Re: Random data
Tom Yu <tlyu@MIT.EDU> Tue, 12 August 2008 15:32 UTC
Return-Path: <owner-ietf-sasl@mail.imc.org>
X-Original-To: ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com
Delivered-To: ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 713203A6A46 for <ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com>; Tue, 12 Aug 2008 08:32:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level:
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sfTPFzpl3HO3 for <ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com>; Tue, 12 Aug 2008 08:32:00 -0700 (PDT)
Received: from balder-227.proper.com (Balder-227.Proper.COM [192.245.12.227]) by core3.amsl.com (Postfix) with ESMTP id 75C073A6B14 for <sasl-archive-Zoh8yoh9@ietf.org>; Tue, 12 Aug 2008 08:32:00 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m7CFM0kH041665 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 12 Aug 2008 08:22:00 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m7CFM0oj041664; Tue, 12 Aug 2008 08:22:00 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f
Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU [18.7.7.80]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m7CFLw5V041657 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Tue, 12 Aug 2008 08:21:59 -0700 (MST) (envelope-from tlyu@MIT.EDU)
Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id m7CFLuDo014631; Tue, 12 Aug 2008 11:21:56 -0400 (EDT)
Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id m7CFLtku015573 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 12 Aug 2008 11:21:55 -0400 (EDT)
Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id m7CFLt8a026305; Tue, 12 Aug 2008 11:21:55 -0400 (EDT)
To: Frank Ellermann <hmdmhdfmhdjmzdtjmzdtzktdkztdjz@gmail.com>
Cc: ietf-sasl@imc.org
Subject: Re: Random data
References: <ldvlki6dqqu.fsf@cathode-dark-space.mit.edu> <45F8475F.729B@xyzzy.claranet.de> <8F2528F5-886C-4E8F-B334-3438BA925F43@Isode.com> <g7r2et$50e$1@ger.gmane.org> <377B7578-AC45-49D9-94BC-706CC6029609@Isode.com> <g7rl7f$kdl$1@ger.gmane.org> <ldvsktabh09.fsf@cathode-dark-space.mit.edu> <g7ru9t$hrf$1@ger.gmane.org>
From: Tom Yu <tlyu@MIT.EDU>
Date: Tue, 12 Aug 2008 11:21:55 -0400
In-Reply-To: <g7ru9t$hrf$1@ger.gmane.org> (Frank Ellermann's message of "Tue, 12 Aug 2008 14:06:13 +0200")
Message-ID: <ldvmyjii7ho.fsf@cathode-dark-space.mit.edu>
Lines: 30
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Scanned-By: MIMEDefang 2.42
Sender: owner-ietf-sasl@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-ID: <ietf-sasl.imc.org>
List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
"Frank Ellermann" <nobody@xyzzy.claranet.de> writes: > Tom Yu wrote: > >>> The right hand side of a challenge in "Message-ID format" >>> can be twisted into what I expect by an attacker, it's no >>> security feature. > >> Might this have been an aborted attempt at specifying how >> to use the challenge to transmit additional information to >> a server, such as channel binding information? Or am I >> thinking of DIGEST? > > I'd guess that RFC 2195 uses the format of a Message-ID for > a challenge, because that's what APOP also uses, and a known > (for mail and news related protocols) concept. I meant that the introduction in draft-ietf-sasl-crammd5 of a new requirement that an implementation not interpret the "string that RFC2195 required to look like a RFC822 msg-id" might have been an aborted attempt to provide a "covert channel" for signaling the use of a channel binding. Alternatively, the new requirement that the client not interpret the challenge string might be an effort to improve interoperability with servers that do not send challenge strings that strictly conform to the syntax of RFC822 or RFC2822 msg-id strings. Authors or others, please elaborate if you recall the history of this change.
