Re: SCRAM and YAP
Nicolas Williams <Nicolas.Williams@sun.com> Thu, 31 January 2008 15:50 UTC
Return-path: <owner-ietf-sasl@mail.imc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JKbgh-0007nx-5W for sasl-archive-Zoh8yoh9@lists.ietf.org; Thu, 31 Jan 2008 10:50:51 -0500
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1JKbgg-0000bN-Pa for sasl-archive-Zoh8yoh9@lists.ietf.org; Thu, 31 Jan 2008 10:50:51 -0500
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0VFc4hL012412 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 31 Jan 2008 08:38:04 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0VFc4Kx012411; Thu, 31 Jan 2008 08:38:04 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f
Received: from brmea-mail-1.sun.com (brmea-mail-1.Sun.COM [192.18.98.31]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0VFc3Q6012403 for <ietf-sasl@imc.org>; Thu, 31 Jan 2008 08:38:04 -0700 (MST) (envelope-from Nicolas.Williams@sun.com)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by brmea-mail-1.sun.com (8.13.6+Sun/8.12.9) with ESMTP id m0VFc3PB007475 for <ietf-sasl@imc.org>; Thu, 31 Jan 2008 15:38:03 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id m0VFc3tl058795 for <ietf-sasl@imc.org>; Thu, 31 Jan 2008 08:38:03 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m0VFc31I017358; Thu, 31 Jan 2008 09:38:03 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m0VFc3Tu017357; Thu, 31 Jan 2008 09:38:03 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Thu, 31 Jan 2008 09:38:03 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Philip Guenther <guenther+sasl@sendmail.com>
Cc: ietf-sasl@imc.org
Subject: Re: SCRAM and YAP
Message-ID: <20080131153802.GQ15877@Sun.COM>
Mail-Followup-To: Philip Guenther <guenther+sasl@sendmail.com>, ietf-sasl@imc.org
References: <20080130211445.GZ15877@Sun.COM> <Pine.BSO.4.64.0801302247000.12142@vanye.mho.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <Pine.BSO.4.64.0801302247000.12142@vanye.mho.net>
User-Agent: Mutt/1.5.7i
Sender: owner-ietf-sasl@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-ID: <ietf-sasl.imc.org>
List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: d17f825e43c9aed4fd65b7edddddec89
On Wed, Jan 30, 2008 at 11:08:28PM -0700, Philip Guenther wrote: > Without channel binding _or_ security layers, the athenticated channel > isn't protected from takeover and arbitrary replacement, right? The only > trustable fact would be the authentication itself, if that. Seems like a > pointless niche to me. It's good enough for some valid threat models. I think we'll end up having it. But yeah, _I_ would always want to use channel binding to TLS or SASL security layers, not neither. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0VFc4hL012412 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 31 Jan 2008 08:38:04 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0VFc4Kx012411; Thu, 31 Jan 2008 08:38:04 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from brmea-mail-1.sun.com (brmea-mail-1.Sun.COM [192.18.98.31]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0VFc3Q6012403 for <ietf-sasl@imc.org>; Thu, 31 Jan 2008 08:38:04 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-02.central.sun.com ([129.147.62.5]) by brmea-mail-1.sun.com (8.13.6+Sun/8.12.9) with ESMTP id m0VFc3PB007475 for <ietf-sasl@imc.org>; Thu, 31 Jan 2008 15:38:03 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id m0VFc3tl058795 for <ietf-sasl@imc.org>; Thu, 31 Jan 2008 08:38:03 -0700 (MST) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m0VFc31I017358; Thu, 31 Jan 2008 09:38:03 -0600 (CST) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m0VFc3Tu017357; Thu, 31 Jan 2008 09:38:03 -0600 (CST) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Thu, 31 Jan 2008 09:38:03 -0600 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Philip Guenther <guenther+sasl@sendmail.com> Cc: ietf-sasl@imc.org Subject: Re: SCRAM and YAP Message-ID: <20080131153802.GQ15877@Sun.COM> Mail-Followup-To: Philip Guenther <guenther+sasl@sendmail.com>, ietf-sasl@imc.org References: <20080130211445.GZ15877@Sun.COM> <Pine.BSO.4.64.0801302247000.12142@vanye.mho.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <Pine.BSO.4.64.0801302247000.12142@vanye.mho.net> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Wed, Jan 30, 2008 at 11:08:28PM -0700, Philip Guenther wrote: > Without channel binding _or_ security layers, the athenticated channel > isn't protected from takeover and arbitrary replacement, right? The only > trustable fact would be the authentication itself, if that. Seems like a > pointless niche to me. It's good enough for some valid threat models. I think we'll end up having it. But yeah, _I_ would always want to use channel binding to TLS or SASL security layers, not neither. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0VFYALZ012148 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 31 Jan 2008 08:34:10 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0VFYAKh012147; Thu, 31 Jan 2008 08:34:10 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from sca-ea-mail-3.sun.com (sca-ea-mail-3.Sun.COM [192.18.43.21]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0VFY9SN012140 for <ietf-sasl@imc.org>; Thu, 31 Jan 2008 08:34:10 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-3.sun.com (8.13.6+Sun/8.12.9) with ESMTP id m0VFY9Nw011737 for <ietf-sasl@imc.org>; Thu, 31 Jan 2008 15:34:09 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id m0VFY80t056694 for <ietf-sasl@imc.org>; Thu, 31 Jan 2008 08:34:09 -0700 (MST) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m0VFY5EA017347; Thu, 31 Jan 2008 09:34:05 -0600 (CST) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m0VFY5sm017346; Thu, 31 Jan 2008 09:34:05 -0600 (CST) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Thu, 31 Jan 2008 09:34:05 -0600 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Philip Guenther <guenther+sasl@sendmail.com> Cc: ietf-sasl@imc.org Subject: Re: SCRAM and YAP Message-ID: <20080131153404.GP15877@Sun.COM> Mail-Followup-To: Philip Guenther <guenther+sasl@sendmail.com>, ietf-sasl@imc.org References: <20080130211445.GZ15877@Sun.COM> <Pine.BSO.4.64.0801302247000.12142@vanye.mho.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <Pine.BSO.4.64.0801302247000.12142@vanye.mho.net> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Wed, Jan 30, 2008 at 11:08:28PM -0700, Philip Guenther wrote: > On Wed, 30 Jan 2008, Nicolas Williams wrote: > ... > >Jeff H. off-line worries that "unique channel binding" need not be good > >enough to replace the challenge. I believe that it always would be, or > >would have to be if the "unique channel binding" be good enough to > >detect MITMs. I don't have proof at this time. > > To me, the definition of unique channel bindings in RFC 5056 implies it: > + unique channel bindings: To me it does as well. Strongly implies, even. I've not thought long enough to decide that there's proof. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0V9e88c081094 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 31 Jan 2008 02:40:08 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0V9e8tA081092; Thu, 31 Jan 2008 02:40:08 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from kalyani.oryx.com (kalyani.oryx.com [195.30.37.30]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0V9e3an081084 for <ietf-sasl@imc.org>; Thu, 31 Jan 2008 02:40:04 -0700 (MST) (envelope-from arnt@oryx.com) Received: from kalyani.oryx.com (localhost.oryx.com [127.0.0.1]) by kalyani.oryx.com (Postfix) with ESMTP id B96344AC48; Thu, 31 Jan 2008 10:40:02 +0100 (CET) Received: from 195.30.37.9 (HELO libertango.oryx.com) by kalyani.oryx.com with esmtp id 1201772401-2291-510; Thu, 31 Jan 2008 10:40:01 +0100 Message-Id: <1k1JU/ImqkvlzBz1ZHEvmg.md5@libertango.oryx.com> Date: Thu, 31 Jan 2008 10:40:00 +0100 From: Arnt Gulbrandsen <arnt@oryx.com> To: ietf-sasl@imc.org Subject: Re: SCRAM with(out) GS2 (was Re: Holding gs2) Cc: Alexey Melnikov <alexey.melnikov@isode.com>, Chris Newman <Chris.Newman@Sun.COM>, Nicolas Williams <Nicolas.Williams@Sun.COM>, Sam Hartman <hartmans-ietf@mit.edu>, Simon Josefsson <simon@josefsson.org> References: <tslzlv55mon.fsf@mit.edu> <87bq7hx536.fsf@mocca.josefsson.org> <tslk5m2ep8f.fsf@mit.edu> <87myqxnc8b.fsf@mocca.josefsson.org> <479CCD23.4050600@isode.com> <20080128155952.GZ12865@Sun.COM> <A700A598DE5875E9C792C999@nifty-silver.local> <b6X5oHIyQbgfVbXrtzmq7A.md5@libertango.oryx.com> <20080130162209.GO15877@Sun.COM> In-Reply-To: <20080130162209.GO15877@Sun.COM> Content-Type: text/plain; format=flowed Mime-Version: 1.0 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Nicolas Williams writes: > We can deal with this, and we've already agreed to, by providing two > descriptions of the mechanism, one without reference to the GSS-API > nor GS2, and one with. That's the plan. Whether the plan is good is another question. > The simplified GS2 option we've been discussing would make that task > much, much easier, and would make the design of SCRAM much simpler > also. Simpler from the vantage point of most WG members. Not simpler to learn and to implement for the people I really care about: Those who have Cram-MD5 or Digest-MD5 today, and who I want to implement SCRAM. Arnt Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0V68YXb067290 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 30 Jan 2008 23:08:34 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0V68Ypj067289; Wed, 30 Jan 2008 23:08:34 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from ladle.sendmail.com (ladle.sendmail.com [209.246.26.53]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0V68Xmj067283 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Wed, 30 Jan 2008 23:08:34 -0700 (MST) (envelope-from guenther+sasl@sendmail.com) Received: from fife.sendmail.com (fife.sendmail.com [209.246.26.50]) by ladle.sendmail.com (Switch-3.3.1/Sentrion-3.0.0) with ESMTP id m0V68lXg011276 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 30 Jan 2008 22:08:47 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=sendmail.com; s=ladle.dkim; t=1201759727; bh=Wl4XYymr/25jATI82EhZSY7VSS48ub2MEFNX O/w/XhI=; h=Received:X-DKIM:DKIM-Signature:Date:From:X-X-Sender:To: cc:Subject:In-Reply-To:Message-ID:References:MIME-Version: Content-Type:X-MM-Ex-RefId; b=gYC/V/83Kl3h3bDhq8vP7yaCOX7JUDW7XEdg MIhF/kDyK1+85K1g1/SX3Ocn54cYPmThTujlK5zQ0X4jD1LSw5mAOckSCKDlxD2QVfe 0LcbvLNu2EOWQtDrA4NQBs2RC0Pf8OZtAJMvN2nu5ljBMd7BPtD5kzLgOfcmGFCxZIA 0= Received: from [192.168.0.2] (adsl-64-58-1-252.mho.net [64.58.1.252] (may be forged)) (authenticated bits=0) by fife.sendmail.com (Switch-3.3.1/Switch-3.3.1) with ESMTP id m0V69Khq001089 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 30 Jan 2008 22:09:22 -0800 X-DKIM: Sendmail DKIM Filter v2.2.2 fife.sendmail.com m0V69Khq001089 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sendmail.com; s=fife.dkim; t=1201759764; bh=Wl4XYymr/25jATI82EhZSY7VSS48ub2MEFNXO /w/XhI=; h=Date:From:X-X-Sender:To:cc:Subject:In-Reply-To: Message-ID:References:MIME-Version:Content-Type:X-MM-Ex-RefId; b=S iWBt7c2Ut6K6WKsbqHn3trEpQbmi46zeVFLjjvs8qSLXn4XnboD726JCkjIi+zFkjvq mtadtwoI1qU50f7C8or8RJdhxMtjjkUzI3k7gHYYGKcGATHdRnLR902Tbx+SlEBGW3J pLkqSYHC/bYk/TOJccjy2ajUh558deSesO/4= Date: Wed, 30 Jan 2008 23:08:28 -0700 From: Philip Guenther <guenther+sasl@sendmail.com> X-X-Sender: guenther@vanye.mho.net To: Nicolas Williams <Nicolas.Williams@sun.com> cc: ietf-sasl@imc.org Subject: Re: SCRAM and YAP In-Reply-To: <20080130211445.GZ15877@Sun.COM> Message-ID: <Pine.BSO.4.64.0801302247000.12142@vanye.mho.net> References: <20080130211445.GZ15877@Sun.COM> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-MM-Ex-RefId: 149371::080130220923-10933B90-77CB6FDD/0-0/0-1 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Wed, 30 Jan 2008, Nicolas Williams wrote: ... > Jeff H. off-line worries that "unique channel binding" need not be good > enough to replace the challenge. I believe that it always would be, or > would have to be if the "unique channel binding" be good enough to > detect MITMs. I don't have proof at this time. To me, the definition of unique channel bindings in RFC 5056 implies it: + unique channel bindings: channel bindings that name a channel in a cryptographically secure manner and uniquely in time; If either endpoint (or a MITM!) could force a particular channel binding value, then that channel binding construction wouldn't "name a channel <...