Re: ABNF for the three cases of SCRAM as GS2
Hallvard B Furuseth <h.b.furuseth@usit.uio.no> Sat, 31 January 2009 21:26 UTC
Return-Path: <owner-ietf-sasl@mail.imc.org>
X-Original-To: ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com
Delivered-To: ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 091783A684F for <ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com>; Sat, 31 Jan 2009 13:26:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level:
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[AWL=-0.048, BAYES_00=-2.599, J_CHICKENPOX_44=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hsrNjP-nCGiF for <ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com>; Sat, 31 Jan 2009 13:26:57 -0800 (PST)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id D6E363A67E9 for <sasl-archive-Zoh8yoh9@ietf.org>; Sat, 31 Jan 2009 13:26:56 -0800 (PST)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0VLCZaJ058515 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 31 Jan 2009 14:12:35 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0VLCZ9B058514; Sat, 31 Jan 2009 14:12:35 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f
Received: from mail-out1.uio.no (mail-out1.uio.no [129.240.10.57]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0VLCMmB058482 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Sat, 31 Jan 2009 14:12:34 -0700 (MST) (envelope-from hbf@bombur.uio.no)
Received: from mail-mx3.uio.no ([129.240.10.44]) by mail-out1.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LTN8X-00035u-Qr; Sat, 31 Jan 2009 22:12:21 +0100
Received: from bombur.uio.no ([129.240.6.233]) by mail-mx3.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LTN8X-0004gg-J9; Sat, 31 Jan 2009 22:12:21 +0100
Received: from hbf by bombur.uio.no with local (Exim 4.44) id 1LTN8X-0000qC-Al; Sat, 31 Jan 2009 22:12:21 +0100
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <hbf.20090131ondy@bombur.uio.no>
Date: Sat, 31 Jan 2009 22:12:21 +0100
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: ietf-sasl@imc.org
Subject: Re: ABNF for the three cases of SCRAM as GS2
In-Reply-To: <49843BCA.9070403@isode.com>
References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <49843BCA.9070403@isode.com>
X-Mailer: VM 7.18 under Emacs 22.2.1
X-UiO-Spam-info: not spam, SpamAssassin (score=-5.0, required=5.0, autolearn=disabled, UIO_MAIL_IS_INTERNAL=-5, uiobl=NO, uiouri=NO)
X-UiO-Scanned: 7B87E9E412763C1CC388E4B081AE21A588DF108C
X-UiO-SPAM-Test: remote_host: 129.240.6.233 spam_score: -49 maxlevel 200 minaction 2 bait 0 mail/h: 1 total 1361 max/h 8 blacklist 0 greylist 0 ratelimit 0
Sender: owner-ietf-sasl@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-ID: <ietf-sasl.imc.org>
List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
Alexey Melnikov wrote: >Hallvard B Furuseth wrote: >>> 1.1. Terminology >>> Some clarifications and additional definitions follow: >>> >> What's a server-authorized proxy? > > An entity authorized by the server to act on its behalf. I am not sure > this needs to be spelled out? To clarify my request for clarification, I'm not sure what these points in the intro are saying, even with your explanation: - The server does not gain the ability to impersonate the client to other servers (with an exception for server-authorized proxies). - The mechanism permits the use of a server-authorized proxy without requiring that proxy to have super-user rights with the back-end server. Where does this proxy sit, and how does this proxy auth work? If both server and proxy needs to see the scram-auth the user, I assume that would break if the channel binding field is present. If they don't, then one trusts the other to tell it the user's identity, which I suppose is what you mean by super-user privileges. Or can one of them watch the auth performed by the other, and verify that it is valid? Unless the draft is just saying that SCRAM supports the SASL authorization identity field and servers must do some internal auth magic to make use of that. >> Also, how does an iteration count of more than 1 help on a site where >> passwords are stored in several forms anyway, maybe including salted MD5 >> for Unix crypt()? (Maybe that's for Appendix B or C, I don't know.) > > My understanding is that one can read values from hashed password files > and use them to implement server side SCRAM. > There is no requirement that SCRAM specific hash be stored in such files. That sounds strange, unless you are talking about a weakness which can be attacked. The password-file secret would be salt, Hash(salt || password) while even with iteration count 0, SCRAM SaltedPassword is Hash((password XOR opad) || Hash((password XOR ipad) || salt || INT(1))) In any case, if there is a mapping MD5 crypt -> SCRAM crypt, that just makes the iteration count less useful as far as I can see. -- Hallvard Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0VLCZaJ058515 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 31 Jan 2009 14:12:35 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0VLCZ9B058514; Sat, 31 Jan 2009 14:12:35 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from mail-out1.uio.no (mail-out1.uio.no [129.240.10.57]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0VLCMmB058482 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Sat, 31 Jan 2009 14:12:34 -0700 (MST) (envelope-from hbf@bombur.uio.no) Received: from mail-mx3.uio.no ([129.240.10.44]) by mail-out1.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LTN8X-00035u-Qr; Sat, 31 Jan 2009 22:12:21 +0100 Received: from bombur.uio.no ([129.240.6.233]) by mail-mx3.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LTN8X-0004gg-J9; Sat, 31 Jan 2009 22:12:21 +0100 Received: from hbf by bombur.uio.no with local (Exim 4.44) id 1LTN8X-0000qC-Al; Sat, 31 Jan 2009 22:12:21 +0100 From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <hbf.20090131ondy@bombur.uio.no> Date: Sat, 31 Jan 2009 22:12:21 +0100 To: Alexey Melnikov <alexey.melnikov@isode.com> Cc: ietf-sasl@imc.org Subject: Re: ABNF for the three cases of SCRAM as GS2 In-Reply-To: <49843BCA.9070403@isode.com> References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <49843BCA.9070403@isode.com> X-Mailer: VM 7.18 under Emacs 22.2.1 X-UiO-Spam-info: not spam, SpamAssassin (score=-5.0, required=5.0, autolearn=disabled, UIO_MAIL_IS_INTERNAL=-5, uiobl=NO, uiouri=NO) X-UiO-Scanned: 7B87E9E412763C1CC388E4B081AE21A588DF108C X-UiO-SPAM-Test: remote_host: 129.240.6.233 spam_score: -49 maxlevel 200 minaction 2 bait 0 mail/h: 1 total 1361 max/h 8 blacklist 0 greylist 0 ratelimit 0 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Alexey Melnikov wrote: >Hallvard B Furuseth wrote: >>> 1.1. Terminology >>> Some clarifications and additional definitions follow: >>> >> What's a server-authorized proxy? > > An entity authorized by the server to act on its behalf. I am not sure > this needs to be spelled out? To clarify my request for clarification, I'm not sure what these points in the intro are saying, even with your explanation: - The server does not gain the ability to impersonate the client to other servers (with an exception for server-authorized proxies). - The mechanism permits the use of a server-authorized proxy without requiring that proxy to have super-user rights with the back-end server. Where does this proxy sit, and how does this proxy auth work? If both server and proxy needs to see the scram-auth the user, I assume that would break if the channel binding field is present. If they don't, then one trusts the other to tell it the user's identity, which I suppose is what you mean by super-user privileges. Or can one of them watch the auth performed by the other, and verify that it is valid? Unless the draft is just saying that SCRAM supports the SASL authorization identity field and servers must do some internal auth magic to make use of that. >> Also, how does an iteration count of more than 1 help on a site where >> passwords are stored in several forms anyway, maybe including salted MD5 >> for Unix crypt()? (Maybe that's for Appendix B or C, I don't know.) > > My understanding is that one can read values from hashed password files > and use them