Re: [http-auth] AD review of draft-ietf-httpauth-scram-auth-11
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Sat, 28 November 2015 13:07 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F6921AD241 for <http-auth@ietfa.amsl.com>; Sat, 28 Nov 2015 05:07:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lspl50wVwzW4 for <http-auth@ietfa.amsl.com>; Sat, 28 Nov 2015 05:07:56 -0800 (PST)
Received: from mail-qg0-x231.google.com (mail-qg0-x231.google.com [IPv6:2607:f8b0:400d:c04::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BACA31AD218 for <http-auth@ietf.org>; Sat, 28 Nov 2015 05:07:56 -0800 (PST)
Received: by qgcc31 with SMTP id c31so88268933qgc.3 for <http-auth@ietf.org>; Sat, 28 Nov 2015 05:07:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:mime-version:subject:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=FWyUqrJNN6d0E6A2ZqpwC6LWkahBlEYdh4HFCkG7Xjg=; b=tEQS0tEH8F3Pu/uIAZ/Dh5WYs7EJhT7z/d/zp9/WHnuDdQMipbXydHTl4XMWVmBZ8T wCylbFIczoeJ7KS9Bh1IBB6WA3isEJdsji5qhjq0jZCN2WYPiJjOtFTmxG8jT/3z1AWa WyC/Ey79sWTtUZByYm5QmjdKo1KaKURqwuGGYn73Gw16/nzzlJJ/Ag9pfDWHCrQrekdR j5Ka/mlraWqUCVHUMaIXO+Na0rzMzO8Vqk3bJEoAds0WcRBvlrs5unFNyW1MyeEsrG9B h3HS19fPnoKa1lNudM6bbfXnJadqDd4NCdHVaqV2sWGpyGF9o50rjZaV6p8dQYJrb3jK 5N6A==
X-Received: by 10.140.30.101 with SMTP id c92mr9393870qgc.14.1448716075804; Sat, 28 Nov 2015 05:07:55 -0800 (PST)
Received: from [172.20.3.0] ([65.200.157.66]) by smtp.gmail.com with ESMTPSA id e184sm11288131qkb.40.2015.11.28.05.07.54 (version=TLSv1/SSLv3 cipher=OTHER); Sat, 28 Nov 2015 05:07:54 -0800 (PST)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
X-Google-Original-From: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
X-Mailer: iPhone Mail (12H143)
In-Reply-To: <E7B9E401-C90E-4FDE-8CBD-314B8ABED419@isode.com>
Date: Sat, 28 Nov 2015 08:07:53 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <4CB29550-A4A1-4542-8629-E717920E6D68@gmail.com>
References: <CAHbuEH5LqnaYLUvu5qutjN4TbzjGKkmg65B9VCnN0mjDKt=F-Q@mail.gmail.com> <E7B9E401-C90E-4FDE-8CBD-314B8ABED419@isode.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/pUiKObtEwhDJR3EA-BJFmNiSFDg>
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] AD review of draft-ietf-httpauth-scram-auth-11
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Nov 2015 13:07:58 -0000
Hi Alexey, Thanks for your quick response! Inline. Sent from my iPhone > On Nov 28, 2015, at 8:02 AM, Alexey Melnikov <alexey.melnikov@isode.com> wrote: > > Hi Kathleen, > Thank you for your review comments. > >> On 27 Nov 2015, at 23:55, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote: >> >> Hi Alexey, >> >> Thank you for your work on this draft! >> >> Question/Request: >> >> I'd lie to see more text in the security considerations section on >> SHA-1, limiting it's use and warning against it unless necessary. The >> Section 5, note on why SCRAM-SHA-1 is registered is helpful, but I >> don't think it's enough. It looks like this comment (recommendation >> to not support SHA-1) came up in WGLC as well. Additional text in the >> security considerations on why it should not be used and that it is >> here only in support of a couple of specific use cases will help. I'm >> sure this will come up again in IETF last call unless addressed. > > Ok. > >> Nits: >> Abstract: >> Up to you, but removing the word secure might be good since the only >> thing secure about it is the session encryption protecting the >> authentication: >> >> Change from: >> >> The secure authentication mechanism most widely deployed and used by >> Internet application protocols is the transmission of clear-text >> passwords over a channel protected by Transport Layer Security (TLS). >> >> To: >> >> The authentication mechanism most widely deployed and used by >> Internet application protocols is the transmission of clear-text >> passwords over a channel protected by Transport Layer Security (TLS). > > Yes, I will change. > >> In the abstract, digest method has it's issues too that are well >> documented in the RFC published by this WG. I'll let that go though. > > SCRAM was created in response to Digest, so some text is appropriate. Yes, I thought it sounded to rosie for digest in the abstract. > >> 2. In a few places, a sentence ends, but there is a space before the >> ending period. I'm sure the RFC editor would catch this, but it would >> be better to resolve before it gets that far. Her is an example from >> section 5: >> >> * a header consisting of a flag indicating whether channel >> binding is supported-but-not-used, not supported, or used . > > Probably because of comments in XML. I think these would be stripped by RFC Editor. Sounds good. > >> 3. Security Considerations >> >> The first sentence should be a bit more explicit on what "security >> layer" is being referred to, although the example helps. > > Right, this is a SASL term. > >> How about a >> change from: >> "If the authentication exchange is performed without a strong security >> layer (such as TLS with data confidentiality)," >> To: "If the authentication exchange is performed without strong >> session encryption (such as TLS with data confidentiality), " > > Yes, something like this works. Thanks. > >> 4. Security Considerations: >> It's safe to remove the last instance of the word "negotiation" in the >> following sentence: >> "SCRAM does not negotiate a hash function to use. Hash function >> negotiation is left to the HTTP authentication mechanism negotiation." > > This is saying that SCRAM itself doesn't negotiate a hash function to use, each SCRAM mechanism is tied to a specific hash function, as the hash function is encoded in the HTTP authentication mechanism name. I don't have a strong preference, but I think your suggested version is slightly less clear on that. Either way, I expect RFC Editor to pick up on this! It's just a nit, so either way is fine. Thank you, Kathleen > > Best Regards, > Alexey >
- [http-auth] AD review of draft-ietf-httpauth-scra… Kathleen Moriarty
- Re: [http-auth] AD review of draft-ietf-httpauth-… Alexey Melnikov
- Re: [http-auth] AD review of draft-ietf-httpauth-… Kathleen Moriarty