[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: WG Last Call: draft-ietf-sasl-scram-02

To: Simon Josefsson <simon@xxxxxxxxxxxxx>
Subject: Re: WG Last Call: draft-ietf-sasl-scram-02
From: Alexey Melnikov <alexey.melnikov@xxxxxxxxx>
Date: Fri, 31 Jul 2009 09:48:21 +0200
Cc: Peter Saint-Andre <stpeter@xxxxxxxxxx>, ietf-sasl@xxxxxxx
In-reply-to: <877hxqow3d.fsf@xxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
References: <ldvbpnouhy3.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxx> <4A703964.3090203@xxxxxxxxxx> <4A71D97F.10202@xxxxxxxxxx> <4A71DEA0.7020700@xxxxxxxxx> <877hxqow3d.fsf@xxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-sasl@xxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915


Simon Josefsson wrote:

Alexey Melnikov <alexey.melnikov@xxxxxxxxx> writes:

Peter Saint-Andre wrote:

SECTION 4

Typo: "hashed function" => "hash function"

I think the following text is slightly ambiguous:

 The "-PLUS" suffix is used only when the server supports channel
 binding to the external channel.  In this case the server will
 advertise both, SCRAM-SHA-1 and SCRAM-SHA-1-PLUS, otherwise the
 server will advertise only SCRAM-SHA-1.  The "-PLUS" exists to allow
 negotiation of the use of channel binding.  See Section 6.

This could be read to mean that if a server does not support channel
bindings, then it will advertise only all and only SCRAM-SHA-1 (but
never, say, SCRAM-SHA-256). I think we mean that if a server does not
support channel bindings, then it will advertise only mechanisms of the
form SCRAM-SHA-length and never mechanisms of the form
SCRAM-SHA-length-PLUS (thus not forbidding support for hash functions

other than SHA-1).

Alexey and I talked about this in Stockholm. I suggest the following text:

 The "-PLUS" suffix is used only when the server supports channel
 binding to the external channel.  If the server supports channel
 binding, it will advertise both the "bare" and "plus" versions of
 whatever mechanisms it supports (e.g., if the server supports only
 SCRAM with SHA-1 then it will advertise support for both SCRAM-SHA-1
 and SCRAM-SHA-1-PLUS); if the server does not support channel
 binding, then it will advertise only the "bare" version of the
 mechanism (e.g., only SCRAM-SHA-1).  The "-PLUS" exists to allow
 negotiation of the use of channel binding.  See Section 6.

Ok, this text will be in -04.


Please reassure me that the same change isn't needed in GS2?  I don't
see any normative words above, and as far as I can tell the described
behaviour is already covered by other text in both SCRAM and GS2 anyway.

While I think Peter's text is an improvement, I don't have a strongfeeling on whether you need to add it to GS2.

References:
- WG Last Call: draft-ietf-sasl-scram-02
  - From: Tom Yu
- Re: WG Last Call: draft-ietf-sasl-scram-02
  - From: Peter Saint-Andre
- Re: WG Last Call: draft-ietf-sasl-scram-02
  - From: Peter Saint-Andre
- Re: WG Last Call: draft-ietf-sasl-scram-02
  - From: Alexey Melnikov
- Re: WG Last Call: draft-ietf-sasl-scram-02
  - From: Simon Josefsson

Prev by Date: Re: WG Last Call: draft-ietf-sasl-scram-02
Previous by thread: Re: WG Last Call: draft-ietf-sasl-scram-02
Next by thread: [Editorial Errata Reported] RFC4013 (1812)
Index(es):
- Date
- Thread