to implement server side SCRAM. > There is no requirement that SCRAM specific hash be stored in such files. That sounds strange, unless you are talking about a weakness which can be attacked. The password-file secret would be salt, Hash(salt || password) while even with iteration count 0, SCRAM SaltedPassword is Hash((password XOR opad) || Hash((password XOR ipad) || salt || INT(1))) In any case, if there is a mapping MD5 crypt -> SCRAM crypt, that just makes the iteration count less useful as far as I can see. -- Hallvard Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0VCnQwY039418 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 31 Jan 2009 05:49:26 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0VCnQZU039417; Sat, 31 Jan 2009 05:49:26 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0VCnOAV039410 for <ietf-sasl@imc.org>; Sat, 31 Jan 2009 05:49:25 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [92.40.46.168] (92.40.46.168.sub.mbb.three.co.uk [92.40.46.168]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SYRI0AB0lAAs@rufus.isode.com>; Sat, 31 Jan 2009 12:49:22 +0000 Message-ID: <498448A9.7020401@isode.com> Date: Sat, 31 Jan 2009 12:48:41 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> CC: Jeffrey Hutzelman <jhutz@cmu.edu>, ietf-sasl@imc.org Subject: Re: SCRAM notes References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> <hbf.20090127zhou@bombur.uio.no> <6A133083FF771C2ADA81A6F1@atlantis.pc.cs.cmu.edu> <hbf.20090127b3t4@bombur.uio.no> <497F8CEA.5020706@isode.com> <hbf.20090128hs8q@bombur.uio.no> In-Reply-To: <hbf.20090128hs8q@bombur.uio.no> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Hallvard B Furuseth wrote: >Alexey Melnikov writes: > > [...] >>Arguably if p= moves to the front of the >>final-client-message-without-proof, then the has would still be easy to >>extract, but it would require extra memcopy, or some other thing. >> >> >Yes, the trade-off is whether it should be easy to parse or easy to >construct. Generally parsing is the less trivial and thus most >bug-prone task, which is why I suggested putting it at the front. > >BTW, this is also why I like the grammar with fixed placement of >fields. Even if it seems simple enough, IIRC the opposite approach >was one of the sources of bugs people mentioned for DIGEST-MD5. > > Yes, this is a good point. (Note, that despite that I haven't made my own decision yet) >>>Then the client immediately knows where to find it, and it can happily >>>ignore all fields from optional extensions to the end of the message. >>> >>> >>I am not sure it buys that much. Other opinions? >> >I just came up with one myself: One could not compute ClientSignature >and ServerSignature while sending the message, so one must construct the >entire message in memory before sending. Not sure how much of an >objection that is though. > > I don't think this matters even for small devices, as SCRAM messages are not going to be big. What is more important is to allow for easy/fast implementations, for example to allow a single buffer to be used. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0VCjOat039216 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 31 Jan 2009 05:45:24 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0VCjO0f039215; Sat, 31 Jan 2009 05:45:24 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0VCjN6x039208 for <ietf-sasl@imc.org>; Sat, 31 Jan 2009 05:45:23 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [92.40.46.168] (92.40.46.168.sub.mbb.three.co.uk [92.40.46.168]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SYRH4QB0lAj4@rufus.isode.com>; Sat, 31 Jan 2009 12:45:22 +0000 Message-ID: <498447BB.8090306@isode.com> Date: Sat, 31 Jan 2009 12:44:43 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> CC: Jeffrey Hutzelman <jhutz@cmu.edu>, ietf-sasl@imc.org Subject: Re: SCRAM notes References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> <hbf.20090127zhou@bombur.uio.no> <6A133083FF771C2ADA81A6F1@atlantis.pc.cs.cmu.edu> <hbf.20090127b3t4@bombur.uio.no> <497F8CEA.5020706@isode.com> <hbf.20090128hs8q@bombur.uio.no> <498446E6.2090606@isode.com> In-Reply-To: <498446E6.2090606@isode.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Alexey Melnikov wrote: > Hallvard B Furuseth wrote: > >> Could you describe a practical example of how you imagine this field >> being defined and used, presumably with one RFC defining it and two >> others using it? Even if you don't want this in the spec, it'd be nice >> to be sure we are somewhere on the same page in this discussion. So far >> we apparently haven't been. > > Well, if this help you understand: one possibility is to define "m" as > containing a list of other attribute that are mandatory. > I.e. if m=xy, then understanding of x=foo and y=bar by the other end > would be required to succeed. To continue this example: m=xy would be the same as m=yx and I also think we should say that the order of extension attributes can be arbitrary. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0VCfuqp039011 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 31 Jan 2009 05:41:56 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0VCfuN2039010; Sat, 31 Jan 2009 05:41:56 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0VCftLV039004 for <ietf-sasl@imc.org>; Sat, 31 Jan 2009 05:41:56 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [92.40.46.168] (92.40.46.168.sub.mbb.three.co.uk [92.40.46.168]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SYRHDQB0lKHk@rufus.isode.com>; Sat, 31 Jan 2009 12:41:52 +0000 Message-ID: <498446E6.2090606@isode.com> Date: Sat, 31 Jan 2009 12:41:10 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> CC: Jeffrey Hutzelman <jhutz@cmu.edu>, ietf-sasl@imc.org Subject: Re: SCRAM notes References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> <hbf.20090127zhou@bombur.uio.no> <6A133083FF771C2ADA81A6F1@atlantis.pc.cs.cmu.edu> <hbf.20090127b3t4@bombur.uio.no> <497F8CEA.5020706@isode.com> <hbf.20090128hs8q@bombur.uio.no> In-Reply-To: <hbf.20090128hs8q@bombur.uio.no> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Hallvard B Furuseth wrote: >Alexey Melnikov writes: > >>Hallvard B Furuseth wrote: >> [...] >>>But now you need to specify that this >>>is how the field is expected to be updated. Not necessarily in that >>>seciont, could go in an appendix. >>> >>> >>Can you please recommend specific text for consideration? >> >> >But I just did, roughly, and Jeffrey said "no no". That was my second >attemt too. My first was the SCRAM "mandatory extensions"? thread, >wich was a total misunderstanding of what was meant. > >But I can make another attempt, stealing a bit from later messages in >this thread: > >* Rename the field and grammar symbol from "mandatory extensions" and > "mandatory-exts" to "reserved". > > I've used "reserved-mext", because "reserved" is an overloaded ABNF non-terminal name. >* description: > - m: This attribute is reserved for future extensibility. > In this version of SCRAM, its presence in a client or a server > message MUST cause authentication failure when the attribute is > parsed by the other end. > Done. >>>>>Hold on. I think that's a bug anyway. The draft should say that auth >>>>>MUST be aborted if a message doesn't match the grammar in Section 6. >>>>> >>>>> >>>>No, we've been over this, and the consensus was that extension fields >>>>should be non-critical; that is, unrecognized extensions are ignored. >>>> >>>Not _mandatory_ extensions, since an older SASL implementation will >>>abort the authentication when it sees "m=". >>> >>> >>I don't understand this comment. >> >> >Nor do I understand Jeffrey's. We were discussing mandatory extensions, >"m=" or a replacement for it. This cannot be ignored, it'll cause a >failure in the current implementation. > Correct. >So how does that square with >"unrecognized extensions are ignored"? > "Unrecognized extension attributes", i.e. attributes not defined in the draft (the inside of <extensions> ABNF production), MUST be ignored. The m= attribute is not unrecognized, as it is defined (even though without a syntax ;-)). >That's the optional extensions >field in the draft. Unless the draft is saying something