Re: [http-auth] I-D Action: draft-ietf-httpauth-scram-auth-09.txt

Tony Hansen <tony@att.com> Fri, 13 November 2015 16:25 UTC

Return-Path: <tony@att.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 610651AD35D for <http-auth@ietfa.amsl.com>; Fri, 13 Nov 2015 08:25:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level:
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EgPEou_Q1DX4 for <http-auth@ietfa.amsl.com>; Fri, 13 Nov 2015 08:25:27 -0800 (PST)
Received: from mx0a-00191d01.pphosted.com (mx0a-00191d01.pphosted.com [67.231.149.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4DE91AD363 for <http-auth@ietf.org>; Fri, 13 Nov 2015 08:25:27 -0800 (PST)
Received: from pps.filterd (m0049295.ppops.net [127.0.0.1]) by m0049295.ppops.net-00191d01. (8.15.0.59/8.15.0.59) with SMTP id tADGLaLT025111 for <http-auth@ietf.org>; Fri, 13 Nov 2015 11:25:27 -0500
Received: from alpi154.enaf.aldc.att.com (sbcsmtp6.sbc.com [144.160.229.23]) by m0049295.ppops.net-00191d01. with ESMTP id 1y1e5ds9gj-1 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <http-auth@ietf.org>; Fri, 13 Nov 2015 11:25:27 -0500
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id tADGPQC3018800 for <http-auth@ietf.org>; Fri, 13 Nov 2015 11:25:26 -0500
Received: from alpi132.aldc.att.com (alpi132.aldc.att.com [130.8.217.2]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id tADGPGXv018663 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <http-auth@ietf.org>; Fri, 13 Nov 2015 11:25:21 -0500
Received: from alpi153.aldc.att.com (alpi153.aldc.att.com [130.8.42.31]) by alpi132.aldc.att.com (RSA Interceptor) for <http-auth@ietf.org>; Fri, 13 Nov 2015 16:25:02 GMT
Received: from aldc.att.com (localhost [127.0.0.1]) by alpi153.aldc.att.com (8.14.5/8.14.5) with ESMTP id tADGP29h004898 for <http-auth@ietf.org>; Fri, 13 Nov 2015 11:25:02 -0500
Received: from mailgw1.maillennium.att.com (maillennium.att.com [135.25.114.99]) by alpi153.aldc.att.com (8.14.5/8.14.5) with ESMTP id tADGOvPO004579 for <http-auth@ietf.org>; Fri, 13 Nov 2015 11:24:57 -0500
Received: from tonys-macbook-pro.local (unknown[135.110.241.190](untrusted sender)) by maillennium.att.com (mailgw1) with ESMTP id <20151113162456gw100dvbj0e>; Fri, 13 Nov 2015 16:24:56 +0000
X-Originating-IP: [135.110.241.190]
To: Alexey Melnikov <alexey.melnikov@isode.com>, http-auth@ietf.org
References: <20151113154417.28110.68680.idtracker@ietfa.amsl.com> <5646068C.8020602@isode.com>
From: Tony Hansen <tony@att.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <56460ED6.9050304@att.com>
Date: Fri, 13 Nov 2015 11:24:54 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <5646068C.8020602@isode.com>
Content-Type: multipart/alternative; boundary="------------000508030407040808030504"
X-RSA-Inspected: yes
X-RSA-Classifications: public
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2015-11-13_14:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1507310000 definitions=main-1511130275
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/rNMukSfFBzHC2_NMyeXROyMmSoI>
Subject: Re: [http-auth] I-D Action: draft-ietf-httpauth-scram-auth-09.txt
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2015 16:25:34 -0000

On 11/13/15 10:49 AM, Alexey Melnikov wrote:
> On 13/11/2015 15:44, internet-drafts@ietf.org wrote:
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-httpauth-scram-auth/
>>
>> There's also a htmlized version available at:
>> https://tools.ietf.org/html/draft-ietf-httpauth-scram-auth-09
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-httpauth-scram-auth-09
> I've updated the draft to address all comments from Tony and Simon.
>
> I discovered that examples were mistakenly saying "SCRAM-SHA-1", where
> they should have said "SCRAM-SHA-256". Oops.
>
> I also added a note saying that SCRAM-SHA-1 is registered, but not
> recommended. I hope this is Ok.

Thank you Alexey. It's getting much better. I agree with your direction
on not recommending SHA-1.

There is still a visible [CREF] within section 5.1:

   [[CREF1: Should some counter be added
   to make "sr" unique for each reauth?]]


Some minor grammar nits in 8 Security:

change
   ...  SCRAM
   allows to increase the iteration count over time in order to slow
   down the above attacks.  ...  An external security layer with
   strong encryption will prevent these attack.

to
   ...  SCRAM
   allows the server to increase the iteration count over time in order to slow
   down the above attacks.  ...  An external security layer with
   strong encryption will prevent these attacks.
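The two technical points above (the proof must be bound to a fresh nonce on every authentication, and the iteration count is the only knob that slows an offline attack on a stolen verifier) are easier to see in code. The following is an added worked example, not text or code from the draft or from Tony/Alexey; it implements the RFC 5802 formulas with SHA-256 as in RFC 7677 (Hi() is PBKDF2 with HMAC-SHA-256), and the username, nonces, salt and passwords are constructed sample values. It shows what a server stores at enrollment, the client proof / server signature computation, that a captured proof is rejected when the server nonce changes, and why each offline guess against a stolen record costs one full Hi().

```python
"""SCRAM-SHA-256 key derivation, proof verification, replay check and offline-guess cost.

Added worked example (not the draft's code). Formulas follow RFC 5802 with the
SHA-256 hash of RFC 7677. Salt, nonces, username and passwords below are constructed.
"""
import base64
import hashlib
import hmac
import os

HASH = "sha256"


def h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def hmac_(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    # RFC 5802 Hi(str, salt, i) is PBKDF2 with HMAC as the PRF and dkLen = hash output size.
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations, hashlib.new(HASH).digest_size)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(password: str, iterations: int, salt: bytes = None) -> dict:
    """What the server keeps: salt, i, StoredKey, ServerKey. The password and
    SaltedPassword are discarded, so raising i later means re-enrolling the
    user (the server cannot re-derive the keys from StoredKey on its own)."""
    salt = salt if salt is not None else os.urandom(16)
    salted = hi(password.encode("utf-8"), salt, iterations)
    return {
        "salt": salt,
        "i": iterations,
        "stored_key": h(hmac_(salted, b"Client Key")),
        "server_key": hmac_(salted, b"Server Key"),
    }


def auth_message(user: str, c_nonce: str, s_nonce: str, salt: bytes, iterations: int) -> bytes:
    """AuthMessage := client-first-message-bare , server-first-message ,
    client-final-message-without-proof. Both nonces are bound in here."""
    client_first_bare = f"n={user},r={c_nonce}"
    server_first = f"r={c_nonce}{s_nonce},s={base64.b64encode(salt).decode()},i={iterations}"
    client_final_no_proof = f"c=biws,r={c_nonce}{s_nonce}"  # c=biws is base64("n,,"): no channel binding
    return ",".join((client_first_bare, server_first, client_final_no_proof)).encode("utf-8")


def client_proof(password: str, auth_msg: bytes, salt: bytes, iterations: int) -> bytes:
    """ClientProof := ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac_(salted, b"Client Key")
    return xor(client_key, hmac_(h(client_key), auth_msg))


def server_verify(record: dict, auth_msg: bytes, proof: bytes):
    """Server side: unmask ClientKey from the proof and check H(ClientKey) == StoredKey.
    Returns ServerSignature (the v= value) on success, None on failure."""
    client_key = xor(proof, hmac_(record["stored_key"], auth_msg))
    if not hmac.compare_digest(h(client_key), record["stored_key"]):
        return None
    return hmac_(record["server_key"], auth_msg)


def client_verify_server(password: str, auth_msg: bytes, salt: bytes, iterations: int,
                         server_sig: bytes) -> bool:
    """Client side: mutual authentication, ServerSignature := HMAC(ServerKey, AuthMessage)."""
    salted = hi(password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(hmac_(hmac_(salted, b"Server Key"), auth_msg), server_sig)


def run_exchange(password_at_client: str, record: dict, user: str, c_nonce: str, s_nonce: str):
    """One full exchange. Returns (server_accepted, client_trusts_server, proof)."""
    msg = auth_message(user, c_nonce, s_nonce, record["salt"], record["i"])
    proof = client_proof(password_at_client, msg, record["salt"], record["i"])
    sig = server_verify(record, msg, proof)
    if sig is None:
        return False, False, proof
    trusts = client_verify_server(password_at_client, msg, record["salt"], record["i"], sig)
    return True, trusts, proof


def replay_accepted(record: dict, user: str, c_nonce: str, new_s_nonce: str, old_proof: bytes) -> bool:
    """Attacker replays a captured proof after the server issued a fresh nonce."""
    msg = auth_message(user, c_nonce, new_s_nonce, record["salt"], record["i"])
    return server_verify(record, msg, old_proof) is not None


def offline_guess(record: dict, wordlist):
    """The attack Section 8 warns about: with a stolen record, every guess costs one
    Hi() of record['i'] PBKDF2 iterations, which is why i should only ever go up."""
    for guess in wordlist:
        salted = hi(guess.encode("utf-8"), record["salt"], record["i"])
        if hmac.compare_digest(h(hmac_(salted, b"Client Key")), record["stored_key"]):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample values; not RFC test vectors.
    rec = enroll("correct horse", 4096, salt=bytes.fromhex("00112233445566778899aabbccddeeff"))
    print("good password:", run_exchange("correct horse", rec, "alice", "cN1", "sN1")[:2])
    print("bad password: ", run_exchange("wrong", rec, "alice", "cN1", "sN1")[:2])
```

The replay check is the practical reason behind the [CREF1] question: whatever value the server contributes on a reauthentication has to be fresh, because the proof is only as unreplayable as the AuthMessage it is computed over. The `offline_guess` loop is the "above attacks" of Section 8; a higher `i` multiplies the attacker's cost per guess linearly, and because the server holds only StoredKey and ServerKey, moving a user to a higher count requires a re-enrollment rather than a server-side rehash.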