> uniquely in time". A construction that didn't have large enough nonces from each endpoint wouldn't be cryptographically secure. So, if its a unique channel binding, then endpoints can neither force a value nor reduce the entropy to an insecure level. Or am I misinterpreting what "cryptographically secure" means there? > Saving a round-trip the likely-to-be-common case strikes me as good. > (Not using TLS and channel binding while also not having security layers > strikes me as not terribly useful, security-wise, though still something > that should be supported.) Without channel binding _or_ security layers, the athenticated channel isn't protected from takeover and arbitrary replacement, right? The only trustable fact would be the authentication itself, if that. Seems like a pointless niche to me. Philip Guenther Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0ULaIO1032965 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 30 Jan 2008 14:36:18 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0ULaIdl032964; Wed, 30 Jan 2008 14:36:18 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from sca-ea-mail-2.sun.com (sca-ea-mail-2.Sun.COM [192.18.43.25]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0ULaHnY032949 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for <ietf-sasl@imc.org>; Wed, 30 Jan 2008 14:36:18 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-2.sun.com (8.13.7+Sun/8.12.9) with ESMTP id m0ULaHGn014581 for <ietf-sasl@imc.org>; Wed, 30 Jan 2008 21:36:17 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id m0ULaG8u009298 for <ietf-sasl@imc.org>; Wed, 30 Jan 2008 14:36:16 -0700 (MST) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m0ULaGFT016960; Wed, 30 Jan 2008 15:36:16 -0600 (CST) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m0ULaFs8016959; Wed, 30 Jan 2008 15:36:15 -0600 (CST) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Wed, 30 Jan 2008 15:36:15 -0600 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Jeffrey Hutzelman <jhutz@cmu.edu> Cc: Arnt Gulbrandsen <arnt@oryx.com>, ietf-sasl@imc.org, Alexey Melnikov <alexey.melnikov@isode.com>, Chris Newman <Chris.Newman@sun.com>, Sam Hartman <hartmans-ietf@mit.edu>, Simon Josefsson <simon@josefsson.org> Subject: Re: SCRAM with(out) GS2 (was Re: Holding gs2) Message-ID: <20080130213615.GC15877@Sun.COM> Mail-Followup-To: Jeffrey Hutzelman <jhutz@cmu.edu>, Arnt Gulbrandsen <arnt@oryx.com>, ietf-sasl@imc.org, Alexey Melnikov <alexey.melnikov@isode.com>, Chris Newman <Chris.Newman@Sun.COM>, Sam Hartman <hartmans-ietf@mit.edu>, Simon Josefsson <simon@josefsson.org> References: <87bq7hx536.fsf@mocca.josefsson.org> <tslk5m2ep8f.fsf@mit.edu> <87myqxnc8b.fsf@mocca.josefsson.org> <479CCD23.4050600@isode.com> <20080128155952.GZ12865@Sun.COM> <A700A598DE5875E9C792C999@nifty-silver.local> <b6X5oHIyQbgfVbXrtzmq7A.md5@libertango.oryx.com> <20080130162209.GO15877@Sun.COM> <20080130205553.GY15877@Sun.COM> <8BC6271CC9E3B3E539017997@sirius.fac.cs.cmu.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <8BC6271CC9E3B3E539017997@sirius.fac.cs.cmu.edu> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Wed, Jan 30, 2008 at 04:28:19PM -0500, Jeffrey Hutzelman wrote: > --On Wednesday, January 30, 2008 02:55:53 PM -0600 Nicolas Williams > <Nicolas.Williams@sun.com> wrote: > >Frankly, the more I think about it the more I just want to get rid of > >the security layers. Simon? Others? > > I'm actually beginning to believe that security layers were never the right > answer in the first place -- all we ever really needed was channel bindings. I've known that for a while :) The problem is we don't get to go back in time, and it may take time to get folks to deploy TLS libraries that make CBs available. Nico -- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0ULSQse032377 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 30 Jan 2008 14:28:26 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0ULSQIV032376; Wed, 30 Jan 2008 14:28:26 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from jackfruit.srv.cs.cmu.edu (JACKFRUIT.SRV.CS.CMU.EDU [128.2.201.16]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0ULSNWm032368 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Wed, 30 Jan 2008 14:28:25 -0700 (MST) (envelope-from jhutz@cmu.edu) Received: from SIRIUS.FAC.CS.CMU.EDU (SIRIUS.FAC.CS.CMU.EDU [128.2.209.170]) (authenticated bits=0) by jackfruit.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id m0ULSJCA007126 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 30 Jan 2008 16:28:19 -0500 (EST) Date: Wed, 30 Jan 2008 16:28:19 -0500 From: Jeffrey Hutzelman <jhutz@cmu.edu> To: Nicolas Williams <Nicolas.Williams@sun.com>, Arnt Gulbrandsen <arnt@oryx.com>, ietf-sasl@imc.org, Alexey Melnikov <alexey.melnikov@isode.com>, Chris Newman <Chris.Newman@sun.com>, Sam Hartman <hartmans-ietf@mit.edu>, Simon Josefsson <simon@josefsson.org> cc: jhutz@cmu.edu Subject: Re: SCRAM with(out) GS2 (was Re: Holding gs2) Message-ID: <8BC6271CC9E3B3E539017997@sirius.fac.cs.cmu.edu> In-Reply-To: <20080130205553.GY15877@Sun.COM> References: <tslzlv55mon.fsf@mit.edu> <87bq7hx536.fsf@mocca.josefsson.org> <tslk5m2ep8f.fsf@mit.edu> <87myqxnc8b.fsf@mocca.josefsson.org> <479CCD23.4050600@isode.com> <20080128155952.GZ12865@Sun.COM> <A700A598DE5875E9C792C999@nifty-silver.local> <b6X5oHIyQbgfVbXrtzmq7A.md5@libertango.oryx.com> <20080130162209.GO15877@Sun.COM> <20080130205553.GY15877@Sun.COM> X-Mailer: Mulberry/4.0.8 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> --On Wednesday, January 30, 2008 02:55:53 PM -0600 Nicolas Williams <Nicolas.Williams@sun.com> wrote: > > On Wed, Jan 30, 2008 at 10:22:09AM -0600, Nicolas Williams wrote: >> Thus I am strongly in favor of at least adding the channel-binding-only >> option to GS2. I am also leaning towards being in favor of removing >> support for security layers and security layer negotiation from GS2 as >> well -- that would another significant simplification. On the latter >> point I'd like to hear from Simon and others whether they are OK with >> GS2 (GS3, whatever) mechanisms not providing any security layers. > > Frankly, the more I think about it the more I just want to get rid of > the security layers. Simon? Others? I'm actually beginning to believe that security layers were never the right answer in the first place -- all we ever really needed was channel bindings. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0ULElxp030978 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 30 Jan 2008 14:14:47 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0ULElb7030977; Wed, 30 Jan 2008 14:14:47 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from brmea-mail-3.sun.com (brmea-mail-3.Sun.COM [192.18.98.34]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0ULElYR030970 for <ietf-sasl@imc.org>; Wed, 30 Jan 2008 14:14:47 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-02.central.sun.com ([129.147.62.5]) by brmea-mail-3.sun.com (8.13.6+Sun/8.12.9) with ESMTP id m0ULEkhT005568 for <ietf-sasl@imc.org>; Wed, 30 Jan 2008 21:14:46 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id m0ULEkjv060292 for <ietf-sasl@imc.org>; Wed, 30 Jan 2008 14:14:46 -0700 (MST) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m0ULEkRO016925 for <ietf-sasl@imc.org>; Wed, 30 Jan 2008 15:14:46 -0600 (CST) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m0ULEkCx016924 for ietf-sasl@imc.org; Wed, 30 Jan 2008 15:14:46 -0600 (CST) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Wed, 30 Jan 2008 15:14:46 -0600 From: Nicolas Williams <Nicolas.Williams@sun.com> To: ietf-sasl@imc.org Subject: SCRAM and YAP Message-ID: <20080130211445.GZ15877@Sun.COM> Mail-Followup-To: ietf-sasl@imc.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> While we're at it, if we'll not have sec layers and we'll expect the use of TLS and channel bindings, then we might as well add a fast mode to SCRAM where IF the channel bindings provided are of the "unique" type, where the channel binding is used as the challenge (this what Kurt's YAP is premised on). Jeff H. off-line worries that "unique channel binding" need not be good enough to replace the challenge. I believe that it always would be, or would have to be if the "unique channel binding" be good enough to detect MITMs. I don't have proof at this time. Saving a round-trip the likely-to-be-common case strikes me as good. (Not using TLS and channel binding while also not having security layers strikes me as not terribly useful, security-wise, though still something that should be supported.) Nico -- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0UKu2R5029359 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 30 Jan 2008 13:56:02 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0UKu2AU029358; Wed, 30 Jan 2008 13:56:02 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from sca-ea-mail-4.sun.com (sca-ea-mail-4.Sun.COM [192.18.43.22]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0UKtxoi029347 for <ietf-sasl@imc.org>; Wed, 30 Jan 2008 13:55:59 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id m0UKtwJ0028709 for <ietf-sasl@imc.org>; Wed, 30 Jan 2008 20:55:58 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id m0UKtwKB046918 for <ietf-sasl@imc.org>; Wed, 30 Jan 2008 13:55:58 -0700 (MST) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m0UKtsVw016912; Wed, 30 Jan 2008 14:55:54 -0600 (CST) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m0UKtrKb016911; Wed, 30 Jan 2008 14:55:53 -0600 (CST) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Wed, 30 Jan 2008 14:55:53 -0600 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Arnt Gulbrandsen <arnt@oryx.com>, ietf-sasl@imc.org, Alexey Melnikov <alexey.melnikov@isode.com>, Chris Newman <Chris.Newman@sun.com>, Sam Hartman <hartmans-ietf@mit.edu>, Simon Josefsson <simon@josefsson.org> Subject: Re: SCRAM with(out) GS2 (was Re: Holding gs2) Message-ID: <20080130205553.GY15877@Sun.COM> Mail-Followup-To: Arnt Gulbrandsen <arnt@oryx.com>, ietf-sasl@imc.org, Alexey Melnikov <alexey.melnikov@isode.com>, Chris Newman <Chris.Newman@Sun.COM>, Sam Hartman <hartmans-ietf@mit.edu>, Simon Josefsson <simon@josefsson.org> References: <tslzlv55mon.fsf@mit.edu> <87bq7hx536.fsf@mocca.josefsson.org> <tslk5m2ep8f.fsf@mit.edu> <87myqxnc8b.fsf@mocca.josefsson.org> <479CCD23.4050600@isode.com> <20080128155952.GZ12865@Sun.COM> <A700A598DE5875E9C792C999@nifty-silver.local> <b6X5oHIyQbgfVbXrtzmq7A.md5@libertango.oryx.com> <20080130162209.GO15877@Sun.COM> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20080130162209.GO15877@Sun.COM> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Wed, Jan 30, 2008 at 10:22:09AM -0600, Nicolas Williams wrote: > Thus I am strongly in favor of at least adding the channel-binding-only > option to GS2. I am also leaning towards being in favor of removing > support for security layers and security layer negotiation from GS2 as > well -- that would another significant simplification. On the latter > point I'd like to hear from Simon and others whether they are OK with > GS2 (GS3, whatever) mechanisms not providing any security layers. Frankly, the more I think about it the more I just want to get rid of the security layers. Simon? Others? Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0UGMHxB003802 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 30 Jan 2008 09:22:17 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0UGMHZn003801; Wed, 30 Jan 2008 09:22:17 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from brmea-mail-1.sun.com (brmea-mail-1.Sun.COM [192.18.98.31]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0UGMB7c003789 for <ietf-sasl@imc.org>; Wed, 30 Jan 2008 09:22:11 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-01.central.sun.com ([129.147.62.4]) by brmea-mail-1.sun.com (8.13.6+Sun/8.12.9) with ESMTP id m0UGMA65010831 for <ietf-sasl@imc.org>; Wed, 30 Jan 2008 16:22:10 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id m0UGMAjU009607 for <ietf-sasl@imc.org>; Wed, 30 Jan 2008 09:22:10 -0700 (MST) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m0UGMA6g016638; Wed, 30 Jan 2008 10:22:10 -0600 (CST) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m0UGM94C016637; Wed, 30 Jan 2008 10:22:09 -0600 (CST) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Wed, 30 Jan 2008 10:22:09 -0600 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Arnt Gulbrandsen <arnt@oryx.com> Cc: ietf-sasl@imc.org, Alexey Melnikov <alexey.melnikov@isode.com>, Chris Newman <Chris.Newman@sun.com>, Sam Hartman <hartmans-ietf@mit.edu>, Simon Josefsson <simon@josefsson.org> Subject: Re: SCRAM with(out) GS2 (was Re: Holding gs2) Message-ID: <20080130162209.GO15877@Sun.COM> Mail-Followup-To: Arnt Gulbrandsen <arnt@oryx.com>, ietf-sasl@imc.org, Alexey Melnikov <alexey.melnikov@isode.com>, Chris Newman <Chris.Newman@Sun.COM>, Sam Hartman <hartmans-ietf@mit.edu>, Simon Josefsson <simon@josefsson.org> References: <tslzlv55mon.fsf@mit.edu> <87bq7hx536.fsf@mocca.josefsson.org> <tslk5m2ep8f.fsf@mit.edu> <87myqxnc8b.fsf@mocca.josefsson.org> <479CCD23.4050600@isode.com> <20080128155952.GZ12865@Sun.COM> <A700A598DE5875E9C792C999@nifty-silver.local> <b6X5oHIyQbgfVbXrtzmq7A.md5@libertango.oryx.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <b6X5oHIyQbgfVbXrtzmq7A.md5@libertango.oryx.com> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Wed, Jan 30, 2008 at 12:21:08PM +0100, Arnt Gulbrandsen wrote: > Chris Newman writes: > >I would personally have no problem implementing an all-binary SCRAM > >regardless of how ugly the ASN.1 and binary encoding happens to be > >(it just requires more lines of parsing code since I have to include > >all the binary->text logic for debugging). > > My two cents: I want SCRAM as a replacement for Digest-MD5 and to some > degree Cram-MD5. That may not be a good reason, but it's mine, and I > worry that GS2 hurts rather than helps. > > As I see it, the people I want to implement SCRAM have Cram-MD5 and/or > (bad) Digest-MD5 implementations, and most of them don't have > GSS-API/GS2 implementations. For these people, basing SCRAM on GS2 > means that they must read and understand more RFC text and their > implementations will be more complex. Chris has no problem with that, > but I fear that many people do. More text to read and understand means > a greater reluctance to implement, and in turn a slower pace of > adoption. More complexity means worse interoperation. We can deal with this, and we've already agreed to, by providing two descriptions of the mechanism, one without reference to the GSS-API nor GS2, and one with. The simplified GS2 option we've been discussing would make that task much, much easier, and would make the design of SCRAM much simpler also. Thus I am strongly in favor of at least adding the channel-binding-only option to GS2. I am also leaning towards being in favor of removing support for security layers and security layer negotiation from GS2 as well -- that would another significant simplification. On the latter point I'd like to hear from Simon and others whether they are OK with GS2 (GS3, whatever) mechanisms not providing any security layers. Nico -- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0UBTgjF080757 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 30 Jan 2008 04:29:42 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0UBTgnH080756; Wed, 30 Jan 2008 04:29:42 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from kalyani.oryx.com (kalyani.oryx.com [195.30.37.30]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0UBTcO4080748 for <ietf-sasl@imc.org>; Wed, 30 Jan 2008 04:29:39 -0700 (MST) (envelope-from arnt@oryx.com) Received: from kalyani.oryx.com (localhost.oryx.com [127.0.0.1]) by kalyani.oryx.com (Postfix) with ESMTP id 491804AC23; Wed, 30 Jan 2008 12:29:35 +0100 (CET) Received: from 195.30.37.9 (HELO libertango.oryx.com) by kalyani.oryx.com with esmtp id 1201692574-2291-4; Wed, 30 Jan 2008 12:29:34 +0100 Message-Id: <b6X5oHIyQbgfVbXrtzmq7A.md5@libertango.oryx.com> Date: Wed, 30 Jan 2008 12:21:08 +0100 From: Arnt Gulbrandsen <arnt@oryx.com> To: ietf-sasl@imc.org Subject: SCRAM with(out) GS2 (was Re: Holding gs2) Cc: Alexey Melnikov <alexey.melnikov@isode.com>, Chris Newman <Chris.Newman@Sun.COM>, Nicolas Williams <Nicolas.Williams@Sun.COM>, Sam Hartman <hartmans-ietf@mit.edu>, Simon Josefsson <simon@josefsson.org> References: <tslzlv55mon.fsf@mit.edu> <87bq7hx536.fsf@mocca.josefsson.org> <tslk5m2ep8f.fsf@mit.edu> <87myqxnc8b.fsf@mocca.josefsson.org> <479CCD23.4050600@isode.com> <20080128155952.GZ12865@Sun.COM> <A700A598DE5875E9C792C999@nifty-silver.local> In-Reply-To: <A700A598DE5875E9C792C999@nifty-silver.local> Content-Type: text/plain; format=flowed Mime-Version: 1.0 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Chris Newman writes: > I would personally have no problem implementing an all-binary SCRAM > regardless of how ugly the ASN.1 and binary encoding happens to be > (it just requires more lines of parsing code since I have to include > all the binary->text logic for debugging). My two cents: I want SCRAM as a replacement for Digest-MD5 and to some degree Cram-MD5. That may not be a good reason, but it's mine, and I worry that GS2 hurts rather than helps. As I see it, the people I want to implement SCRAM have Cram-MD5 and/or (bad) Digest-MD5 implementations, and most of them don't have GSS-API/GS2 implementations. For these people, basing SCRAM on GS2 means that they must read and understand more RFC text and their implementations will be more complex. Chris has no problem with that, but I fear that many people do. More text to read and understand means a greater reluctance to implement, and in turn a slower pace of adoption. More complexity means worse interoperation. Arnt Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0TLQCRs026784 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 29 Jan 2008 14:26:12 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0TLQCLk026783; Tue, 29 Jan 2008 14:26:12 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from sca-ea-mail-4.sun.com (sca-ea-mail-4.Sun.COM [192.18.43.22]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0TLQ73f026772 for <ietf-sasl@imc.org>; Tue, 29 Jan 2008 14:26:08 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-01.central.sun.com ([129.147.62.4]) by sca-ea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id m0TLQ7sI023482 for <ietf-sasl@imc.org>; Tue, 29 Jan 2008 21:26:07 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id m0TLQ6Jk045045 for <ietf-sasl@imc.org>; Tue, 29 Jan 2008 14:26:06 -0700 (MST) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m0TLQ6NC015597; Tue, 29 Jan 2008 15:26:06 -0600 (CST) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m0TLQ5L5015596; Tue, 29 Jan 2008 15:26:05 -0600 (CST) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Tue, 29 Jan 2008 15:26:05 -0600 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Chris Newman <Chris.Newman@sun.com> Cc: Alexey Melnikov <alexey.melnikov@isode.com>, Simon Josefsson <simon@josefsson.org>, Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org Subject: Re: Holding gs2 Message-ID: <20080129212605.GD12865@Sun.COM> Mail-Followup-To: Chris Newman <Chris.Newman@Sun.COM>, Alexey Melnikov <alexey.melnikov@isode.com>, Simon Josefsson <simon@josefsson.org>, Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org References: <tslzlv55mon.fsf@mit.edu> <87bq7hx536.fsf@mocca.josefsson.org> <tslk5m2ep8f.fsf@mit.edu> <87myqxnc8b.fsf@mocca.josefsson.org> <479CCD23.4050600@isode.com> <20080128155952.GZ12865@Sun.COM> <A700A598DE5875E9C792C999@nifty-silver.local> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <A700A598DE5875E9C792C999@nifty-silver.local> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Tue, Jan 29, 2008 at 12:16:36PM -0700, Chris Newman wrote: > Speaking as a technical participant only... > > As a SASL implementer, it is my current intention to not implement the > "security layer" feature of SASL. If I implement GS2, my implementation > will always negotiate the GS2 security layer off and will use SSL/TLS > channel bindings if there's any reasonable way I can get that working with > the Mozilla/NSS library. Most SASL apps have StartTLS or TLS port options. I'm inclined to believe that most SASL implementors would prefer to just do channel binding to TLS when you want security layers. So I'm now inclined to believe that Sam is right: we may have gone overboard with GS2. The only question left for me then is this: does anyone actually want SASL security layers with any new mechanisms, or with the replacement for "GSSAPI"? If the answer is "noone does" then I say we scrap GS2 and do a new thing based on GSS-API channel binding semantics and no security layers. If the answer is "some do" (e.g., Simon), then I think we may want a light-weight GS2 option, for use when no security layers are desired. > However, I only plan to implement GS2 if it provides value above the GSSAPI > mechanism -- that means it's only worth implementing to me if there are > clients that support the combination of GS2, Kerberos 5 and SSL/TLS channel > bindings. OK. To be sure there exist plenty of protocols that use both, TLS and SASL. What doesn't necessarily exist is support for extracting channel bindings from TLS libraries. > I would personally have no problem implementing an all-binary SCRAM > regardless of how ugly the ASN.1 and binary encoding happens to be (it just > requires more lines of parsing code since I have to include all the > binary->text logic for debugging). However, textual protocols are easier > to debug, easier to understand and thus easier to deploy. I'd be concerned > about the real-world deployability of an all-binary SCRAM. Well, ciphertext and MACs won't look like text... Password-based SASL mechs with channel binding would make relatively little use of crypto on the wire -- just some HMACs. So you might be able to get your wish. Nico -- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0TKpuTu023068 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 29 Jan 2008 13:51:56 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0TKpula023067; Tue, 29 Jan 2008 13:51:56 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from brmea-mail-4.sun.com (brmea-mail-4.Sun.COM [192.18.98.36]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0TKpr7q023054 for <ietf-sasl@imc.org>; Tue, 29 Jan 2008 13:51:54 -0700 (MST) (envelope-from Chris.Newman@Sun.COM) Received: from fe-amer-09.sun.com ([192.18.109.79]) by brmea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id m0TKpr8K014838 for <ietf-sasl@imc.org>; Tue, 29 Jan 2008 20:51:53 GMT Received: from conversion-daemon.mail-amer.sun.com by mail-amer.sun.com (Sun Java System Messaging Server 6.2-8.04 (built Feb 28 2007)) id <0JVF00A01AZALL00@mail-amer.sun.com> (original mail from Chris.Newman@Sun.COM) for ietf-sasl@imc.org; Tue, 29 Jan 2008 13:51:53 -0700 (MST) Received: from [10.0.191.236] ([129.150.16.192]) by mail-amer.sun.com (Sun Java System Messaging Server 6.2-8.04 (built Feb 28 2007)) with ESMTPSA id <0JVF008XXB9JZ360@mail-amer.sun.com>; Tue, 29 Jan 2008 13:51:47 -0700 (MST) Date: Tue, 29 Jan 2008 12:16:36 -0700 From: Chris Newman <Chris.Newman@Sun.COM> Subject: Re: Holding gs2 In-reply-to: <20080128155952.GZ12865@Sun.COM> To: Nicolas Williams <Nicolas.Williams@Sun.COM>, Alexey Melnikov <alexey.melnikov@isode.com> Cc: Simon Josefsson <simon@josefsson.org>, Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org Message-id: <A700A598DE5875E9C792C999@nifty-silver.local> MIME-version: 1.0 X-Mailer: Mulberry/4.0.8 (Mac OS X) Content-type: text/plain; format=flowed; charset=us-ascii Content-transfer-encoding: 7BIT Content-disposition: inline References: <tslzlv55mon.fsf@mit.edu> <87bq7hx536.fsf@mocca.josefsson.org> <tslk5m2ep8f.fsf@mit.edu> <87myqxnc8b.fsf@mocca.josefsson.org> <479CCD23.4050600@isode.com> <20080128155952.GZ12865@Sun.COM> Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Nicolas Williams wrote on 1/28/08 9:59 -0600: > Sam is proposing SASL mechanisms that support channel binding but not > any security layers, which effectively changes the semantics of channel > binding that we had assumed/concluded we wanted. This change can > greatly simplify the design of future SASL mechanisms, and it can > greatly simplify the design of a SASL/GSS bridge for GSS mechanisms that > support channel binding. Speaking as a technical participant only... As a SASL implementer, it is my current intention to not implement the "security layer" feature of SASL. If I implement GS2, my implementation will always negotiate the GS2 security layer off and will use SSL/TLS channel bindings if there's any reasonable way I can get that working with the Mozilla/NSS library. However, I only plan to implement GS2 if it provides value above the GSSAPI mechanism -- that means it's only worth implementing to me if there are clients that support the combination of GS2, Kerberos 5 and SSL/TLS channel bindings. I would personally have no problem implementing an all-binary SCRAM regardless of how ugly the ASN.1 and binary encoding happens to be (it just requires more lines of parsing code since I have to include all the binary->text logic for debugging). However, textual protocols are easier to debug, easier to understand and thus easier to deploy. I'd be concerned about the real-world deployability of an all-binary SCRAM. - Chris Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0SNTPtq006665 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 28 Jan 2008 16:29:25 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0SNTPfd006664; Mon, 28 Jan 2008 16:29:25 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from brmea-mail-3.sun.com (brmea-mail-3.Sun.COM [192.18.98.34]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0SNTOl5006657 for <ietf-sasl@imc.org>; Mon, 28 Jan 2008 16:29:24 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-02.central.sun.com ([129.147.62.5]) by brmea-mail-3.sun.com (8.13.6+Sun/8.12.9) with ESMTP id m0SNTNZD023050 for <ietf-sasl@imc.org>; Mon, 28 Jan 2008 23:29:23 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id m0SNTNUB036758 for <ietf-sasl@imc.org>; Mon, 28 Jan 2008 16:29:23 -0700 (MST) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m0SNTN37014910; Mon, 28 Jan 2008 17:29:23 -0600 (CST) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m0SNTMYg014909; Mon, 28 Jan 2008 17:29:22 -0600 (CST) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Mon, 28 Jan 2008 17:29:22 -0600 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Simon Josefsson <simon@josefsson.org> Cc: Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org Subject: Re: What am I waiting on for gs2? Message-ID: <20080128232922.GQ12865@Sun.COM> Mail-Followup-To: Simon Josefsson <simon@josefsson.org>, Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org References: <tslir3njs54.fsf@mit.edu> <87tzn6lcw9.fsf@mocca.josefsson.org> <tslprxufnqk.fsf@mit.edu> <tslk5o04vw3.fsf@mit.edu> <87bq8ltq45.fsf@mocca.josefsson.org> <tsld4t1iero.fsf@mit.edu> <87hcidia0t.fsf@mocca.josefsson.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87hcidia0t.fsf@mocca.josefsson.org> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> I support this change as well, modulo the what-do-we-do-about-Sam's- comment thread. We may still decide to make more changes to gs2. What would gs2 with an option to support channel-binding-but-no-sec- layers mechanisms? I think the packet format would change from this: 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | / / GSS_Init_sec_context or / / GSS_Accept_sec_context token, / / of given length / / --------------------/ / ---------------------/ / /--------------------/ / / Optional GSS_Wrap token / / / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ to this for the initial one (and, if we want to simplify the spec, for all of them): 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |<gss-channel-binding-in-use>[<authzid>] | / --------------------/ / ---------------------/ / /--------------------/ / | / / GSS_Init_sec_context or / / GSS_Accept_sec_context token, / / of given length / / --------------------/ / ---------------------/ / /--------------------/ / / Optional GSS_Wrap token / / / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Where, if gss-channel-binding-in-use == TRUE then <authzid> is present and the optional GSS_Wrap token is absent on this and all subsequent context token exchange packets. If gss-channel-binding-in-use == FALSE then everything is just as it used to be. If gss-channel-binding-in-use == TRUE then the client and the server MUST both construct the GSS-API channel bindings from the actual channel bindings passed in by the application and the authzid as well. Channel binding failure is critical in the GSS-API, so if channel binding fails then SASL authentication fails. gss-channel-binding-in-use can be a single octet, and authzid can be NUL-terminated UTF-8. The packet marshalling and unmarshalling is easy then. And the channel bindings can be the NUL-terminated authzid in UTF-8 with the actual channel bindings appended. Nico -- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0SMWKrN001701 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 28 Jan 2008 15:32:20 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0SMWKBx001700; Mon, 28 Jan 2008 15:32:20 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from chokecherry.srv.cs.cmu.edu (CHOKECHERRY.SRV.CS.CMU.EDU [128.2.185.41]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0SMWGLa001684 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Mon, 28 Jan 2008 15:32:19 -0700 (MST) (envelope-from jhutz@cmu.edu) Received: from SIRIUS.FAC.CS.CMU.EDU (SIRIUS.FAC.CS.CMU.EDU [128.2.209.170]) (authenticated bits=0) by chokecherry.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id m0SMW030008185 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 28 Jan 2008 17:32:14 -0500 (EST) Date: Mon, 28 Jan 2008 17:32:00 -0500 From: Jeffrey Hutzelman <jhutz@cmu.edu> To: Simon Josefsson <simon@josefsson.org>, Sam Hartman <hartmans-ietf@mit.edu> cc: ietf-sasl@imc.org, jhutz@cmu.edu Subject: Re: What am I waiting on for gs2? Message-ID: <B53945E6A056DF72340F5D95@sirius.fac.cs.cmu.edu> In-Reply-To: <87hcidia0t.fsf@mocca.josefsson.org> References: <tslir3njs54.fsf@mit.edu> <87tzn6lcw9.fsf@mocca.josefsson.org> <tslprxufnqk.fsf@mit.edu> <tslk5o04vw3.fsf@mit.edu> <87bq8ltq45.fsf@mocca.josefsson.org> <tsld4t1iero.fsf@mit.edu> <87hcidia0t.fsf@mocca.josefsson.org> X-Mailer: Mulberry/4.0.8 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> --On Thursday, December 20, 2007 05:52:18 PM +0100 Simon Josefsson <simon@josefsson.org> wrote: > I support the change below. Others? I support the addition of a security layer bit to indicate channel binding negotiation failed, as described in the change in question. However, the diff you provided also makes a second change, whose effect is to number bits with bit '0' being the least-significant bit rather than the most-significant bit, as is the convention used in the RFC Series. Please see ID-Checklist section 2.1 item 9, and draft-rfc-editor-rfc2223bis-08.txt section 3.4. -- Jeff Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0SG08eD066380 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 28 Jan 2008 09:00:09 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0SG08rw066379; Mon, 28 Jan 2008 09:00:08 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from sca-ea-mail-2.sun.com (sca-ea-mail-2.Sun.COM [192.18.43.25]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0SFxwvL066313 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for <ietf-sasl@imc.org>; Mon, 28 Jan 2008 08:59:58 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-2.sun.com (8.13.7+Sun/8.12.9) with ESMTP id m0SFxviH009706 for <ietf-sasl@imc.org>; Mon, 28 Jan 2008 15:59:57 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id m0SFxvKS028747 for <ietf-sasl@imc.org>; Mon, 28 Jan 2008 08:59:57 -0700 (MST) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m0SFxr77014529; Mon, 28 Jan 2008 09:59:53 -0600 (CST) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m0SFxq2I014528; Mon, 28 Jan 2008 09:59:52 -0600 (CST) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Mon, 28 Jan 2008 09:59:52 -0600 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Alexey Melnikov <alexey.melnikov@isode.com> Cc: Simon Josefsson <simon@josefsson.org>, Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org Subject: Re: Holding gs2 Message-ID: <20080128155952.GZ12865@Sun.COM> Mail-Followup-To: Alexey Melnikov <alexey.melnikov@isode.com>, Simon Josefsson <simon@josefsson.org>, Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org References: <tslzlv55mon.fsf@mit.edu> <87bq7hx536.fsf@mocca.josefsson.org> <tslk5m2ep8f.fsf@mit.edu> <87myqxnc8b.fsf@mocca.josefsson.org> <479CCD23.4050600@isode.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <479CCD23.4050600@isode.com> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Sun, Jan 27, 2008 at 06:27:47PM +0000, Alexey Melnikov wrote: > I consider reduction of round-trips as the main goal of GS2. But it doesn't quite meet that goal. It can cost an extra half round-trip for some mechanisms, IIRC. (If your krb5 mech initiator implementation doesn't support PORT_READY then it can even cost you an extra half round-trip when using krb5.) (Of course, channel binding alone can cost you an extra half round-trip -- think of krb5 w/o mutual authentication: to add channel binding you must do mutual auth, which means 1 round-trip instead of half.) However, Sam's objection is not about round-trips, but about complexity for implementors who wish SASL mechanisms but not GSS mechanisms: the gs2 approach forces them to implement MIC tokens. Sam is proposing SASL mechanisms that support channel binding but not any security layers, which effectively changes the semantics of channel binding that we had assumed/concluded we wanted. This change can greatly simplify the design of future SASL mechanisms, and it can greatly simplify the design of a SASL/GSS bridge for GSS mechanisms that support channel binding. > How about publishing GS2 as Experimental RFC and move it (or replace it, > if errors are found) to Standard Track once we have some implementation > experience? We could say that the channel binding semantics that gs2 provides are experimental... Or we could do (2b) as I suggested, and maybe profile gs2 for simple, channel-binding-but-no-security-layers SASL mechanisms. Or we could pursue the latter as a separate thing altoghether and separately describe a SASL/GSS bridge (gs2 extensions or gs3) with the same properties. I haven't yet thought enough about which approach will get us there faster. If