quite else >than people agreed off-line that it should say - and I'm talking about >the draft while he's talking about that off-line agreement. > > >>Any optional extension goes at the end. >>Any mandatory extension would result in m= being present and can put >>something at the end. >> >> >Yes. Or, I assumed, it could have m=something present and not put >something at the end. > That is another possibility, yes. >Or it could have an optional extensions without >"m=" at the front. > > We can always do that too, assuming the draft is updated to say that unrecognized attributes in unexpected places (such as at the front) MUST be ignored. (Please note that I don't think we have consensus on this change just yet) >But this was an approach I had not thought of. You mean something like, >an RFC puts the actual extension data ",x=foo" at the end, and "m=x," at >the front to tell SCRAM that this particular "x=foo" extension cannot be >ignored? > Yes! >But again, that's just another way to spell out a critical x= extension, >so I don't see how it squares with "consensus was that extension fields >should be non-critical" as an objection to another way to spell out >mandatory extensions. > >Could you describe a practical example of how you imagine this field >being defined and used, presumably with one RFC defining it and two >others using it? Even if you don't want this in the spec, it'd be nice >to be sure we are somewhere on the same page in this discussion. So far >we apparently haven't been. > > Well, if this help you understand: one possibility is to define "m" as containing a list of other attribute that are mandatory. I.e. if m=xy, then understanding of x=foo and y=bar by the other end would be required to succeed. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0VC1TR2037660 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 31 Jan 2009 05:01:29 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0VC1TC4037659; Sat, 31 Jan 2009 05:01:29 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0VC1SiB037653 for <ietf-sasl@imc.org>; Sat, 31 Jan 2009 05:01:29 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [92.40.46.168] (92.40.46.168.sub.mbb.three.co.uk [92.40.46.168]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SYQ9lgB0lIV5@rufus.isode.com>; Sat, 31 Jan 2009 12:01:27 +0000 Message-ID: <49843D71.7050305@isode.com> Date: Sat, 31 Jan 2009 12:00:49 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> CC: Jeffrey Hutzelman <jhutz@cmu.edu>, ietf-sasl@imc.org Subject: Re: SCRAM notes References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> <hbf.20090127zhou@bombur.uio.no> <6A133083FF771C2ADA81A6F1@atlantis.pc.cs.cmu.edu> In-Reply-To: <6A133083FF771C2ADA81A6F1@atlantis.pc.cs.cmu.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Jeffrey Hutzelman wrote: > --On Tuesday, January 27, 2009 07:00:55 PM +0100 Hallvard B Furuseth > <h.b.furuseth@usit.uio.no> wrote: [...] >> Define "correctly". Generate some unneeded SCRAM hashes for each >> password and store them somewhere safe, in anticipation of the day >> when we'll decide to add some extra servers? Or ask all users to >> change passwords because we've added another LDAP server or whatever? > > if you have a bunch of mirror servers providing the same service, > there's really no reason _not_ to use the same salt on all of them. > There's no reason for one LDAP server to impersonate a user to another > in the same pool. Put another way, you may have multiple machines, > but they are providing the same _service_. Agreed. > SCRAM is suited to small environments where it's reasonable to > maintain separate authentication databases for every service, usually > because there is no central infrastructure. If you're trying to set > up enterprise-grade distributed infrastructure, you should start with > an enterprise-grade authentication service. > >> I agree that by itself, the point belongs in Security Considerations. >> My objection is that this point in the Introduction, standing alone, is >> simply false: >> >> - The server does not gain the ability to impersonate the client to >> other servers (with an exception for server-authorized proxies). > > Hm. Maybe. Hallvard, can you please recommend specific changes to the document? Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0VBwWlY037539 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 31 Jan 2009 04:58:32 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0VBwWBF037538; Sat, 31 Jan 2009 04:58:32 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0VBwVjG037532 for <ietf-sasl@imc.org>; Sat, 31 Jan 2009 04:58:32 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [92.40.46.168] (92.40.46.168.sub.mbb.three.co.uk [92.40.46.168]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SYQ84gB0lEtl@rufus.isode.com>; Sat, 31 Jan 2009 11:58:28 +0000 Message-ID: <49843CBF.3000309@isode.com> Date: Sat, 31 Jan 2009 11:57:51 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> CC: Jeffrey Hutzelman <jhutz@cmu.edu>, ietf-sasl@imc.org Subject: Re: SCRAM notes References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> <hbf.20090127zhou@bombur.uio.no> In-Reply-To: <hbf.20090127zhou@bombur.uio.no> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Hallvard B Furuseth wrote: >[I should have changed the subject. Better late than nenver...] > >Jeffrey Hutzelman writes: > > [...] >>>>1.2. Notation >>>> U0 := HMAC(str, salt || INT(1)) >>>> >>>Make that HMAC(str, (salt || INT(1))) or HMAC((str, salt) || INT(1)). >>> >>Uh, why? It's pretty clear than an HMAC requires two arguments (key and >>message); in fact, that's about three paragraphs above the text you quote. >> >> > >Nothing important. Just a bit easier to read. Or rather, to glance at >without needing to read as far as three paragraphs away. > I actually disagree that adding extra () would add clarity in this case. Besides, I was reusing a concention defined in another RFC. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0VBskn0037028 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 31 Jan 2009 04:54:46 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0VBskDu037027; Sat, 31 Jan 2009 04:54:46 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0VBsX5i037014 for <ietf-sasl@imc.org>; Sat, 31 Jan 2009 04:54:44 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [92.40.46.168] (92.40.46.168.sub.mbb.three.co.uk [92.40.46.168]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SYQ78wB0lKxO@rufus.isode.com>; Sat, 31 Jan 2009 11:54:30 +0000 Message-ID: <49843BCA.9070403@isode.com> Date: Sat, 31 Jan 2009 11:53:46 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> CC: ietf-sasl@imc.org Subject: Re: ABNF for the three cases of SCRAM as GS2 References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> In-Reply-To: <hbf.20090127vtyg@bombur.uio.no> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Hallvard B Furuseth wrote: >Alexey Melnikov writes: > >>To clarify: I will produce both the updated (hopefully final) version >>of SCRAM without GS2-related changes, plus another version which >>contains GS2 related ABNF and examples. >> >Likely not final. > I meant in the sense that it would be good enough for the WGLC. >Then your first versions of the "To be written" >appendixes woudl have to pass through with almost no discussion. > >I've been waiting for a more finalized draft (by now, in particular >Appendix B) before doing a careful review, and reposting some concerns >of mine in case the authors just hadn't gotten to them yet. Appendix B >to possibly short-circuit discussion of some other details. But I can >look through the archives and my notes and (re-)post, if you want. > > Yes please. Please don't mention the description of m= again, I will take care of that. Actually, you might hold off till I posted an updated version. >Some old and new points I remember off-hand: > >- Regarding GS2, let me just make a general protest againt the verbose > way the derivation of GS2 names are spelled out in... I don't remember > which mechanism draft(s) at the moment. Just say it has > > "GSS-API mechanism OID: <whatever> > SASL mechanism name: GS2-<whatever> due to [GS2] section 