[sasl] [Technical Errata Reported] RFC5802 (2652)
RFC Errata System <rfc-editor@rfc-editor.org> Tue, 30 November 2010 18:57 UTC
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: sasl@core3.amsl.com
Delivered-To: sasl@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 695FF3A6C94 for <sasl@core3.amsl.com>; Tue, 30 Nov 2010 10:57:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.346
X-Spam-Level:
X-Spam-Status: No, score=-102.346 tagged_above=-999 required=5 tests=[AWL=0.254, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q8cs2209Qo9l for <sasl@core3.amsl.com>; Tue, 30 Nov 2010 10:57:00 -0800 (PST)
Received: from rfc-editor.org (rfc-editor.org [IPv6:2001:1890:1112:1::2f]) by core3.amsl.com (Postfix) with ESMTP id A06993A6C27 for <sasl@ietf.org>; Tue, 30 Nov 2010 10:57:00 -0800 (PST)
Received: by rfc-editor.org (Postfix, from userid 30) id E4D21E070A; Tue, 30 Nov 2010 10:58:12 -0800 (PST)
To: chris.newman@oracle.com, ams@toroid.org, Alexey.Melnikov@isode.com, Nicolas.Williams@oracle.com, turners@ieca.com, tim.polk@nist.gov, tlyu@mit.edu, kurt.zeilenga@isode.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20101130185812.E4D21E070A@rfc-editor.org>
Date: Tue, 30 Nov 2010 10:58:12 -0800
X-Mailman-Approved-At: Wed, 01 Dec 2010 12:15:02 -0800
Cc: sasl@ietf.org, jehan@zemarmot.net, rfc-editor@rfc-editor.org
Subject: [sasl] [Technical Errata Reported] RFC5802 (2652)
X-BeenThere: sasl@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SASL Working Group <sasl.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sasl>, <mailto:sasl-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sasl>
List-Post: <mailto:sasl@ietf.org>
List-Help: <mailto:sasl-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sasl>, <mailto:sasl-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2010 18:57:01 -0000
The following errata report has been submitted for RFC5802, "Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms". -------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata_search.php?rfc=5802&eid=2652 -------------------------------------- Type: Technical Reported by: Jehan Pagès <jehan@zemarmot.net> Section: 7 Original Text ------------- base64-char = ALPHA / DIGIT / "/" / "+" base64-4 = 4base64-char base64-3 = 3base64-char "=" base64-2 = 2base64-char "==" base64 = *base64-4 [base64-3 / base64-2] Corrected Text -------------- base64-char = ALPHA / DIGIT / "/" / "+" base64-4 = 4base64-char base64-3 = 3base64-char "=" base64-2 = 2base64-char "==" base64 = *base64-4 (base64-4 / base64-3 / base64-2) Notes ----- The original version would allow the empty string (hence the base64 encoding of an empty string). Though it may technically be an acceptable base64 encoded string, it is not acceptable in our use as we use it for security features which are not supposed to be empty (though it is not defined this way, but common sense tells). This formal definition added to the fact there is no textual counter-indication would imply it is authorized to generate for instance an empty salt, salt being formally defined as: salt = "s=" base64 And textually (section 2.1): "Salt: A random octet string that is combined with a password before applying a one-way encryption function. This value is used to protect passwords that are stored in an authentication database. " Other uses of base64 (proof, verifier and channel-binding) are less problematic as they are encoding of formerly exchanged data (hence if empty, it would fail the exchange). But salt being generated by client and server, the current definition would authorize an obviously faulty random salt-generation behaviour. Instructions: ------------- This errata is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party (IESG) can log in to change the status and edit the report, if necessary. -------------------------------------- RFC5802 (draft-ietf-sasl-scram-11) -------------------------------------- Title : Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms Publication Date : July 2010 Author(s) : C. Newman, A. Menon-Sen, A. Melnikov, N. Williams Category : PROPOSED STANDARD Source : Simple Authentication and Security Layer Area : Security Stream : IETF Verifying Party : IESG
- [sasl] [Technical Errata Reported] RFC5802 (2652) RFC Errata System