Re: WG Last Call: draft-ietf-sasl-scram-02
Alexey Melnikov <alexey.melnikov@isode.com> Thu, 30 July 2009 11:43 UTC
From: Alexey Melnikov <alexey.melnikov@isode.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
CC: Tom Yu <tlyu@MIT.EDU>, ietf-sasl@imc.org
Date: Thu, 30 Jul 2009 11:12:39 +0200
Subject: Re: WG Last Call: draft-ietf-sasl-scram-02
Message-ID: <4A716407.6000000@isode.com>
In-Reply-To: <4A703964.3090203@stpeter.im>
References: <ldvbpnouhy3.fsf@cathode-dark-space.mit.edu> <4A703964.3090203@stpeter.im>

Peter Saint-Andre wrote:

> Some nits...

Some of these are more than just nits :-). Thank you for the review!
I've responded/addressed most of your comments in my copy; I will reply
to the rest in a separate message.

> SECTION 2
>
> Typo: "family of mechanism" => "family of mechanisms"

Fixed.

> The second paragraph references security layers, which are not
> previously defined

Added the reference to RFC 4422.

> (and no reference is made to RFC 5056 here).

It is referenced in my copy.

> Under protocol features, the document says that "A standard attribute is
> defined to enable storage of the authentication information in LDAPv3"
> but I don't see where this attribute is defined in the spec.

This needs an informative reference to another draft I am editing. I
will add.

> SECTION 3
>
> The specification assumes that "the client is in possession of a
> username and password"; does it make sense to mention the fact that
> passwordless login can occur in this world (Kerb, X.509, etc.)?

I don't think this would help readability. I've changed "the client" to
"the SCRAM client" in my copy. Is it any better?

> SECTION 4
>
> Typo: "hashed function" => "hash function"

[...]

> SECTION 5
>
> There is an example of "tls-server-end-point" but no reference for this
> channel binding type.

I will add an informative reference.

> SECTION 5.1
>
> For the definition of "n", the text says that "a client must include it
> in its first message to the server"; do we mean MUST here?

Sure.

> The "n" attribute specifies a username. Is it up to the using protocol
> to define exactly what a username is? I am thinking of hosting providers
> that might host multiple domains for a given service, such that the
> username is not a "local-part" but could include a domain name (XMPP is
> but one example; others might include IMAP).

My copy already says:

   This attribute specifies the name of the user whose password is used
   for authentication (a.k.a. "authentication identity"
   <xref target='RFC4422'/>).

And according to RFC 4422, each mechanism defines what an authentication
identity looks like. For SCRAM it is a "simple username" (i.e.
<localpart>[@<domain>]), for Kerberos it is a Kerberos principal, etc.

> For the "n" attribute, "the server SHOULD prepare it using the
> "SASLPrep" profile". Under what circumstances is it appropriate for the
> server to not prepare the value according to SASLPrep?

This is a cut&paste from the DIGEST-MD5 update I was working on. If I
remember correctly there was some objection to making this a MUST. To
this day many implementors don't implement SASLPrep, so I think this is
a reasonable compromise.

> Typo: "It is important that this be value" => "It is important that this
> value be"
>
> Typo: missing close paren after the reference to RFC 5056

Both fixed.

> For the "i" attribute, the text says that it "must be sent by the server
> along with the user's salt"; do we mean MUST here?

Yes.

> SECTION 6
>
> Typo: "MUST chose" => "MUST choose"
>
> SECTION 8.2
>
> Typo: "SHALL BE" => "SHALL be"

Both fixed.

> APPENDIX A
>
> CRAM-MD5 is mentioned as another authentication mechanism, seemingly
> with the meaning that SCRAM is intended to obsolete CRAM-MD5. I recall
> an objection by John Klensin at the mic in San Francisco that in fact
> SCRAM is intended to obsolete DIGEST-MD5 but not CRAM-MD5. But perhaps
> that is a matter for draft-ietf-sasl-crammd5-to-historic, not this
> specification.

Agree with the last sentence.
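The Section 5.1 exchange above turns on three points an implementer has to get right: the "n" attribute carries the username, the server should run it through SASLPrep before using it, and the server's first message must carry the iteration count "i" together with the salt. The following is an added illustration written for this archive page; it is not code from the draft, from Alexey Melnikov, or from any SCRAM implementation. It assumes the attribute syntax and the "=2C"/"=3D" username escaping of the published RFC 5802 (assumed to match the draft under review), implements SASLPrep (RFC 4013) on top of the stringprep tables in Python's standard library, and uses sample nonces, salt and usernames constructed for the example.

```python
import base64
import re
import stringprep
import unicodedata


def saslprep(s: str, allow_unassigned: bool = False) -> str:
    """SASLprep (RFC 4013) over Python's RFC 3454 tables.

    Order is fixed by RFC 3454: map, NFKC-normalise, reject prohibited
    output, apply the bidi rule. Stored strings (the server's copy of a
    username) must also reject unassigned code points.
    """
    mapped = []
    for ch in s:
        if stringprep.in_table_b1(ch):      # B.1: commonly mapped to nothing
            continue
        if stringprep.in_table_c12(ch):     # C.1.2: non-ASCII space -> U+0020
            mapped.append(" ")
        else:
            mapped.append(ch)
    s = unicodedata.normalize("NFKC", "".join(mapped))

    prohibited = (
        stringprep.in_table_c12, stringprep.in_table_c21, stringprep.in_table_c22,
        stringprep.in_table_c3, stringprep.in_table_c4, stringprep.in_table_c5,
        stringprep.in_table_c6, stringprep.in_table_c7, stringprep.in_table_c8,
        stringprep.in_table_c9,
    )
    for ch in s:
        if any(table(ch) for table in prohibited):
            raise ValueError(f"prohibited code point U+{ord(ch):04X}")
        if not allow_unassigned and stringprep.in_table_a1(ch):
            raise ValueError(f"unassigned code point U+{ord(ch):04X}")

    # Bidi rule (RFC 3454 section 6): with any RandALCat character present,
    # no LCat character may appear and the string must start and end RandALCat.
    if any(stringprep.in_table_d1(ch) for ch in s):
        if any(stringprep.in_table_d2(ch) for ch in s):
            raise ValueError("RandALCat and LCat characters mixed")
        if not (stringprep.in_table_d1(s[0]) and stringprep.in_table_d1(s[-1])):
            raise ValueError("RandALCat string must start and end with RandALCat")
    return s


def encode_username(name: str) -> str:
    """Escape the two characters that are attribute syntax: '=' -> '=3D',
    ',' -> '=2C' (RFC 5802 style). '=' is escaped first so it is not redone."""
    return name.replace("=", "=3D").replace(",", "=2C")


def decode_username(name: str) -> str:
    """Reverse of encode_username; any other '=' sequence is a protocol error."""
    if re.search(r"=(?!2C|3D)", name):
        raise ValueError("invalid escape sequence in username")
    return name.replace("=2C", ",").replace("=3D", "=")


def parse_attributes(msg: str) -> dict:
    """Split 'k=v,k=v' into a dict: single-letter keys, no duplicates."""
    attrs = {}
    for part in msg.split(","):
        if len(part) < 2 or part[1] != "=" or not part[0].isalpha():
            raise ValueError(f"malformed attribute: {part!r}")
        key, value = part[0], part[2:]
        if key in attrs:
            raise ValueError(f"duplicate attribute: {key}")
        attrs[key] = value
    return attrs


def parse_client_first(msg: str) -> dict:
    """Server side: parse 'n,,n=<user>,r=<nonce>' (GS2 header with no
    channel binding and no authzid; other headers are out of scope here)."""
    if not msg.startswith("n,,"):
        raise ValueError("only the 'n,,' GS2 header is handled in this example")
    attrs = parse_attributes(msg[3:])
    if "n" not in attrs or "r" not in attrs:
        raise ValueError("client-first-message MUST carry 'n' and 'r'")
    # Prepare the name before it is used to look up the stored salt and
    # iteration count, so variant spellings map to one account.
    return {"username": saslprep(decode_username(attrs["n"])),
            "nonce": attrs["r"]}


def parse_server_first(msg: str) -> dict:
    """Client side: 'r', 's' and 'i' are all mandatory; the salt must decode
    and the iteration count must be a positive integer."""
    attrs = parse_attributes(msg)
    missing = [k for k in ("r", "s", "i") if k not in attrs]
    if missing:
        raise ValueError(f"server-first-message missing {missing}")
    count = attrs["i"]
    if not (count.isascii() and count.isdigit()) or int(count) < 1:
        raise ValueError("'i' must be a positive integer")
    salt = base64.b64decode(attrs["s"], validate=True)
    if not salt:
        raise ValueError("empty salt")
    return {"nonce": attrs["r"], "salt": salt, "iterations": int(count)}
```

Running `parse_client_first("n,,n=alice=2Cops@example.com,r=c1ientN0nce")` (constructed values) yields the username `alice,ops@example.com`, and a server-first message lacking `i`, carrying `i=0`, or repeating an attribute is rejected rather than silently defaulting. The SASLPrep step is what makes the "SHOULD" in the draft matter in practice: without it, `user` and a compatibility-form spelling of the same name are two different accounts on the server side.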