3)" > > Yes, absolutely. [...] >>1.1. Terminology >> Some clarifications and additional definitions follow: >> >What's a server-authorized proxy? > > An entity authorized by the server to act on its behalf. I am not sure this needs to be spelled out? [...] >>5. SCRAM Authentication Exchange >> Servers SHOULD announce a hash iteration-count of at least 128. >> >Why? Different hash algorithms have different strengths and different >costs to compute, thus I'd think this depends on the hash algorithm. > > Yes, I agree with that. So I've moved this sentence to the section talking about various SCRAM attributes and reworded it as: For SCRAM-HMAC-SHA-1 SASL mechanism servers SHOULD announce a hash iteration-count of at least 128. >And, for that matter, on the strength of expected attacks. > > This is just a minimal requirement, deployments can choose bigger values, or, if there is a good reason, smaller values. I would be happy with having any value that the Security Directorate would recommend for HMAC-SHA-1. >Also, how does an iteration count of more than 1 help on a site where >passwords are stored in several forms anyway, maybe including salted MD5 >for Unix crypt()? (Maybe that's for Appendix B or C, I don't know.) > My understanding is that one can read values from hashed password files and use them to implement server side SCRAM. There is no requirement that SCRAM specific hash be stored in such files. >If I remember correctly (and I may not), one problem with the proposed >competing SRP mechanism was the computation cost. How does that compare >with a high SCRAM iteration count? > > I think some tests need to be performed before I can answer this question. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0SGAhXP056389 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Jan 2009 09:10:43 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0SGAh14056388; Wed, 28 Jan 2009 09:10:43 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0SGAV9j056356 for <ietf-sasl@imc.org>; Wed, 28 Jan 2009 09:10:42 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [172.16.2.176] (shiny.isode.com [62.3.217.250]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SYCDdgB0lJ9=@rufus.isode.com>; Wed, 28 Jan 2009 16:10:31 +0000 Message-ID: <49808359.6030003@isode.com> Date: Wed, 28 Jan 2009 16:10:01 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Jeffrey Hutzelman <jhutz@cmu.edu> CC: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>, ietf-sasl@imc.org Subject: Re: SCRAM notes References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> <hbf.20090127zhou@bombur.uio.no> <6A133083FF771C2ADA81A6F1@atlantis.pc.cs.cmu.edu> <hbf.20090127b3t4@bombur.uio.no> <497F8CEA.5020706@isode.com> <hbf.20090128hs8q@bombur.uio.no> <ED5B56DECC962D8D94696D42@atlantis.pc.cs.cmu.edu> In-Reply-To: <ED5B56DECC962D8D94696D42@atlantis.pc.cs.cmu.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Jeffrey Hutzelman wrote: > --On Wednesday, January 28, 2009 03:01:58 PM +0100 Hallvard B Furuseth > <h.b.furuseth@usit.uio.no> wrote: > >> The second is a set of RCFs which an implementation may pick and >> choose from. This is what I understand with the word "extension". >> An implementation of the 4rd RFC need not even know about the 2nd >> and 3rd, except it must know from the 2nd what to do about "m=". >> >> The first is an ordered sequence of RFCs, each adding to/replacing the >> previous one. An implementation of the 4rd RFC will known about the 2nd >> and 3rd, though it might just know enough to recognize and reject any >> real use of them if that should be necessary. If this is what you are >> talking about, then don't call it "extensions" at all. > > Yes, that's a pretty good description of the distinction I was going > for. The m= field is intended to be a reserved field whose semantics > will be defined by a future protocol update. The _expectation_ is > that said update will define semantics which make it possible for > "extensions" to have critical/mandatory fields. Likely the value of > m= will turn out to be a list of names of other extension fields which > are also mandatory, but we haven't actually said that, and a large > part of the point is to avoid having to nail that down and say it > right now. > > FWIW, I think it's likely that the first time we have an extension > which needs a mandatory field, we'll do it in a single document which > both revises the spec to define how the m= field works _and_ adds an > extension, which I think you allude to above. Agreed. > If you think it's confusing to use the name "mandatory-exts" for the > nonterminal describing the "m=" field, it could be changed. I think > the name is intended to be interpreted in the same vein as the others > around it; "m=" isn't itself a mandatory extension any more than "n=" > is a username. Rather, "m=" contains the list of mandatory extensions > just as "n=" contains the username. > >>>> But now you need to specify that this >>>> is how the field is expected to be updated. Not necessarily in that >>>> seciont, could go in an appendix. >>> >>> Can you please recommend specific text for consideration? >> >> But I just did, roughly, and Jeffrey said "no no". That was my second >> attemt too. > > I think we're converging. It finally looks like that to me too :-). >> My first was the SCRAM "mandatory extensions"? thread, >> wich was a total misunderstanding of what was meant. >> >> But I can make another attempt, stealing a bit from later messages in >> this thread: >> >> * Rename the field and grammar symbol from "mandatory extensions" and >> "mandatory-exts" to "reserved". >> >> * description: >> - m: This attribute is reserved for future extensibility. >> In this version of SCRAM, its presence in a client or a server >> message MUST cause authentication failure when the attribute is >> parsed by the other end. > > Sounds reasonable to me. That is fine with me as well. >>>>>> Hold on. I think that's a bug anyway. The draft should say that >>>>>> auth >>>>>> MUST be aborted if a message doesn't match the grammar in Section 6. >>>>>> >>>>> No, we've been over this, and the consensus was that extension fields >>>>> should be non-critical; that is, unrecognized extensions are ignored. >>>> > Nevermind this. I misinterpreted you; I thought you were suggesting > that all unrecognized fields should be rejected, right after we > updated the document to make it clear that they are allowed. > > Read strictly, the grammar only admits unrecognized fields at the end > of each of several messages, and unrecognized fields elsewhere are > invalid. Right. > I think we need to be much more clear on this point. If we want to > require attributes to be in a particular order, then we need to say > that the sender MUST put them in that order. If we are going to make > use of this fact to put critical extensions at the front, then we also > need to say that the recipient MUST reject messages where they are not > in order. Ok, this sound reasonable. But let me think a bit more about ordering. > I'd much rather stick with m= as the indicator for critical > extensions, and allow receivers to accept messages with the attributes > in any order. Interoperability is better served by "be strict in what > you send, and liberal in what you accept" than by "be strict in what > you send and in what you accept". Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0SEVZv3050272 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Jan 2009 07:31:35 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0SEVZ1J050271; Wed, 28 Jan 2009 07:31:35 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from jackfruit.srv.cs.cmu.edu (JACKFRUIT.SRV.CS.CMU.EDU [128.2.201.16]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0SEVNAD050256 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Wed, 28 Jan 2009 07:31:34 -0700 (MST) (envelope-from jhutz@cmu.edu) Received: from 173-114-124-216.pools.spcsdns.net (ATLANTIS-HOME.PC.CS.CMU.EDU [128.2.184.185]) (authenticated bits=0) by jackfruit.