we agree that we don't need any new SASL mechs to provide security layers, and that we don't care for GSS mechanisms that don't support channel binding, then we can even abandon gs2 and go for gs3 with a much simpler design (using GSS-API channel bindings to do the channel binding work and to protect the authzid -- no MIC tokens needed). > >If I recall correctly, the use-case of hybrid SASL and GSS-API > >mechanisms was established after we decided to do GS2. Sam and I had been wanting a SASL/GSS bridge for a long time, and we wanted channel binding to be a primary feature. Sam now suggests that we selected a channel binding semantic that was too complicated. Nico -- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0SACNTg033614 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 28 Jan 2008 03:12:23 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0SACNCo033613; Mon, 28 Jan 2008 03:12:23 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0SACMFr033605 for <ietf-sasl@imc.org>; Mon, 28 Jan 2008 03:12:22 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [172.16.1.99] (shiny.isode.com [62.3.217.250]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <R52qdwAMkLUb@rufus.isode.com>; Mon, 28 Jan 2008 10:12:10 +0000 Message-ID: <479CCE70.3050808@isode.com> Date: Sun, 27 Jan 2008 18:33:20 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Nicolas Williams <Nicolas.Williams@sun.com> CC: Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org Subject: Re: Holding gs2 References: <tslzlv55mon.fsf@mit.edu> <20080125152157.GH12183@Sun.COM> In-Reply-To: <20080125152157.GH12183@Sun.COM> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Nicolas Williams wrote: >OK, I've been thinking about this. > >I think we should: > >1) Formalize what a SASL mechanism that supports channel binding is. > > This would be an update of RFC4322. > > [...] >2) Decide whether we want: > > a) a new SASL/GSS framework which does not support security layers, > and which can be described in terms of GSS-API mechanisms that > support channel binding, > > or > > b) extend GS2 to do (a) but within the existing GS2 framework. > > Let's say that (2b) means having a long-form GS2 message exchange > for some mechanisms or uses of them, and a short-form GS2 message > exchange for others. > > c) We may also decided that we want to pursue a simple GSS-API > extension to always support GS2 short-form message exchanges where > GSS-API frameworks and mechanisms support that simple extension. > > This simple extension would consist, I think, of a new req_flag, > GSS_C_CHANNEL_BINDING_REQ, for GSS_Init_sec_context() and two new > ret_flags for GSS_Init_sec_context() and GSS_Accept_sec_context(). > The req_flag would indicate that the caller wants to know if: a) > channel binding is supported by the mechanism, b) this extension > is supported, c) whether channel binding succeeds. > > When this req_flag is used and the initiator and acceptor > framework and mechanism support this extension then a) channel > binding failure does not result in context establishment failuer, > b) the new ret_flags are set as follows: GSS_C_CHANNEL_NOT_BOUND > is set if channel binding failed, else GSS_C_CHANNEL_BOUND is set. > > [...] >I propose that we adopt (1) and (2b) as the simplest, yet general >solutions. > >New, pure SASL mechanisms that provide channel binding but no security >layers can then be described that: a) need not be GSS-API mechanisms, b) >can nonetheless be implemented as SASL/GS2 mechanisms, and c) sport the >short-form message exchange. > > Agreed. I am all in favor of (1). Regarding various (2) choices: I prefer 2b or 2c. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0SACGfA033593 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 28 Jan 2008 03:12:16 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0SACG90033592; Mon, 28 Jan 2008 03:12:16 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0SACEJ6033583 for <ietf-sasl@imc.org>; Mon, 28 Jan 2008 03:12:14 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [172.16.1.99] (shiny.isode.com [62.3.217.250]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <R52qdAAMkKka@rufus.isode.com>; Mon, 28 Jan 2008 10:12:07 +0000 Message-ID: <479CCD23.4050600@isode.com> Date: Sun, 27 Jan 2008 18:27:47 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Simon Josefsson <simon@josefsson.org> CC: Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org Subject: Re: Holding gs2 References: <tslzlv55mon.fsf@mit.edu> <87bq7hx536.fsf@mocca.josefsson.org> <tslk5m2ep8f.fsf@mit.edu> <87myqxnc8b.fsf@mocca.josefsson.org> In-Reply-To: <87myqxnc8b.fsf@mocca.josefsson.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Simon Josefsson wrote: >Sam Hartman <hartmans-ietf@mit.edu> writes: > > >>>>>>>"Simon" == Simon Josefsson <simon@josefsson.org> writes: >>>>>>> >>>>>>> >> Simon> Sam Hartman <hartmans-ietf@mit.edu> writes: >> >> I have a question for the SASL working group. With the >> >> exception of the question I brought up about optimal round >> Simon> I fear this would delay GS2 implementations for Kerberos >> Simon> V5, which would give us useful feedback on other aspects of >> Simon> the document. >> >> I have to admit that I share some of the concerns raised by Steve. I think it would be nice to go through SCRAM-as-GSS-API-mechanism exercise before publishing GS2. However I do understand that delaying GS2 because of SCRAM might not be fair for people who want to try implement GS2. >>Are there any implementers of SASL or Kerberos stacks who plan to delay? >> >> >I have started to implement GS2 twice to test the Kerberos V5 reduced >round-trip mode. The protocol kept changing, even after passing WGLC, >so I postponed those efforts pending a stable draft. I recently planned >to resume work on GS2 during February, but this discussion suggests to >me that I need to wait longer. Publishing GS2, with the limited >applicability for Kerberos would move my effort forward. > >I'd be interested in understanding how other implementers think about >this too. > > I [still] plan to implement GS2 once it is stable. But I am unlikely to be quicker than you in doing that, due to other commitments. >I don't see why having three mechanisms to do the same is problematic. >Ok, it does lead to complexity, but supposedly the complexity is >_required_ in order to solve some identified problem. GS2 solves the >identified problem of unnecessary many round-trips compared to Kerberos >V5 via GSS-API. If we don't consider that a valid problem, we should >say that GS2 should not be used with Kerberos V5 at all, > I consider reduction of round-trips as the main goal of GS2. >and instead say >that users should use GSS-API for this. That approach would take away >all the complexity for Kerberos in GS2. If we go this route, I would >support delaying publication of GS2 until we have specifications of the >GSS-API mechanisms that were designed with GS2 in mind. > > How about publishing GS2 as Experimental RFC and move it (or replace it, if errors are found) to Standard Track once we have some implementation experience? >If I recall correctly, the use-case of hybrid SASL and GSS-API >mechanisms was established after we decided to do GS2. > > Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0SACBdb033576 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 28 Jan 2008 03:12:11 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0SACBbT033575; Mon, 28 Jan 2008 03:12:11 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0SAC5s5033555 for <ietf-sasl@imc.org>; Mon, 28 Jan 2008 03:12:10 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [172.16.1.99] (shiny.isode.com [62.3.217.250]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <R52qbAAMkKYY@rufus.isode.com>; Mon, 28 Jan 2008 10:12:01 +0000 Message-ID: <479CCA3A.5010702@isode.com> Date: Sun, 27 Jan 2008 18:15:22 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Simon Josefsson <simon@josefsson.org> CC: Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org Subject: Re: What am I waiting on for gs2? References: <tslir3njs54.fsf@mit.edu> <87tzn6lcw9.fsf@mocca.josefsson.org> <tslprxufnqk.fsf@mit.edu> <tslk5o04vw3.fsf@mit.edu> <87bq8ltq45.fsf@mocca.josefsson.org> <tsld4t1iero.fsf@mit.edu> <87hcidia0t.fsf@mocca.josefsson.org> In-Reply-To: <87hcidia0t.fsf@mocca.josefsson.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Simon Josefsson wrote: >Sam Hartman <hartmans-ietf@mit.edu> writes: > > >>However if the WG doesn't have consensus behind this change then it >>should be backed out. >> >I support the change below. Others? > > I support it as well. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0PFM025031723 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 25 Jan 2008 08:22:00 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0PFM09A031722; Fri, 25 Jan 2008 08:22:00 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from sca-ea-mail-4.sun.com (sca-ea-mail-4.Sun.COM [192.18.43.22]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0PFLxBK031715 for <ietf-sasl@imc.org>; Fri, 25 Jan 2008 08:22:00 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id m0PFLxmZ013785 for <ietf-sasl@imc.org>; Fri, 25 Jan 2008 15:21:59 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id m0PFLwPW018066 for <ietf-sasl@imc.org>; Fri, 25 Jan 2008 08:21:58 -0700 (MST) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m0PFLwhQ012744; Fri, 25 Jan 2008 09:21:58 -0600 (CST) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m0PFLvbr012743; Fri, 25 Jan 2008 09:21:57 -0600 (CST) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Fri, 25 Jan 2008 09:21:57 -0600 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Sam Hartman <hartmans-ietf@mit.edu> Cc: ietf-sasl@imc.org Subject: Re: Holding gs2 Message-ID: <20080125152157.GH12183@Sun.COM> Mail-Followup-To: Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org References: <tslzlv55mon.fsf@mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <tslzlv55mon.fsf@mit.edu> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> OK, I've been thinking about this. I think we should: 1) Formalize what a SASL mechanism that supports channel binding is. This would be an update of RFC4322. SASL mechanisms that support channel binding are SASL mechanisms whose client and server init/step functions take the following additional input parameters: - channel binding - security layers to be negotiated if channel binding succeeds and which perform the channel binding operation as part of the mechanism's authentication exchanges. The security layers selected will be either the regular security layers as provided through the traditional inputs to these functions (if channel binding fails), or the second set of security layers input described above (if channel binding succeeds). This should suffice as guidance for anyone designing new SASL mechanisms that support channel binding. With a minor tweak such mechanisms can also be based on what I will call GS3 below. Before I go on to (2) below, note that a SASL/GSS framework for GSS-API mechanisms that support channel binding but where the framework will NOT support any security layers is trivial: no MIC tokens are needed, instead the client sends its initial token and authzid, with authzid || channel bindings as the GSS channel bindings, and thereafter it's a normal, framed GSS-API context token exchange. 