- Re: Security (crammd5) Frank Ellermann
- Re: Security (was: WG Last Call: draft-ietf-sasl-… Philip Guenther
- Security (was: WG Last Call: draft-ietf-sasl-cram… Frank Ellermann
- Interoperability (was: WG Last Call: draft-ietf-s… Frank Ellermann
- Limited use (was: WG Last Call: draft-ietf-sasl-c… Frank Ellermann
- Random data (was: WG Last Call: draft-ietf-sasl-c… Frank Ellermann
- Re: cram draft bug Alexey Melnikov
- Re: cram draft bug Kurt Zeilenga
- Re: WG Last Call: draft-ietf-sasl-crammd5-08.txt Alexey Melnikov
- Re: WG Last Call: draft-ietf-sasl-crammd5-08.txt Alexey Melnikov
- Re: cram draft bug Alexey Melnikov
- cram draft bug Lyndon Nerenberg
- Re: WG Last Call: draft-ietf-sasl-crammd5-08.txt Simon Josefsson
- WG Last Call: draft-ietf-sasl-crammd5-08.txt Tom Yu
- Future of SASLprep Simon Josefsson
- Re: Security Simon Josefsson
- Re: Random data Simon Josefsson
- Re: Interoperability (was: WG Last Call: draft-ie… Kurt Zeilenga
- Re: Interoperability (was: WG Last Call: draft-ie… Kurt Zeilenga
- Re: Interoperability Frank Ellermann
- Re: Interoperability Kurt Zeilenga
- Re: Interoperability Kurt Zeilenga
- Re: Interoperability Sam Hartman
- Re: Security (was: WG Last Call: draft-ietf-sasl-… Kurt Zeilenga
- Re: Limited use (was: WG Last Call: draft-ietf-sa… Kurt Zeilenga
- Re: Random data (was: WG Last Call: draft-ietf-sa… Kurt Zeilenga
- Re: Interoperability Frank Ellermann
- Re: Random data Frank Ellermann
- Re: Interoperability Frank Ellermann
- Re: Random data Kurt Zeilenga
- Re: Random data Lyndon Nerenberg
- Re: Random data Frank Ellermann
- Re: Future of SASLprep Frank Ellermann
- Re: Random data Tom Yu
- Re: Future of SASLprep Simon Josefsson
- Re: Random data Frank Ellermann
- Re: Future of SASLprep Frank Ellermann
- Re: Interoperability Sam Hartman
- Re: Random data Tom Yu
- Re: Interoperability Frank Ellermann
- Re: Security Kurt Zeilenga
- Re: Future of SASLprep Kurt Zeilenga
- Re: Security Simon Josefsson
- Re: Security Kurt Zeilenga
- Re: Security Frank Ellermann
- Re: Random data Frank Ellermann
- Re: Security Jeffrey Hutzelman
- Re: Security Kurt Zeilenga
- Re: Random data Kurt Zeilenga
- Re: Security Frank Ellermann
- Re: Random data Frank Ellermann
- Re: Security Frank Ellermann
- Re: Security Simon Josefsson
- Re: Random data Lyndon Nerenberg
- Re: Security Hallvard B Furuseth
- Re: Random data Lyndon Nerenberg
- Re: Security Simon Josefsson
- Re: Security Sam Hartman
- Re: Random data Kurt Zeilenga
- Re: Random data Frank Ellermann
- Re: Random data Frank Ellermann
- Re: Random data Simon Josefsson
- Re: Security Simon Josefsson
- Re: Security Frank Ellermann
- Re: Security Sam Hartman
- Re: Random data Kurt Zeilenga
- RE: Security Paul Leach
- Re: Security Sam Hartman
- Re: Security Frank Ellermann
- Re: Security Sam Hartman
- RE: Security Paul Leach
- Re: Random data Tony Finch
- Re: Random data Frank Ellermann
- Re: Security Frank Ellermann
- Re: Random data Kurt Zeilenga
- Re: Future of SASLprep Sam Hartman
- Re: Random data Simon Josefsson
- Re: Random data Frank Ellermann
- Re: Security Kurt Zeilenga
- Re: Security Simon Josefsson
- Re: Security Kurt Zeilenga
- Re: Security Sam Hartman