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id n0SEVJDw015903 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Jan 2009 09:31:20 -0500 (EST) Date: Wed, 28 Jan 2009 09:31:19 -0500 From: Jeffrey Hutzelman <jhutz@cmu.edu> To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>, Alexey Melnikov <alexey.melnikov@isode.com> cc: ietf-sasl@imc.org, jhutz@cmu.edu Subject: Re: SCRAM notes Message-ID: <ED5B56DECC962D8D94696D42@atlantis.pc.cs.cmu.edu> In-Reply-To: <hbf.20090128hs8q@bombur.uio.no> References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> <hbf.20090127zhou@bombur.uio.no> <6A133083FF771C2ADA81A6F1@atlantis.pc.cs.cmu.edu> <hbf.20090127b3t4@bombur.uio.no> <497F8CEA.5020706@isode.com> <hbf.20090128hs8q@bombur.uio.no> X-Mailer: Mulberry/4.0.8 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Scanned-By: mimedefang-cmuscs on 128.2.201.16 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> --On Wednesday, January 28, 2009 03:01:58 PM +0100 Hallvard B Furuseth <h.b.furuseth@usit.uio.no> wrote: > The second is a set of RCFs which an implementation may pick and > choose from. This is what I understand with the word "extension". > An implementation of the 4rd RFC need not even know about the 2nd > and 3rd, except it must know from the 2nd what to do about "m=". > > The first is an ordered sequence of RFCs, each adding to/replacing the > previous one. An implementation of the 4rd RFC will known about the 2nd > and 3rd, though it might just know enough to recognize and reject any > real use of them if that should be necessary. If this is what you are > talking about, then don't call it "extensions" at all. Yes, that's a pretty good description of the distinction I was going for. The m= field is intended to be a reserved field whose semantics will be defined by a future protocol update. The _expectation_ is that said update will define semantics which make it possible for "extensions" to have critical/mandatory fields. Likely the value of m= will turn out to be a list of names of other extension fields which are also mandatory, but we haven't actually said that, and a large part of the point is to avoid having to nail that down and say it right now. FWIW, I think it's likely that the first time we have an extension which needs a mandatory field, we'll do it in a single document which both revises the spec to define how the m= field works _and_ adds an extension, which I think you allude to above. If you think it's confusing to use the name "mandatory-exts" for the nonterminal describing the "m=" field, it could be changed. I think the name is intended to be interpreted in the same vein as the others around it; "m=" isn't itself a mandatory extension any more than "n=" is a username. Rather, "m=" contains the list of mandatory extensions just as "n=" contains the username. >>> But now you need to specify that this >>> is how the field is expected to be updated. Not necessarily in that >>> seciont, could go in an appendix. >> >> Can you please recommend specific text for consideration? > > But I just did, roughly, and Jeffrey said "no no". That was my second > attemt too. I think we're converging. > My first was the SCRAM "mandatory extensions"? thread, > wich was a total misunderstanding of what was meant. > > But I can make another attempt, stealing a bit from later messages in > this thread: > > * Rename the field and grammar symbol from "mandatory extensions" and > "mandatory-exts" to "reserved". > > * description: > - m: This attribute is reserved for future extensibility. > In this version of SCRAM, its presence in a client or a server > message MUST cause authentication failure when the attribute is > parsed by the other end. Sounds reasonable to me. >>>>> Hold on. I think that's a bug anyway. The draft should say that auth >>>>> MUST be aborted if a message doesn't match the grammar in Section 6. >>>>> >>>> No, we've been over this, and the consensus was that extension fields >>>> should be non-critical; that is, unrecognized extensions are ignored. Nevermind this. I misinterpreted you; I thought you were suggesting that all unrecognized fields should be rejected, right after we updated the document to make it clear that they are allowed. Read strictly, the grammar only admits unrecognized fields at the end of each of several messages, and unrecognized fields elsewhere are invalid. I think we need to be much more clear on this point. If we want to require attributes to be in a particular order, then we need to say that the sender MUST put them in that order. If we are going to make use of this fact to put critical extensions at the front, then we also need to say that the recipient MUST reject messages where they are not in order. I'd much rather stick with m= as the indicator for critical extensions, and allow receivers to accept messages with the attributes in any order. Interoperability is better served by "be strict in what you send, and liberal in what you accept" than by "be strict in what you send and in what you accept". > I just came up with one myself: One could not compute ClientSignature > and ServerSignature while sending the message, so one must construct the > entire message in memory before sending. Not sure how much of an > objection that is though. I don't think it's a significant one, given the sizes of the messages involved. That said, it seems somehow more aesthetically pleasing to me to keep it at the end. Whatever. -- Jeff Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0SEOJc3049798 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Jan 2009 07:24:19 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0SEOJKW049797; Wed, 28 Jan 2009 07:24:19 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from mail-out1.uio.no (mail-out1.uio.no [129.240.10.57]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0SEOGUX049791 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Wed, 28 Jan 2009 07:24:18 -0700 (MST) (envelope-from hbf@bombur.uio.no) Received: from mail-mx5.uio.no ([129.240.10.46]) by mail-out1.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LSBKv-0004wv-Kp; Wed, 28 Jan 2009 15:24:13 +0100 Received: from bombur.uio.no ([129.240.6.233]) by mail-mx5.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LSBKu-0000Rn-V7; Wed, 28 Jan 2009 15:24:13 +0100 Received: from hbf by bombur.uio.no with local (Exim 4.44) id 1LSBKu-0001OW-Tw; Wed, 28 Jan 2009 15:24:12 +0100 From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <hbf.20090128i6nj@bombur.uio.no> Date: Wed, 28 Jan 2009 15:24:12 +0100 To: Alexey Melnikov <alexey.melnikov@isode.com> cc: Jeffrey Hutzelman <jhutz@cmu.edu>, ietf-sasl@imc.org Subject: Re: SCRAM notes In-Reply-To: <hbf.20090128hs8q@bombur.uio.no> References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> <hbf.20090127zhou@bombur.uio.no> <6A133083FF771C2ADA81A6F1@atlantis.pc.cs.cmu.edu> <hbf.20090127b3t4@bombur.uio.no> <497F8CEA.5020706@isode.com> <hbf.20090128hs8q@bombur.uio.no> X-Mailer: VM 7.18 under Emacs 22.2.1 X-UiO-Spam-info: not spam, SpamAssassin (score=-5.0, required=5.0, autolearn=disabled, UIO_MAIL_IS_INTERNAL=-5, uiobl=NO, uiouri=NO) X-UiO-Scanned: E1F48013997FD9749F1A0DC61D096FA282475A52 X-UiO-SPAM-Test: remote_host: 129.240.6.233 spam_score: -49 maxlevel 200 minaction 2 bait 0 mail/h: 2 total 1353 max/h 8 blacklist 0 greylist 0 ratelimit 0 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> I wrote: > >>That sounds unproblematic if you are talking about a newer version of > >>the spec which "obsoletes" this one rather than one of several > >>extensions which "updates" it. > >> > > What is the practical difference? > > As Jeffrey pointed out, I've been conflating the RFC process with the > the meaning of what a new RFC does to an old one. However, about > mandatory extensions (as opposed to the optional ones at the end): Argh... no, not mandatory vs. optional extensions. > The second that is, what I called "updating" SCRAM > is a set of RCFs which an implementation may pick and > choose from. This is what I understand with the word "extension". > An implementation of the 4rd RFC need not even know about the 2nd > and 3rd, except it must know from the 2nd what to do about "m=". > > The first I.e. "obsoleting" SCRAM > is an ordered sequence of RFCs, each adding to/replacing the > previous one. An implementation of the 4rd RFC will known about the 2nd > and 3rd, though it might just know enough to recognize and reject any > real use of them if that should be necessary. If this is what you are > talking about, then don't call it "extensions" at all. -- Hallvard Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0SE2GoC048751 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Jan 2009 07:02:16 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0SE2G0j048750; Wed, 28 Jan 2009 07:02:16 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from mail-out1.uio.no (mail-out1.uio.no [129.240.10.57]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0SE21lu048738 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Wed, 28 Jan 2009 07:02:14 -0700 (MST) (envelope-from hbf@bombur.uio.no) Received: from mail-mx2.uio.no ([129.240.10.30]) by mail-out1.