Re: I-D ACTION:draft-ietf-sasl-crammd5-to-historic-00.txt
Simon Josefsson <simon@josefsson.org> Tue, 25 November 2008 23:01 UTC
Return-Path: <owner-ietf-sasl@mail.imc.org>
X-Original-To: ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com
Delivered-To: ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4CB8A3A69E7 for <ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com>; Tue, 25 Nov 2008 15:01:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.406
X-Spam-Level:
X-Spam-Status: No, score=-2.406 tagged_above=-999 required=5 tests=[AWL=0.193, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W5DKJQSIrgCC for <ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com>; Tue, 25 Nov 2008 15:01:43 -0800 (PST)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id 039713A699F for <sasl-archive-Zoh8yoh9@ietf.org>; Tue, 25 Nov 2008 15:01:42 -0800 (PST)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id mAPMhPrr090078 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 25 Nov 2008 15:43:25 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id mAPMhPr0090077; Tue, 25 Nov 2008 15:43:25 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f
Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id mAPMhN7M090068 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Tue, 25 Nov 2008 15:43:24 -0700 (MST) (envelope-from simon@josefsson.org)
Received: from c80-216-27-189.bredband.comhem.se ([80.216.27.189] helo=mocca.josefsson.org) by yxa-v.extundo.com with esmtpsa (TLS-1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.63) (envelope-from <simon@josefsson.org>) id 1L56cq-0000BL-1Q; Tue, 25 Nov 2008 23:43:20 +0100
From: Simon Josefsson <simon@josefsson.org>
To: John C Klensin <john-ietf@jck.com>
Cc: Kurt.Zeilenga@isode.com, ietf-sasl@imc.org, pasi.eronen@nokia.com
Subject: Re: I-D ACTION:draft-ietf-sasl-crammd5-to-historic-00.txt
References: <20081124223001.B88703A682C@core3.amsl.com> <7928C65B3EEAEB90C35C6853@p3.int.jck.com>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:081125:pasi.eronen@nokia.com::kZWKc0Gk9a2hqln6:2Lab
X-Hashcash: 1:22:081125:john-ietf@jck.com::J5NXSItRerHfvr28:6HM1
X-Hashcash: 1:22:081125:ietf-sasl@imc.org::iDiD6V9HARS/r0V8:8Yc8
X-Hashcash: 1:22:081125:kurt.zeilenga@isode.com::SQroV9NCLCMVGfcw:cb4A
Date: Tue, 25 Nov 2008 23:43:19 +0100
In-Reply-To: <7928C65B3EEAEB90C35C6853@p3.int.jck.com> (John C. Klensin's message of "Tue, 25 Nov 2008 11:06:28 -0500")
Message-ID: <87zljno29k.fsf@mocca.josefsson.org>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.60 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-sasl@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-ID: <ietf-sasl.imc.org>
List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
John C Klensin <john-ietf@jck.com> writes: > Folks, > > While I have no particular attachment to CRAM-MD5 -- Paul, > Randy, and I created it as a service to the community -- I > suggest that you consider this active _very_ carefully. The WG has discussed this particular issue for several IETF meetings now. It seems difficult to come to consensus around the issue. > Given all of that, I wonder if denouncing CRAM-MD5 as strongly > as this document seems to is really appropriate. Would it not > be a lot more sensible and realistic to: > > (i) Publish an updated version of 2195 that reflects at > more length on the security issues and warnings about > them? I note that, given the requirement for two > interoperable implementations, this document could be > published at Draft Standard and that there is _no_ bar > to doing so under the procedures specified in RFC 2026. I would support this path, and given the deployment believe it makes some sense to do this, but others (Sam?) have said they would not support a backwards compatible CRAM-MD5 on the standards track. > (ii) Publish SCRAM and see if it gets any traction in > practice. +1. /Simon
- I-D ACTION:draft-ietf-sasl-crammd5-to-historic-00… Internet-Drafts
- Re: I-D ACTION:draft-ietf-sasl-crammd5-to-histori… John C Klensin
- Re: I-D ACTION:draft-ietf-sasl-crammd5-to-histori… Simon Josefsson
- Re: I-D ACTION:draft-ietf-sasl-crammd5-to-histori… Paul Smith
- Re: I-D ACTION:draft-ietf-sasl-crammd5-to-histori… Simon Josefsson
- Re: I-D ACTION:draft-ietf-sasl-crammd5-to-histori… John C Klensin