Re: [kitten] AD sponsoring draft-hansen-scram-sha256

Peter Saint-Andre - &yet <peter@andyet.net> Fri, 13 February 2015 20:10 UTC

Return-Path: <peter@andyet.net>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74A541A0118 for <kitten@ietfa.amsl.com>; Fri, 13 Feb 2015 12:10:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zcsgPZ2sehZL for <kitten@ietfa.amsl.com>; Fri, 13 Feb 2015 12:10:17 -0800 (PST)
Received: from mail-ie0-f174.google.com (mail-ie0-f174.google.com [209.85.223.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CD341A0270 for <kitten@ietf.org>; Fri, 13 Feb 2015 12:10:05 -0800 (PST)
Received: by iecar1 with SMTP id ar1so22161482iec.11 for <kitten@ietf.org>; Fri, 13 Feb 2015 12:10:04 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=3iuP85OcLIjcBbDQ6u/YdZCFuLaWKN6Qb9if4Gb5V2U=; b=beg0kXsOLXYelb3glxfDqUNaYuF2m6X5rdvcGiT2AYitl005krGd7pGwBO9WuKpdg4 UbGOkgMcMdQD/mX5UqthDO8ErQbuNqW5gNHZ8ZxZX4xrXB9UGwrkrh/nLfaiejypQE3L 6hpgx1z1Wfr3CcJYu++LNVPAICskgtIp8CBBNubaauWLDd7r7LiocgaO08OOMTva5+Zz ShUxd9fb6QjKf3VH+dW0I1+rfDjJLw+ppZUvrgyW5KmuuKMjo/4Y4eAyqt3ZchgSK1d/ t41s3qc1iQlGz2bWBRUalDaXTeJTai8tpU1NTPo+WqbkvlCGjLJxcYw45swIz1rwWFYx 0brQ==
X-Gm-Message-State: ALoCoQmBe4XpBVFA3QA1llh8if11DddIaMqRi5H7MBT2AVq1mrHZBZ+N6Y/MJt2q5UxRyT1G52rq
X-Received: by 10.43.66.9 with SMTP id xo9mr16483650icb.67.1423858204723; Fri, 13 Feb 2015 12:10:04 -0800 (PST)
Received: from aither.local (c-73-34-202-214.hsd1.co.comcast.net. [73.34.202.214]) by mx.google.com with ESMTPSA id k12sm5015910iok.35.2015.02.13.12.10.03 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 13 Feb 2015 12:10:04 -0800 (PST)
Message-ID: <54DE5A0F.6090703@andyet.net>
Date: Fri, 13 Feb 2015 13:09:51 -0700
From: Peter Saint-Andre - &yet <peter@andyet.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Tony Hansen <tony@att.com>, "kitten@ietf.org" <kitten@ietf.org>
References: <54DC00D0.2050900@cs.tcd.ie> <54DE1A1C.6020908@andyet.net> <54DE47C6.4060609@att.com>
In-Reply-To: <54DE47C6.4060609@att.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/eh-gz6OrzfM5c46LqiXEh2zZkIw>
Subject: Re: [kitten] AD sponsoring draft-hansen-scram-sha256
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Feb 2015 20:10:23 -0000

Hi Tony, that all looks good!

On 2/13/15 11:51 AM, Tony Hansen wrote:
> Thanks Peter!
>
> More below.
>
> On 2/13/15 10:37 AM, Peter Saint-Andre - &yet wrote:
>> On 2/11/15 6:24 PM, Stephen Farrell wrote:
>>>
>>> Hiya,
>>>
>>> I've been asked to AD sponsor draft-hansen-scram-sha256 [1] as it's
>>> needed for some work in http-auth but doesn't quite fit with any
>>> current WG. I plan to start an IETF LC for that shortly, but please
>>> do let me know if there are any issues.
>>>
>>> This was previously discussed on the kitten WG list, so (with
>>> the WG chairs' permission) I'd ask that you send any comments
>>> there if you've any before I start the IETF LC. (Reply-to is
>>> set to the kitten WG list.)
>>
>> This is a helpful document. Herewith a few comments.
>>
>> §2
>>
>>    For the SCRAM-SHA-256/SCRAM-SHA-256-PLUS SASL mechanisms, servers
>>    SHOULD announce a hash iteration-count of at least 4096.
>>
>> Because (per RFC 5082) it is mandatory for the server to announce a
>> hash iteration-count, I'm wondering if that could be better expressed as:
>>
>>    For the SCRAM-SHA-256 and SCRAM-SHA-256-PLUS SASL mechanisms, the
>>    hash iteration-count announced by a server SHOULD be at least 4096.
>
> ok
>
>> §3
>>
>> It might be helpful here (or in the introduction) to describe why we
>> need these mechanisms, i.e., presumably they might have stronger
>> security properties or greater predicted longevity than the SCRAM
>> mechanisms based on SHA-1.
>
> I'll add the following to the introduction (gladly re-using your suggest
> words):
>
>      SHA-256 has stronger security properties than SHA-1, and it is
> expected that SCRAM
>      mechanisms based on it will have greater predicted longevity than
> the SCRAM
>      mechanisms based on SHA-1.
>
> I don't think it's necessary to mention that the HTTP SCRAM document
> will probably reference it.
>
> Seem okay?
>
>> Nits:
>>
>> §1
>>
>> mechanism are defined -> mechanisms are defined
>
> ack
>
>> §4
>>
>> I doubt that we need RFC 2119 language in the form.
>
> While I might agree, that text is copied directly from RFC 5802. I don't
> feel strongly enough about the use of mustard there to worry about it.
>
>      Tony