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LSAzP-0005Fm-98; Wed, 28 Jan 2009 15:01:59 +0100 Received: from bombur.uio.no ([129.240.6.233]) by mail-mx2.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LSAzO-0000x2-Uq; Wed, 28 Jan 2009 15:01:59 +0100 Received: from hbf by bombur.uio.no with local (Exim 4.44) id 1LSAzO-0001Iz-9y; Wed, 28 Jan 2009 15:01:58 +0100 From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <hbf.20090128hs8q@bombur.uio.no> Date: Wed, 28 Jan 2009 15:01:58 +0100 To: Alexey Melnikov <alexey.melnikov@isode.com> Cc: Jeffrey Hutzelman <jhutz@cmu.edu>, ietf-sasl@imc.org Subject: Re: SCRAM notes In-Reply-To: <497F8CEA.5020706@isode.com> References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> <hbf.20090127zhou@bombur.uio.no> <6A133083FF771C2ADA81A6F1@atlantis.pc.cs.cmu.edu> <hbf.20090127b3t4@bombur.uio.no> <497F8CEA.5020706@isode.com> X-Mailer: VM 7.18 under Emacs 22.2.1 X-UiO-Spam-info: not spam, SpamAssassin (score=-5.0, required=5.0, autolearn=disabled, UIO_MAIL_IS_INTERNAL=-5, uiobl=NO, uiouri=NO) X-UiO-Scanned: 6791B8E32DC011084A7101A0B9C63F336AF6606B X-UiO-SPAM-Test: remote_host: 129.240.6.233 spam_score: -49 maxlevel 200 minaction 2 bait 0 mail/h: 1 total 1352 max/h 8 blacklist 0 greylist 0 ratelimit 0 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Alexey Melnikov writes: >Hallvard B Furuseth wrote: >>But isn't that what I just said? Except if we are talking of *a* newer >>version of the spec, I think calling it "extensions" is a misnomer. >>Should be something about "reserved" instead. > > In my copy I have the following text: > > - m: Presence of this attribute in a client or a server message MUST cause > authentication failure when the attribute is parsed by the other end. > The purpose of this attribute is to describe list of mandatory extensions > to SCRAM that the other end must support. This attribute is reserved for > future extensibility. > > I think this is quite clear. I thought so too, but apparently I've gotten it wrong several times now - even after Jeffrey's explanations... >>>This is not (yet) an extensibility mechanism; it's a field reserved >>>for use by a later version of the spec. >>> >>That sounds unproblematic if you are talking about a newer version of >>the spec which "obsoletes" this one rather than one of several >>extensions which "updates" it. >> > What is the practical difference? As Jeffrey pointed out, I've been conflating the RFC process with the the meaning of what a new RFC does to an old one. However, about mandatory extensions (as opposed to the optional ones at the end): The second is a set of RCFs which an implementation may pick and choose from. This is what I understand with the word "extension". An implementation of the 4rd RFC need not even know about the 2nd and 3rd, except it must know from the 2nd what to do about "m=". The first is an ordered sequence of RFCs, each adding to/replacing the previous one. An implementation of the 4rd RFC will known about the 2nd and 3rd, though it might just know enough to recognize and reject any real use of them if that should be necessary. If this is what you are talking about, then don't call it "extensions" at all. >>But now you need to specify that this >>is how the field is expected to be updated. Not necessarily in that >>seciont, could go in an appendix. > > Can you please recommend specific text for consideration? But I just did, roughly, and Jeffrey said "no no". That was my second attemt too. My first was the SCRAM "mandatory extensions"? thread, wich was a total misunderstanding of what was meant. But I can make another attempt, stealing a bit from later messages in this thread: * Rename the field and grammar symbol from "mandatory extensions" and "mandatory-exts" to "reserved". * description: - m: This attribute is reserved for future extensibility. In this version of SCRAM, its presence in a client or a server message MUST cause authentication failure when the attribute is parsed by the other end. >>>>Hold on. I think that's a bug anyway. The draft should say that auth >>>>MUST be aborted if a message doesn't match the grammar in Section 6. >>>> >>>No, we've been over this, and the consensus was that extension fields >>>should be non-critical; that is, unrecognized extensions are ignored. >>> >>Not _mandatory_ extensions, since an older SASL implementation will >>abort the authentication when it sees "m=". > > I don't understand this comment. Nor do I understand Jeffrey's. We were discussing mandatory extensions, "m=" or a replacement for it. This cannot be ignored, it'll cause a failure in the current implementation. So how does that square with "unrecognized extensions are ignored"? That's the optional extensions field in the draft. Unless the draft is saying something quite else than people agreed off-line that it should say - and I'm talking about the draft while he's talking about that off-line agreement. > Any optional extension goes at the end. > Any mandatory extension would result in m= being present and can put > something at the end. Yes. Or, I assumed, it could have m=something present and not put something at the end. Or it could have an optional extensions without "m=" at the front. But this was an approach I had not thought of. You mean something like, an RFC puts the actual extension data ",x=foo" at the end, and "m=x," at the front to tell SCRAM that this particular "x=foo" extension cannot be ignored? But again, that's just another way to spell out a critical x= extension, so I don't see how it squares with "consensus was that extension fields should be non-critical" as an objection to another way to spell out mandatory extensions. Could you describe a practical example of how you imagine this field being defined and used, presumably with one RFC defining it and two others using it? Even if you don't want this in the spec, it'd be nice to be sure we are somewhere on the same page in this discussion. So far we apparently haven't been. > (...) >>That's not what the grammar does. It only allows optional extensions >>at the end, except for the wart that "p=" comes after it in the final >>client message. >> >>Maybe it'd be cleaner to put "p=" at the _front_ of that message? >> > Not really. p= is constructed from: > > AuthMessage := client-first-message + "," + > server-first-message + "," + > final-client-message-without-proof > > so it covers everything, including extensions. > One can just strcat() 3 pieces together and calculate hash from them. Yes... > Arguably if p= moves to the front of the > final-client-message-without-proof, then the has would still be easy to > extract, but it would require extra memcopy, or some other thing. Yes, the trade-off is whether it should be easy to parse or easy to construct. Generally parsing is the less trivial and thus most bug-prone task, which is why I suggested putting it at the front. BTW, this is also why I like the grammar with fixed placement of fields. Even if it seems simple enough, IIRC the opposite approach was one of the sources of bugs people mentioned for DIGEST-MD5. >>Then the client immediately knows where to find it, and it can happily >>ignore all fields from optional extensions to the end of the message. >> > I am not sure it buys that much. Other opinions? I just came up with one myself: One could not compute ClientSignature and ServerSignature while sending the message, so one must construct