Re: WG Last Call: draft-ietf-sasl-scram-02
On 7/30/09 2:37 PM, Simon Josefsson wrote:
> Alexey Melnikov <alexey.melnikov@xxxxxxxxx> writes:
>
>> Peter Saint-Andre wrote:
>>
>>>> SECTION 4
>>>>
>>>> Typo: "hashed function" => "hash function"
>>>>
>>>> I think the following text is slightly ambiguous:
>>>>
>>>> The "-PLUS" suffix is used only when the server supports channel
>>>> binding to the external channel. In this case the server will
>>>> advertise both, SCRAM-SHA-1 and SCRAM-SHA-1-PLUS, otherwise the
>>>> server will advertise only SCRAM-SHA-1. The "-PLUS" exists to allow
>>>> negotiation of the use of channel binding. See Section 6.
>>>>
>>>> This could be read to mean that if a server does not support channel
>>>> bindings, then it will advertise all and only SCRAM-SHA-1 (but
>>>> never, say, SCRAM-SHA-256). I think we mean that if a server does not
>>>> support channel bindings, then it will advertise only mechanisms of the
>>>> form SCRAM-SHA-length and never mechanisms of the form
>>>> SCRAM-SHA-length-PLUS (thus not forbidding support for hash functions
>>>> other than SHA-1).
>>>>
>>>>
>>> Alexey and I talked about this in Stockholm. I suggest the following text:
>>>
>>> The "-PLUS" suffix is used only when the server supports channel
>>> binding to the external channel. If the server supports channel
>>> binding, it will advertise both the "bare" and "plus" versions of
>>> whatever mechanisms it supports (e.g., if the server supports only
>>> SCRAM with SHA-1 then it will advertise support for both SCRAM-SHA-1
>>> and SCRAM-SHA-1-PLUS); if the server does not support channel
>>> binding, then it will advertise only the "bare" version of the
>>> mechanism (e.g., only SCRAM-SHA-1). The "-PLUS" exists to allow
>>> negotiation of the use of channel binding. See Section 6.
>>>
>>>
>> Ok, this text will be in -04.
>
> Please reassure me that the same change isn't needed in GS2? I don't
> see any normative words above, and as far as I can tell the described
> behaviour is already covered by other text in both SCRAM and GS2 anyway.
Do you think that the former text was not ambiguous?
Peter
--
Peter Saint-Andre
https://stpeter.im/
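Added example, not code from the thread or from the SCRAM draft: a small Python model of the advertisement rule in the proposed text (a server offers the bare name for every hash it supports and adds "-PLUS" for all of them only when it can bind to the external channel), a consistency check a reviewer could run over an advertised list, and a client that picks "-PLUS" only when both sides can bind. The hash names used as input and the two boolean flags are assumptions.

```python
import re

# Mechanism names of the form SCRAM-<hash>[-PLUS]; the hash label set is an assumption.
MECH_RE = re.compile(r"^SCRAM-(?P<hash>SHA-[0-9]+)(?P<plus>-PLUS)?$")


def advertised_mechanisms(supported_hashes, server_supports_channel_binding):
    """Server side: advertise SCRAM-<hash> for every supported hash and add the
    -PLUS variant only when channel binding to the external channel is supported."""
    mechs = []
    for h in supported_hashes:
        mechs.append(f"SCRAM-{h}")
        if server_supports_channel_binding:
            mechs.append(f"SCRAM-{h}-PLUS")
    return mechs


def parse_mechanism(name):
    """Return (hash, is_plus) or None for a name that is not a SCRAM mechanism."""
    m = MECH_RE.match(name)
    if not m:
        return None
    return m.group("hash"), m.group("plus") is not None


def check_advertisement(mechs):
    """Consistency check for the proposed rule: every -PLUS name needs its bare
    counterpart, and -PLUS is offered for all advertised hashes or for none."""
    parsed = [parse_mechanism(m) for m in mechs]
    if any(p is None for p in parsed):
        return False
    bare = {h for h, is_plus in parsed if not is_plus}
    plus = {h for h, is_plus in parsed if is_plus}
    return plus <= bare and (not plus or plus == bare)


def choose_mechanism(advertised, client_hashes, client_supports_channel_binding):
    """Client side: prefer the -PLUS form when the client can bind to the external
    channel, otherwise fall back to the bare form. client_hashes is the client's
    preference order (strongest first). Returns (mechanism, channel_binding_used)."""
    offered = set(advertised)
    if client_supports_channel_binding:
        for h in client_hashes:
            if f"SCRAM-{h}-PLUS" in offered:
                return f"SCRAM-{h}-PLUS", True
    # No usable -PLUS variant (or the client cannot bind): use the bare mechanism.
    for h in client_hashes:
        if f"SCRAM-{h}" in offered:
            return f"SCRAM-{h}", False
    return None
```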