Re: [saag] Feedback on Salted EAP draft

Sam Hartman <hartmans-ietf@mit.edu> Fri, 27 March 2015 17:34 UTC

From: Sam Hartman <hartmans-ietf@mit.edu>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
References: <CAHbuEH5u=Q_h4L4yNdrpPw1J3fAsr1MfEMBV84TgdnHVWcxX0w@mail.gmail.com> <CAHbuEH4--TP0duM-8GSaR4RaUG5DoL=QtnCFE3shHbaUNPvwVg@mail.gmail.com>
Date: Fri, 27 Mar 2015 13:34:12 -0400
In-Reply-To: <CAHbuEH4--TP0duM-8GSaR4RaUG5DoL=QtnCFE3shHbaUNPvwVg@mail.gmail.com> (Kathleen Moriarty's message of "Fri, 27 Mar 2015 13:25:12 -0400")
Message-ID: <tsloane9wff.fsf@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/I-A8-QhW8-_Ud48YP2fkQE90oHU>
Cc: "saag@ietf.org" <saag@ietf.org>, emu@ietf.org

>>>>> "Kathleen" == Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> writes:

    Kathleen>    I meant to send the link to Dan's draft:
    Kathleen> https://tools.ietf.org/html/draft-harkins-salted-eap-pwd-01
    Kathleen> Long week...

I have briefly reviewed the goals behind this proposal and a sketch of
the details but have not done a technical review of the proposal.

The underlying goal is important and valuable.
This issue is the same issue that was behind my response to your AD
review of the OAuth dynamic registration draft.
The more we can do to make it possible to use deployed password
databases with more modern security, the more we will be able to employ
that modern security.

However, take careful note of section 5 of the draft.

Assuming that you can get positive technical reviews of the proposal,
this draft seems to solve an important problem that would be valuable to
solve in the EAP community.