -0400
Cc: jhutz@xxxxxxx
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
References: <ldvbpnouhy3.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxx> <>
Sender: owner-ietf-sasl@xxxxxxxxxxxx

--On Monday, July 27, 2009 03:17:20 PM +0200 Chris Newman<Chris.Newman@xxxxxxx> wrote:

Section 10:

  SASL Mechanisms registry.  IANA is requested to prevent future
  registrations of SASL mechanisms starting with SCRAM- without
  consulting the SASL mailing list <ietf-sasl@xxxxxxx> first.


This at least needs to designate a successor review process if
ietf-sasl@xxxxxxx goes away.

I don't think it does. There's plenty of precedent for setting up amailing list as the reviewer; if the list goes away, the IESG can designatea new reviewer.

 I'd also prefer the document enumerate
principles for when to allow registration.  Personally, I consider
undesirable to have the family be large.  I'd prefer it contain only
SCRAM-SHA-1, and in the future SCRAM-SHA-3 (with the -PLUS variants).

I agree the growth rate should be small, and mostly related to theintroduction of successor hashes.

I intend to implement it excluding section 8 and SASLprep.  I will
attempt to implement channel bindings, but it has gotten fairly complex
particularly with all this stuff about different types of channel
bindings.

If you ignore the discussions and look at the result, it's not thatcomplex. Assuming CB is being used, the client tells the server what typeto use. For now the only type is TLS. If you're a server and seesomething else, you can reject it out of hand. If you're a client, have aTLS channel, and succesfully negotiate the use of channel bindingsaccording to the spec, you can assume the server will support TLS.

I am unsure how difficult it will be to add channel binding
support to NSS. In the event I succeed with channel bindings, but
subsequently experience interoperability problems with channel bindings,
I will remove all channel binding support from my implementation.

What this tells me is that you don't consider this an important feature.That's unfortunate, because I consider security to be a very importantfeature, and if implementors won't commit to implementing a securityfeature, we have no chance of getting operators and users to actually useit.


-- Jeff

Follow-Ups:
- Re: WG Last Call: draft-ietf-sasl-scram-02
  - From: Chris Newman
- Re: WG Last Call: draft-ietf-sasl-scram-02
  - From: Simon Josefsson

References:
- WG Last Call: draft-ietf-sasl-scram-02
  - From: Tom Yu
- Re: WG Last Call: draft-ietf-sasl-scram-02
  - From: Chris Newman

Prev by Date: Re: WG Last Call: draft-ietf-sasl-gs2-14
Next by Date: Re: WG Last Call: draft-ietf-sasl-scram-02
Previous by thread: Re: WG Last Call: draft-ietf-sasl-scram-02
Next by thread: Re: WG Last Call: draft-ietf-sasl-scram-02
Index(es):
- Date
- Thread