2) Decide whether we want: a) a new SASL/GSS framework which does not support security layers, and which can be described in terms of GSS-API mechanisms that support channel binding, or b) extend GS2 to do (a) but within the existing GS2 framework. Let's say that (2b) means having a long-form GS2 message exchange for some mechanisms or uses of them, and a short-form GS2 message exchange for others. c) We may also decided that we want to pursue a simple GSS-API extension to always support GS2 short-form message exchanges where GSS-API frameworks and mechanisms support that simple extension. This simple extension would consist, I think, of a new req_flag, GSS_C_CHANNEL_BINDING_REQ, for GSS_Init_sec_context() and two new ret_flags for GSS_Init_sec_context() and GSS_Accept_sec_context(). The req_flag would indicate that the caller wants to know if: a) channel binding is supported by the mechanism, b) this extension is supported, c) whether channel binding succeeds. When this req_flag is used and the initiator and acceptor framework and mechanism support this extension then a) channel binding failure does not result in context establishment failuer, b) the new ret_flags are set as follows: GSS_C_CHANNEL_NOT_BOUND is set if channel binding failed, else GSS_C_CHANNEL_BOUND is set. Let's consider (2b). If the application requests no security layers in the channel binding failure and success cases then: i) channel binding failure -> mechanism failure; ii) because of (i) the GSS-API channel semantics will match the SASL mechanism's channel binding semantics, therefore GS2 can use GSS-API channel bindings and dispense with the MIC token exchanges (i.e., GS2 short-form message exchange). If the application requests different security layers in the channel binding success and failure cases then GS2 must use the long-form message exchange. Let's consider (2a). This would look just like the GS2 short-form message exchange described above, but would have a different SASL mechanism name prefix than GS2. Let's consider (2c). In this case GS2 can automatically select which of the short-form and long-form message exchanges to execute based on the capabilities of the GSS-API framework and mechanism (on both, the initiator and acceptor sides). I propose that we adopt (1) and (2b) as the simplest, yet general solutions. New, pure SASL mechanisms that provide channel binding but no security layers can then be described that: a) need not be GSS-API mechanisms, b) can nonetheless be implemented as SASL/GS2 mechanisms, and c) sport the short-form message exchange. New, pure SASL mechanisms that provide channel binding and optional security layers will require the GS2 long-form message exchange (with MIC tokens) when the application wishes to use security layers in the case of channel binding failure, but will use the short form when the applications requests no security layers in either case. (1) and (2a) would be OK, of course. (1) and (2c) would be the most general solution, but I wouldn't blame the WG for not biting! Nico -- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0MFvQPY062628 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 22 Jan 2008 08:57:26 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0MFvQKJ062627; Tue, 22 Jan 2008 08:57:26 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from brmea-mail-3.sun.com (brmea-mail-3.Sun.COM [192.18.98.34]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0MFvOpF062619 for <ietf-sasl@imc.org>; Tue, 22 Jan 2008 08:57:25 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-01.central.sun.com ([129.147.62.4]) by brmea-mail-3.sun.com (8.13.6+Sun/8.12.9) with ESMTP id m0MFvOE8003969 for <ietf-sasl@imc.org>; Tue, 22 Jan 2008 15:57:24 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id m0MFvOQq036474 for <ietf-sasl@imc.org>; Tue, 22 Jan 2008 08:57:24 -0700 (MST) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m0MFvOWo009753; Tue, 22 Jan 2008 09:57:24 -0600 (CST) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m0MFvNR3009752; Tue, 22 Jan 2008 09:57:23 -0600 (CST) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Tue, 22 Jan 2008 09:57:23 -0600 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Sam Hartman <hartmans-ietf@mit.edu> Cc: Jeffrey Hutzelman <jhutz@cmu.edu>, Simon Josefsson <simon@josefsson.org>, ietf-sasl@imc.org Subject: Re: Holding gs2 Message-ID: <20080122155723.GC6591@Sun.COM> Mail-Followup-To: Sam Hartman <hartmans-ietf@mit.edu>, Jeffrey Hutzelman <jhutz@cmu.edu>, Simon Josefsson <simon@josefsson.org>, ietf-sasl@imc.org References: <tslzlv55mon.fsf@mit.edu> <87bq7hx536.fsf@mocca.josefsson.org> <tslk5m2ep8f.fsf@mit.edu> <20080122040031.GZ6591@Sun.COM> <61ED870A8B45BAFFA96FEBEA@atlantis.pc.cs.cmu.edu> <tslbq7e9f4n.fsf@mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <tslbq7e9f4n.fsf@mit.edu> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Tue, Jan 22, 2008 at 08:14:16AM -0500, Sam Hartman wrote: > So, no I'm not convinced we know that gs2 can meet our needs. Of > course with my leave, we have a month before GS2 could progress > anyway. It would be really great if people could actually do the work > of specifying the mechanism for GS2 during that month. ^^^^^^^^^^^^^^^^^^^^^ Which mechanism? Nico -- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0MErI2L055523 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 22 Jan 2008 07:53:18 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0MErIJR055522; Tue, 22 Jan 2008 07:53:18 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa.extundo.com (yxa.extundo.com [83.241.177.38]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0MErFDi055506 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Tue, 22 Jan 2008 07:53:17 -0700 (MST) (envelope-from simon@josefsson.org) Received: from mocca.josefsson.org (yxa.extundo.com [83.241.177.38]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id m0MEr8fs006485 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 22 Jan 2008 15:53:09 +0100 From: Simon Josefsson <simon@josefsson.org> To: Sam Hartman <hartmans-ietf@mit.edu> Cc: ietf-sasl@imc.org Subject: Re: Holding gs2 In-Reply-To: <tslk5m2ep8f.fsf@mit.edu> (Sam Hartman's message of "Mon, 21 Jan 2008 18:24:48 -0500") References: <tslzlv55mon.fsf@mit.edu> <87bq7hx536.fsf@mocca.josefsson.org> <tslk5m2ep8f.fsf@mit.edu> User-Agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux) OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:080122:hartmans-ietf@mit.edu::MZgBpqgHzeJtyCR2:0wi/ X-Hashcash: 1:22:080122:ietf-sasl@imc.org::8LliPiDqRUtJfVdZ:Zn7s Date: Tue, 22 Jan 2008 15:53:08 +0100 Message-ID: <87myqxnc8b.fsf@mocca.josefsson.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-0.0 required=4.0 tests=SPF_PASS autolearn=disabled version=3.1.7 X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on yxa-iv X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com X-Virus-Status: Clean Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Sam Hartman <hartmans-ietf@mit.edu> writes: >>>>>> "Simon" == Simon Josefsson <simon@josefsson.org> writes: > > Simon> Sam Hartman <hartmans-ietf@mit.edu> writes: > >> I have a question for the SASL working group. With the > >> exception of the question I brought up about optimal round > Simon> I fear this would delay GS2 implementations for Kerberos > Simon> V5, which would give us useful feedback on other aspects of > Simon> the document. > > Are there any implementers of SASL or Kerberos stacks who plan to delay? I have started to implement GS2 twice to test the Kerberos V5 reduced round-trip mode. The protocol kept changing, even after passing WGLC, so I postponed those efforts pending a stable draft. I recently planned to resume work on GS2 during February, but this discussion suggests to me that I need to wait longer. Publishing GS2, with the limited applicability for Kerberos would move my effort forward. I'd be interested in understanding how other implementers think about this too. I don't see why having three mechanisms to do the same is problematic. Ok, it does lead to complexity, but supposedly the complexity is _required_ in order to solve some identified problem. GS2 solves the identified problem of unnecessary many round-trips compared to Kerberos V5 via GSS-API. If we don't consider that a valid problem, we should say that GS2 should not be used with Kerberos V5 at all, and instead say that users should use GSS-API for this. That approach would take away all the complexity for Kerberos in GS2. If we go this route, I would support delaying publication of GS2 until we have specifications of the GSS-API mechanisms that were designed with GS2 in mind. If I recall correctly, the use-case of hybrid SASL and GSS-API mechanisms was established after we decided to do GS2. /Simon Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0MDEMpx045238 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 22 Jan 2008 06:14:22 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0MDEM65045237; Tue, 22 Jan 2008 06:14:22 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0MDEK2S045231 for <ietf-sasl@imc.org>; Tue, 22 Jan 2008 06:14:21 -0700 (MST) (envelope-from hartmans@mit.edu) Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 2849EC400B; Tue, 22 Jan 2008 08:14:16 -0500 (EST) From: Sam Hartman <hartmans-ietf@mit.edu> To: Jeffrey Hutzelman <jhutz@cmu.edu> Cc: Nicolas Williams <Nicolas.Williams@sun.com>, Simon Josefsson <simon@josefsson.org>, ietf-sasl@imc.org Subject: Re: Holding gs2 References: <tslzlv55mon.fsf@mit.edu> <87bq7hx536.fsf@mocca.josefsson.org> <tslk5m2ep8f.fsf@mit.edu> <20080122040031.GZ6591@Sun.COM> <61ED870A8B45BAFFA96FEBEA@atlantis.pc.cs.cmu.edu> Date: Tue, 22 Jan 2008 08:14:16 -0500 In-Reply-To: <61ED870A8B45BAFFA96FEBEA@atlantis.pc.cs.cmu.edu> (Jeffrey Hutzelman's message of "Mon, 21 Jan 2008 23:35:32 -0500") Message-ID: <tslbq7e9f4n.fsf@mit.edu> User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> >>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz@cmu.edu> writes: Jeffrey> The main drawback to this approach is that it means GS2 Jeffrey> can be used only with GSS-API mechanisms for which such Jeffrey> an AS exists. That's fine if the only mechanisms are Jeffrey> standards-track base mechanisms, but things start to get Jeffrey> hairy if we want to allow for the use of stackable Jeffrey> mechanisms or of privately-defined mechanisms. Of Jeffrey> course, whoever defines a private mechanism could also Jeffrey> specify GS2's applicability to that mechanism, at least Jeffrey> for anyone for which it matters. I consider this a very significant drawback. Jeffrey> All of that being said, it seems that maybe we're Jeffrey> worrying too much. Last I knew we had an effort underway Jeffrey> which it was hoped would produce a non-Kerberos GS2 Jeffrey> mechanism. Whether that actually materializes or not, I Jeffrey> think we have basically worked out what it needs to look Jeffrey> like to work with GS2. Do we believe that is not Jeffrey> sufficient to demonstrate that GS2 can successfully be I am unconvinced we understand how to apply GS2 to mechanisms beyond kerberos in a manner such that those mechanisms can easily be coded as pure sasl mechanisms. I'm concerned about unnecessary optional exchanges and complicated control flow. I suspect that Chris and others will not like the result if using gs2 complicates the potential control flows, adds variable round trips, etc. So, no I'm not convinced we know that gs2 can meet our needs. Of course with my leave, we have a month before GS2 could progress anyway. It would be really great if people could actually do the work of specifying the mechanism for GS2 during that month. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0M4ZbVi099699 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 21 Jan 2008 21:35:37 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0M4ZbN9099698; Mon, 21 Jan 2008 21:35:37 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from jackfruit.srv.cs.cmu.edu (JACKFRUIT.SRV.CS.CMU.EDU [128.2.201.16]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0M4ZZ36099691 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Mon, 21 Jan 2008 21:35:36 -0700 (MST) (envelope-from jhutz@cmu.edu) Received: from atlantis.pc.cs.cmu.edu (ATLANTIS-HOME.PC.CS.CMU.EDU [128.2.200.132]) (authenticated bits=0) by jackfruit.