the entire message in memory before sending. Not sure how much of an objection that is though. -- Hallvard Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RNlEO6008491 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 16:47:14 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0RNlE5M008490; Tue, 27 Jan 2009 16:47:14 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RNlDI9008484 for <ietf-sasl@imc.org>; Tue, 27 Jan 2009 16:47:13 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [92.40.94.85] (92.40.94.85.sub.mbb.three.co.uk [92.40.94.85]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SX-c-wB0lJ6L@rufus.isode.com>; Tue, 27 Jan 2009 23:47:10 +0000 Message-ID: <497F9CD4.3070803@isode.com> Date: Tue, 27 Jan 2009 23:46:28 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Jeffrey Hutzelman <jhutz@cmu.edu> CC: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>, ietf-sasl@imc.org Subject: Re: SCRAM notes References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> <hbf.20090127zhou@bombur.uio.no> <6A133083FF771C2ADA81A6F1@atlantis.pc.cs.cmu.edu> <hbf.20090127b3t4@bombur.uio.no> <497F8CEA.5020706@isode.com> <9B2A90E85149F328F263E5F7@atlantis.pc.cs.cmu.edu> In-Reply-To: <9B2A90E85149F328F263E5F7@atlantis.pc.cs.cmu.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Jeffrey Hutzelman wrote: > --On Tuesday, January 27, 2009 10:38:34 PM +0000 Alexey Melnikov > <alexey.melnikov@isode.com> wrote: > >> In my copy I have the following text: >> >> - m: Presence of this attribute in a client or a server message MUST >> cause >> authentication failure when the attribute is parsed by the other end. >> The purpose of this attribute is to describe list of mandatory >> extensions >> to SCRAM that the other end must support. This attribute is reserved for >> future extensibility. > > I'm not sure if I like the second sentence. That's actually how I > expect this attribute to work, if/when we ever define it, but it would > be a mistake for any implementor to assume any particular syntax or > semantics, or for an extension to assume that it can include a > mandatory attribute under the current spec. Ok, do you want it removed? >>>> This is not (yet) an extensibility mechanism; it's a field reserved >>>> for use by a later version of the spec. >>> >>> That sounds unproblematic if you are talking about a newer version of >>> the spec which "obsoletes" this one rather than one of several >>> extensions which "updates" it. >> >> What is the practical difference? > > Process-wise, the difference between "obsoletes" and "updates" is that > if one document "obsoletes" another, then it is no longer necessary to > refer to the older document, as the new one completely specifies the > new protocol. If one document "updates" another, then it makes > changes which must be read together with the original document to be > meaningful. I know the IETF meaning of these words. I was talking about implementors. In either case an implementor can find the original document using www.rfc-editor.org website. > That's not the distinction we're actually talking about here. We're > talking about the distinction between a document which revises the > base spec, by either updating or obsoleting the document we're > currently discussing, and a document which adds an extension using > some mechanism already provided for that purpose, such as by adding > new attributes in the places reserved in the protocol for that purpose. > > An updated version of the spec can make pretty much any change it > wants, though it is usually preferred to avoid making > backward-incompatible changes. An extension adds to the spec only in > previously-defined ways. > > I believe we envisioned the m= field as something to be redefined by a > future revision to SCRAM. In its present form, it cannot be used by > an extension which does not revise SCRAM. I think you are talking about mechanics of how such hypothetical change can be made. I don't think we should care at the moment. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RN3quG006548 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 16:03:52 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0RN3q30006547; Tue, 27 Jan 2009 16:03:52 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from jackfruit.srv.cs.cmu.edu (JACKFRUIT.SRV.CS.CMU.EDU [128.2.201.16]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RN3eXZ006535 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Tue, 27 Jan 2009 16:03:51 -0700 (MST) (envelope-from jhutz@cmu.edu) Received: from 173-114-124-216.pools.spcsdns.net (173-114-124-216.pools.spcsdns.net [173.114.124.216]) (authenticated bits=0) by jackfruit.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id n0RN3ZgT025770 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 18:03:37 -0500 (EST) Date: Tue, 27 Jan 2009 18:03:35 -0500 From: Jeffrey Hutzelman <jhutz@cmu.edu> To: Alexey Melnikov <alexey.melnikov@isode.com>, Hallvard B Furuseth <h.b.furuseth@usit.uio.no> cc: ietf-sasl@imc.org, jhutz@cmu.edu Subject: Re: SCRAM notes Message-ID: <9B2A90E85149F328F263E5F7@atlantis.pc.cs.cmu.edu> In-Reply-To: <497F8CEA.5020706@isode.com> References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> <hbf.20090127zhou@bombur.uio.no> <6A133083FF771C2ADA81A6F1@atlantis.pc.cs.cmu.edu> <hbf.20090127b3t4@bombur.uio.no> <497F8CEA.5020706@isode.com> X-Mailer: Mulberry/4.0.8 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Scanned-By: mimedefang-cmuscs on 128.2.201.16 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> --On Tuesday, January 27, 2009 10:38:34 PM +0000 Alexey Melnikov <alexey.melnikov@isode.com> wrote: > In my copy I have the following text: > > - m: Presence of this attribute in a client or a server message MUST cause > authentication failure when the attribute is parsed by the other end. > The purpose of this attribute is to describe list of mandatory extensions > to SCRAM that the other end must support. This attribute is reserved for > future extensibility. I'm not sure if I like the second sentence. That's actually how I expect this attribute to work, if/when we ever define it, but it would be a mistake for any implementor to assume any particular syntax or semantics, or for an extension to assume that it can include a mandatory attribute under the current spec. >>> This is not (yet) an extensibility mechanism; it's a field reserved >>> for use by a later version of the spec. >>> >>> >> That sounds unproblematic if you are talking about a newer version of >> the spec which "obsoletes" this one rather than one of several >> extensions which "updates" it. >> > What is the practical difference? Process-wise, the difference between "obsoletes" and "updates" is that if one document "obsoletes" another, then it is no longer necessary to refer to the older document, as the new one completely specifies the new protocol. If one document "updates" another, then it makes changes which must be read together with the original document to be meaningful. That's not the distinction we're actually talking about here. We're talking about the distinction between a document which revises the base spec, by either updating or obsoleting the document we're currently discussing, and a document which adds an extension using some mechanism already provided for that purpose, such as by adding new attributes in the places reserved in the protocol for that purpose. An updated version of the spec can make pretty much any change it wants, though it is usually preferred to avoid making backward-incompatible changes. An extension adds to the spec only in previously-defined ways. I believe we envisioned the m= field as something to be redefined by a future revision to SCRAM. In its present form, it cannot be used by an extension which does not revise SCRAM. >> But now you need to specify that this >> is how the field is expected to be updated. Not necessarily in that >> seciont, could go in an appendix. >> >> > Can you please recommend specific text for consideration? I don't think any text is required. It's generally accepted that something which is unspecified or reserved is, well, unspecified or reserved, and also that a new document which revises an