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id m0M4ZWhu007831 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 21 Jan 2008 23:35:33 -0500 (EST) Date: Mon, 21 Jan 2008 23:35:32 -0500 From: Jeffrey Hutzelman <jhutz@cmu.edu> To: Nicolas Williams <Nicolas.Williams@sun.com>, Sam Hartman <hartmans-ietf@mit.edu> cc: Simon Josefsson <simon@josefsson.org>, ietf-sasl@imc.org, jhutz@cmu.edu Subject: Re: Holding gs2 Message-ID: <61ED870A8B45BAFFA96FEBEA@atlantis.pc.cs.cmu.edu> In-Reply-To: <20080122040031.GZ6591@Sun.COM> References: <tslzlv55mon.fsf@mit.edu> <87bq7hx536.fsf@mocca.josefsson.org> <tslk5m2ep8f.fsf@mit.edu> <20080122040031.GZ6591@Sun.COM> X-Mailer: Mulberry/4.0.8 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> --On Monday, January 21, 2008 10:00:31 PM -0600 Nicolas Williams <Nicolas.Williams@sun.com> wrote: > - additional mechanisms based on GS2 can be published as trivial RFCs > (requiring IESG protocol action) I started out agreeing with Sam that limiting GS2 to Kerberos and starting over again with "GS3" or whatever was a bad idea, for several reasons. However, the more I think about this, the more I think that it might not actually be necessary to have a fully generic bridge that can be applied to any mechanism. The original goal in doing so was to make sure that it would be possible to use SASL not only with existing GSS-API mechanisms but also with any new ones that happened to come along. Achieving that goal does not require universal applicability for GS2. All that is required is that when a new GSS-API mechanism is produced which is intended to be used with GSS-API, an applicability statement is published (possibly in the same document as the new mechanism) which describes GS2's applicability to the new mechanism. The main drawback to this approach is that it means GS2 can be used only with GSS-API mechanisms for which such an AS exists. That's fine if the only mechanisms are standards-track base mechanisms, but things start to get hairy if we want to allow for the use of stackable mechanisms or of privately-defined mechanisms. Of course, whoever defines a private mechanism could also specify GS2's applicability to that mechanism, at least for anyone for which it matters. All of that being said, it seems that maybe we're worrying too much. Last I knew we had an effort underway which it was hoped would produce a non-Kerberos GS2 mechanism. Whether that actually materializes or not, I think we have basically worked out what it needs to look like to work with GS2. Do we believe that is not sufficient to demonstrate that GS2 can successfully be applied to mechanisms beyond Kerberos? -- Jeff Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0M40aeN097318 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 21 Jan 2008 21:00:36 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0M40aW4097317; Mon, 21 Jan 2008 21:00:36 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from brmea-mail-3.sun.com (brmea-mail-3.Sun.COM [192.18.98.34]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0M40XfV097306 for <ietf-sasl@imc.org>; Mon, 21 Jan 2008 21:00:33 -0700 (MST) (envelope-from Nicolas.Williams@sun.com) Received: from dm-central-01.central.sun.com ([129.147.62.4]) by brmea-mail-3.sun.com (8.13.6+Sun/8.12.9) with ESMTP id m0M40W3X021100 for <ietf-sasl@imc.org>; Tue, 22 Jan 2008 04:00:32 GMT Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id m0M40WA1042595 for <ietf-sasl@imc.org>; Mon, 21 Jan 2008 21:00:32 -0700 (MST) Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m0M40WjC009546; Mon, 21 Jan 2008 22:00:32 -0600 (CST) Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m0M40VlF009545; Mon, 21 Jan 2008 22:00:31 -0600 (CST) X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f Date: Mon, 21 Jan 2008 22:00:31 -0600 From: Nicolas Williams <Nicolas.Williams@sun.com> To: Sam Hartman <hartmans-ietf@mit.edu> Cc: Simon Josefsson <simon@josefsson.org>, ietf-sasl@imc.org Subject: Re: Holding gs2 Message-ID: <20080122040031.GZ6591@Sun.COM> Mail-Followup-To: Sam Hartman <hartmans-ietf@mit.edu>, Simon Josefsson <simon@josefsson.org>, ietf-sasl@imc.org References: <tslzlv55mon.fsf@mit.edu> <87bq7hx536.fsf@mocca.josefsson.org> <tslk5m2ep8f.fsf@mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <tslk5m2ep8f.fsf@mit.edu> User-Agent: Mutt/1.5.7i Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> On Mon, Jan 21, 2008 at 06:24:48PM -0500, Sam Hartman wrote: > Simon> How about a compromise: publish GS2 soon but specify that > Simon> it is ONLY to be used with Kerberos V5, i.e., the > Simon> GS2-QLJHGJLWNPLMQRNK mechanism. [...] Sam> I think this is a really bad idea. It could get us into a situation Sam> where we have three standards for kerberos and SASL. Or where we have Sam> mechanisms that you should not use with GS2 other than negotiation Sam> mechanisms. That seems like a bad idea to me. Well, you opened the can when you suggested delaying publication in the first place... :/ I seem to recall you (and others) wishing we could achieve channel binding [and security layer negotiation] in fewer messages, which we could do and still have a SASL/GSS bridge if we spent the time on suitable GSS-API extensions or if we'd abandanded the SASL/GSS bridge idea. Were you indirectly suggesting this when you wrote this: Sam> > [...]. I just think it would be better to Sam> > hold that document until we get a mechanism that is both a GSS and Sam> > SASL mechanism or we conclude that doesn't work for us. ? While I agree with the sentiment, if we have implementors who would ship an implementation in less time than it would take us to re-design GS2, then I think it's just too late. There are good reasons why we went with this design, and we were aware of the trade-offs then. What, if anything, has changed to warrant re-designing GS2? If we really must then I'd offer the following compromise, similar to Simon's: - update RFC4422 to add a normative description of GS2 channel binding semantics (actually, we should do this anyways!) - limit GS2 to the Kerberos V mechanism - additional mechanisms based on GS2 can be published as trivial RFCs (requiring IESG protocol action) - additional mechanisms with GS2 channel binding semantics but fewer messages can also be published, perhaps as a GS3 if we suitably extend the GSS-API, or else not generalized (except for the update to RFC4422, see above). If we ever decide that GS2 is good enough then we can update it to say that any GSS-API mechanism (except SPNEGO...) can be used as a GS2 mechanism without further IESG protocol action. But first I'd like to see whether, given our AD's doubts, we have WG consensus to do anything other than forward GS2 to the IESG as is. Then, if we decide to not forward it as it, we can see if we have consensus for Sam's approach or Simon's, or something else. Nico -- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0LNOtY2072825 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 21 Jan 2008 16:24:56 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0LNOtJK072824; Mon, 21 Jan 2008 16:24:55 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0LNOppO072814 for <ietf-sasl@imc.org>; Mon, 21 Jan 2008 16:24:53 -0700 (MST) (envelope-from hartmans@mit.edu) Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 246E44817; Mon, 21 Jan 2008 18:24:48 -0500 (EST) From: Sam Hartman <hartmans-ietf@mit.edu> To: Simon Josefsson <simon@josefsson.org> Cc: ietf-sasl@imc.org Subject: Re: Holding gs2 References: <tslzlv55mon.fsf@mit.edu> <87bq7hx536.fsf@mocca.josefsson.org> Date: Mon, 21 Jan 2008 18:24:48 -0500 In-Reply-To: <87bq7hx536.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Sat, 19 Jan 2008 15:28:13 +0100") Message-ID: <tslk5m2ep8f.fsf@mit.edu> User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> >>>>> "Simon" == Simon Josefsson <simon@josefsson.org> writes: Simon> Sam Hartman <hartmans-ietf@mit.edu> writes: >> I have a question for the SASL working group. With the >> exception of the question I brought up about optimal round Simon> I fear this would delay GS2 implementations for Kerberos Simon> V5, which would give us useful feedback on other aspects of Simon> the document. Are there any implementers of SASL or Kerberos stacks who plan to delay? Simon> How about a compromise: publish GS2 soon but specify that Simon> it is ONLY to be used with Kerberos V5, i.e., the Simon> GS2-QLJHGJLWNPLMQRNK mechanism. This will lead to Simon> implementation experience for this particular use of GS2, Simon> while making it possible to make changes that are relevant Simon> for non-Kerberos mechanisms, when such experience has Simon> established itself. I think this is a really bad idea. It could get us into a situation where we have three standards for kerberos and SASL. Or where we have mechanisms that you should not use with GS2 other than negotiation mechanisms. That seems like a bad idea to me. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0JEe9Xs033185 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 19 Jan 2008 07:40:10 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0JEe9Cl033184; Sat, 19 Jan 2008 07:40:09 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa.extundo.com (yxa.extundo.com [83.241.177.38]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0JEe5Rn033174 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Sat, 19 Jan 2008 07:40:08 -0700 (MST) (envelope-from simon@josefsson.org) Received: from mocca.josefsson.org (yxa.extundo.com [83.241.177.38]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id m0JEdsJZ016291 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 19 Jan 2008 15:39:57 +0100 From: Simon Josefsson <simon@josefsson.org> To: Tom Yu <tlyu@MIT.EDU> Cc: ietf-sasl@imc.org Subject: Re: IETF70 SASL summary References: <ldvtzmvoccc.fsf@cathode-dark-space.mit.edu> <87sl2eu3h4.fsf@mocca.josefsson.org> <ldvejcyv5np.fsf@cathode-dark-space.mit.edu> OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:080119:ietf-sasl@imc.org::n9S/09jc2AB5qnwJ:3evX X-Hashcash: 1:22:080119:tlyu@mit.edu::bJG081sXgQPCEdHt:Dl1s Date: Sat, 19 Jan 2008 15:39:53 +0100 In-Reply-To: <ldvejcyv5np.fsf@cathode-dark-space.mit.edu> (Tom Yu's message of "Thu, 03 Jan 2008 18:41:14 -0500") Message-ID: <8763xpx4jq.fsf@mocca.josefsson.org> User-Agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-0.0 required=4.0 tests=SPF_PASS autolearn=disabled version=3.1.7 X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on yxa-iv X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com X-Virus-Status: Clean Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Tom Yu <tlyu@MIT.EDU> writes: >>>>>> "Simon" == Simon Josefsson <simon@josefsson.org> writes: > > Simon> Tom Yu <tlyu@MIT.EDU> writes: >>> Simon Josefsson has indicated he is not interested in purusing his >>> password-based mech draft at this time > > Simon> Just to clarify: I will pursue the draft (implementing it now, the draft > Simon> will change a lot), but due to lack of interest (I haven't seen any > Simon> feedback), it won't include the SASL/GS2 mappings. The document will be > Simon> a strict password-based GSS-API mechanism. > > Do you intend for the SASL WG to continue considering this document, > or are you going to pursue it in Kitten rather than in SASL? Also, I > believe that during SASL charter discussion, we had agreement that the > WG will attempt to produce a password-based mechanism that is a valid > GS2 mechanism, so there is interest in a mechanism that is valid both > as a GSS-API mechanism and as a SASL mechanism. > > If you do intend for it to continue to be considered within SASL, I > would like to make sure that people have adequately considered it in > the context of our password-based mech charter goal. I did intend for my proposal to be considered by the SASL WG, see: http://article.gmane.org/gmane.ietf.kitten/1291 Whether the work is actually done in the SASL WG, the Kitten WG, or elsewhere, seems less important to me. Alas, I haven't had much time to improve the document since my initial post of it, though. What I need is a secure GSS-API mechanism for password authentication; using it under GS2 was a secondary goal. I may have missed them, but are there any other concrete proposals for password based GSS-API mechanisms? /Simon Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0JESWjC032160 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 19 Jan 2008 07:28:32 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0JESWZK032159; Sat, 19 Jan 2008 07:28:32 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa.extundo.com (yxa.extundo.com [83.241.177.38]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0JESSQY032149 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Sat, 19 Jan 2008 07:28:31 -0700 (MST) (envelope-from simon@josefsson.org) Received: from mocca.josefsson.org (yxa.extundo.com [83.241.177.38]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id m0JESD76014919 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 19 Jan 2008 15:28:17 +0100 From: Simon Josefsson <simon@josefsson.org> To: Sam Hartman <hartmans-ietf@mit.edu> Cc: ietf-sasl@imc.org Subject: Re: Holding gs2 References: <tslzlv55mon.fsf@mit.edu> OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:080119:hartmans-ietf@mit.edu::CPK6J+7T+i8bmheH:40qZ X-Hashcash: 1:22:080119:ietf-sasl@imc.org::t4532ivw9oEk5qZ6:IjQN Date: Sat, 19 Jan 2008 15:28:13 +0100 In-Reply-To: <tslzlv55mon.fsf@mit.edu> (Sam Hartman's message of "Wed, 16 Jan 2008 19:18:48 -0500") Message-ID: <87bq7hx536.fsf@mocca.josefsson.org> User-Agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-0.0 required=4.0 tests=SPF_PASS autolearn=disabled version=3.1.7 X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on yxa-iv X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com X-Virus-Status: Clean Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Sam Hartman <hartmans-ietf@mit.edu> writes: > I have a question for the SASL working group. With the exception of > the question I brought up about optimal round trips, GS2 seems ready > to last call. > > > However I'd like to ask the WG to consider whether it really wants to send GS2 on its way now. > > I think it may be better to hold GS2 until we get experience with a > SASL+GSS mechanism. I'd hate for that effort to fail because we are > unable to make some small change in GS2. > > If the WG believes that sending GS2 on its way now is the best thing > to do I (or my successor) can send it to ietf last call after we > finish discussion on my comments. I just think it would be better to > hold that document until we get a mechanism that is both a GSS and > SASL mechanism or we conclude that doesn't work for us. I fear this would delay GS2 implementations for Kerberos V5, which would give us useful feedback on other aspects of the document. How about a compromise: publish GS2 soon but specify that it is ONLY to be used with Kerberos V5, i.e., the GS2-QLJHGJLWNPLMQRNK mechanism. This will lead to implementation experience for this particular use of GS2, while making it possible to make changes that are relevant for non-Kerberos mechanisms, when such experience has established itself. The GS2 document could later be updated with the fixes needed for non-Kerberos V5 mechanisms, and say that a bunch of other SASL mechanisms names are now permitted. I think how GS2 will work with Kerberos V5 is well understood, since it has been the only practical example to think about when we designed GS2. So if there mistakes relevant to Kerberos V5 in GS2, I don't believe we can hope to find them without implementation feedback at this stage. The only problem would be if we need to change something in GS2 that would affect how Kerberos V5 exchanges behave. That would be interesting. If that happens, as a worst scenario, it is always possible to call the revised protocol GS3 and have it say that if you use Kerberos V5, you need to use GS2-* instead. Unless there are security issues in GS2, then we would need to revise it anyway, in possible backwards incompatible ways. What do people think? /Simon Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0H0IoiB038624 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 16 Jan 2008 17:18:50 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0H0Io8s038623; Wed, 16 Jan 2008 17:18:50 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0H0InVR038616 for <ietf-sasl@imc.org>; Wed, 16 Jan 2008 17:18:50 -0700 (MST) (envelope-from hartmans@mit.edu) Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 998D84817; Wed, 16 Jan 2008 19:18:48 -0500 (EST) From: Sam Hartman <hartmans-ietf@mit.edu> To: ietf-sasl@imc.org Subject: Holding gs2 Date: Wed, 16 Jan 2008 19:18:48 -0500 Message-ID: <tslzlv55mon.fsf@mit.edu> User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> I have a question for the SASL working group. With the exception of the question I brought up about optimal round trips, GS2 seems ready to last call. However I'd like to ask the WG to consider whether it really wants to send GS2 on its way now. I think it may be better to hold GS2 until we get experience with a SASL+GSS mechanism. I'd hate for that effort to fail because we are unable to make some small change in GS2. If the WG believes that sending GS2 on its way now is the best thing to do I (or my successor) can send it to ietf last call after we finish discussion on my comments. I just think it would be better to hold that document until we get a mechanism that is both a GSS and SASL mechanism or we conclude that doesn't work for us. --Sam Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0465s14014093 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 3 Jan 2008 23:05:54 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m0465sRr014092; Thu, 3 Jan 2008 23:05:54 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU [18.7.7.80]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m0465q8G014085 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Thu, 3 Jan 2008 23:05:53 -0700 (MST) (envelope-from tlyu@MIT.EDU) Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id m0465oKE017513 for <ietf-sasl@imc.org>; Fri, 4 Jan 2008 01:05:51 -0500 (EST) Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id m0465o4c003861 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <ietf-sasl@imc.org>; Fri, 4 Jan 2008 01:05:50 -0500 (EST) Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id m0465oWI014441; Fri, 4 Jan 2008 01:05:50 -0500 (EST) To: ietf-sasl@imc.org Subject: draft SASL IETF70 minutes uploaded From: Tom Yu <tlyu@MIT.EDU> Date: Fri, 04 Jan 2008 01:05:50 -0500 Message-ID: <ldvhchuf7lt.fsf@cathode-dark-space.mit.edu> Lines: 2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Scanned-By: MIMEDefang 2.42 X-Spam-Flag: NO X-Spam-Score: 0.00 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> I've uploaded draft SASL WG session minutes for IETF70 to the meeting materials site. Please reply with corrections, etc. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m03NfISP090149 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 3 Jan 2008 16:41:18 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m03NfI3h090148; Thu, 3 Jan 2008 16:41:18 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU [18.7.7.80]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m03NfGTg090141 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Thu, 3 Jan 2008 16:41:17 -0700 (MST) (envelope-from tlyu@MIT.EDU) Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id m03NfFqq010345; Thu, 3 Jan 2008 18:41:15 -0500 (EST) Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id m03NfELE022279 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 3 Jan 2008 18:41:15 -0500 (EST) Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id m03NfEvw013101; Thu, 3 Jan 2008 18:41:14 -0500 (EST) To: Simon Josefsson <simon@josefsson.org> Cc: ietf-sasl@imc.org Subject: Re: IETF70 SASL summary References: <ldvtzmvoccc.fsf@cathode-dark-space.mit.edu> <87sl2eu3h4.fsf@mocca.josefsson.org> From: Tom Yu <tlyu@MIT.EDU> Date: Thu, 03 Jan 2008 18:41:14 -0500 In-Reply-To: <87sl2eu3h4.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Fri, 07 Dec 2007 12:52:07 +0100") Message-ID: <ldvejcyv5np.fsf@cathode-dark-space.mit.edu> Lines: 23 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Scanned-By: MIMEDefang 2.42 X-Spam-Flag: NO X-Spam-Score: 0.00 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> >>>>> "Simon" == Simon Josefsson <simon@josefsson.org> writes: Simon> Tom Yu <tlyu@MIT.EDU> writes: >> Simon Josefsson has indicated he is not interested in purusing his >> password-based mech draft at this time Simon> Just to clarify: I will pursue the draft (implementing it now, the draft Simon> will change a lot), but due to lack of interest (I haven't seen any Simon> feedback), it won't include the SASL/GS2 mappings. The document will be Simon> a strict password-based GSS-API mechanism. Do you intend for the SASL WG to continue considering this document, or are you going to pursue it in Kitten rather than in SASL? Also, I believe that during SASL charter discussion, we had agreement that the WG will attempt to produce a password-based mechanism that is a valid GS2 mechanism, so there is interest in a mechanism that is valid both as a GSS-API mechanism and as a SASL mechanism. If you do intend for it to continue to be considered within SASL, I would like to make sure that people have adequately considered it in the context of our password-based mech charter goal. ---Tom Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m03NCsMC088436 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 3 Jan 2008 16:12:54 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m03NCsY9088435; Thu, 3 Jan 2008 16:12:54 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU [18.7.7.80]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m03NCqqx088425 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Thu, 3 Jan 2008 16:12:53 -0700 (MST) (envelope-from tlyu@MIT.EDU) Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id m03NCmfH029465; Thu, 3 Jan 2008 18:12:49 -0500 (EST) Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id m03NClKP017896 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 3 Jan 2008 18:12:48 -0500 (EST) Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id m03NClDN012962; Thu, 3 Jan 2008 18:12:47 -0500 (EST) To: Alexey Melnikov <alexey.melnikov@isode.com> Cc: ietf-sasl@imc.org Subject: Re: new milestones for charter update References: <ldvfxxzoouv.fsf@cathode-dark-space.mit.edu> <476AD3F5.9020400@isode.com> From: Tom Yu <tlyu@MIT.EDU> Date: Thu, 03 Jan 2008 18:12:47 -0500 In-Reply-To: <476AD3F5.9020400@isode.com> (Alexey Melnikov's message of "Thu, 20 Dec 2007 20:43:33 +0000") Message-ID: <ldvprwiv6z4.fsf@cathode-dark-space.mit.edu> Lines: 12 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Scanned-By: MIMEDefang 2.42 X-Spam-Flag: NO X-Spam-Score: 0.00 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> >>>>> "Alexey" == Alexey Melnikov <alexey.melnikov@isode.com> writes: Alexey> But I would really like to have more or less solid SCRAM Alexey> document before we obsolete DIGEST-MD5. How solid does the DIGEST-MD5 successor document need to be? Does anyone else believe that we should delay publication of digest-to-historic until we have a solid document for the DIGEST-MD5 successor? I would prefer to not introduce more dependencies than absolutely necessary. ---Tom
- SCRAM and YAP Nicolas Williams
- Re: SCRAM and YAP Philip Guenther
- Re: SCRAM and YAP Nicolas Williams
- Re: SCRAM and YAP Nicolas Williams