existing one can make more or less any change. We're doing this the way we are specifically to _avoid_ having to specify anything about the m= field or how it will work. >> I'm quite happy with a required order. Easier to parse, and no need to >> catch and hopefully fail on multiple occurrences of the same field name. Recall the golden rule. It's a well-understood principle that, when possible, we should be liberal in what we accept. Anyone is free to produce an implementation that is strict about this, but as protocol designers, we would be foolish to assume that everyone will do so and to require it for correct operation of the protocol. -- Jeff Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RMdDoo005797 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 15:39:13 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0RMdDMw005796; Tue, 27 Jan 2009 15:39:13 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RMdBul005790 for <ietf-sasl@imc.org>; Tue, 27 Jan 2009 15:39:12 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [92.40.94.85] (92.40.94.85.sub.mbb.three.co.uk [92.40.94.85]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SX-NCwB0lIQu@rufus.isode.com>; Tue, 27 Jan 2009 22:39:09 +0000 Message-ID: <497F8CEA.5020706@isode.com> Date: Tue, 27 Jan 2009 22:38:34 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> CC: Jeffrey Hutzelman <jhutz@cmu.edu>, ietf-sasl@imc.org Subject: Re: SCRAM notes References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> <hbf.20090127zhou@bombur.uio.no> <6A133083FF771C2ADA81A6F1@atlantis.pc.cs.cmu.edu> <hbf.20090127b3t4@bombur.uio.no> In-Reply-To: <hbf.20090127b3t4@bombur.uio.no> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Hallvard B Furuseth wrote: >Jeffrey Hutzelman writes: > > >>--On Tuesday, January 27, 2009 07:00:55 PM +0100 Hallvard B Furuseth >><h.b.furuseth@usit.uio.no> wrote: >> >> >>> "m: Presence of this attribute in a client or a server message MUST >>> cause authentication failure when the attribute is parsed by the >>> other end." >>> >>>Just add something amounting to "...except when it correctly matches an >>>extension the implementation implements", and maybe some words from your >>>description. Then extension documents will no longer need to contradict >>>the original description which says it MUST fail. >>> >>> >>No no. The idea is that it MUST fail unless you are implementing a newer >>version of the spec which defines different behavior. >> >> >But isn't that what I just said? Except if we are talking of *a* newer >version of the spec, I think calling it "extensions" is a misnomer. >Should be something about "reserved" instead. > > In my copy I have the following text: - m: Presence of this attribute in a client or a server message MUST cause authentication failure when the attribute is parsed by the other end. The purpose of this attribute is to describe list of mandatory extensions to SCRAM that the other end must support. This attribute is reserved for future extensibility. I think this is quite clear. >>This is not (yet) an extensibility mechanism; it's a field reserved >>for use by a later version of the spec. >> >> >That sounds unproblematic if you are talking about a newer version of >the spec which "obsoletes" this one rather than one of several >extensions which "updates" it. > What is the practical difference? >But now you need to specify that this >is how the field is expected to be updated. Not necessarily in that >seciont, could go in an appendix. > > Can you please recommend specific text for consideration? >>>Hold on. I think that's a bug anyway. The draft should say that auth >>>MUST be aborted if a message doesn't match the grammar in Section 6. >>> >>> >>No, we've been over this, and the consensus was that extension fields >>should be non-critical; that is, unrecognized extensions are ignored. >> >> >Not _mandatory_ extensions, since an older SASL implementation will >abort the authentication when it sees "m=". > > I don't understand this comment. Any optional extension goes at the end. Any mandatory extension would result in m= being present and can put something at the end. >>This is reflected by the grammar in section 6, which allows arbitrary >>unrecognized name=value pairs in several places. >> >> >Only the optional extensions ("extensions" grammar symbol), which is at >a fixed place in each message. > > >>>That will automatically support the 'm=' definition as it is described >>>now, since an initial unknown field does not match the grammar.. >>>So the draft could support mandatory extensions just by saying extension >>>documents should place them at the beginning. And optional ones can >>>stay at the end, where they are ignored when unrecognized. >>> >>> >>Hrm. That's an interesting approach, and it might even work. But I'm not >>really thrilled with the idea of making the order matter more than it >>already does. The grammar currently describes fields in a particular >>order, but I would expect implementations to accept them in any order in >>practice, and depending on implementations _not_ to do so seems brittle. >>I'm much happier with an field whose criticality is indicated by its name >>rather than by its position. >> >> +1. >I'm quite happy with a required order. Easier to parse, and no need to >catch and hopefully fail on multiple occurrences of the same field name. > >Admittedly order-dependent meaning of extension fields does make me >nervous, but I can't quite come up with a reason. E.g. a client >typo/bug makes the optional 'a' (authzid) field be sent as 'A', so... >it doesn't match the grammar authentication fails. Well, good. >Kudos to whoever wrote that grammar. > > >>>Anyway, these extensions are new to the -07 draft and I don't remember >>>any discussion about them on this list prior to the draft, so I think it >>>must all come from some IETF meeting discussions. (Which is one reason >>>I've been waiting for a more finalized draft, like I said:-) >>> >>> >>They are the result of resolving one of the open questions in -06, which is >>whether unrecognized attribute-value-pairs should be ignored. The answer >>turned out to be "yes, except for this special one, which we reserve for >>future use in defining a critical extension mechanism". >> >> >That's not what the grammar does. It only allows optional extensions >at the end, except for the wart that "p=" comes after it in the final >client message. > >Maybe it'd be cleaner to put "p=" at the _front_ of that message? > > Not really. p= is constructed from: AuthMessage := client-first-message + "," + server-first-message + "," + final-client-message-without-proof so it covers everything, including extensions. One can just strcat() 3 pieces together and calculate hash from them. Arguably if p= moves to the front of the final-client-message-without-proof, then the has would still be easy to extract, but it would require extra memcopy, or some other thing. >Then the client immediately knows where to find it, and it can happily >ignore all fields from optional extensions to the end of the message. > > I am not sure it buys that much. Other opinions? Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RL9BMJ002079 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 14:09:11 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0RL9Bea002078; Tue, 27 Jan 2009 14:09:11 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RL8xfm002060 for <ietf-sasl@imc.org>; Tue, 27 Jan 2009 14:09:10 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [92.40.94.85] (92.40.94.85.sub.mbb.three.co.uk [92.40.94.85]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SX936AB0lBi1@rufus.isode.com>; Tue, 27 Jan 2009 21:08:58 +0000 Message-ID: <497F77CB.6020401@isode.com> Date: Tue, 27 Jan 2009 21:08:27 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> CC: ietf-sasl@imc.org Subject: Re: IANA Hash Function Textual Names vs. SCRAM mechanism names References: <hbf.20090127a1gj@bombur.uio.no> In-Reply-To: <hbf.20090127a1gj@bombur.uio.no> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Hallvard B Furuseth wrote: >Now that I'm looking at SCRAM again (draft-newman-auth-scram-07.txt): > > >>4. SCRAM mechanism names >> >> A SCRAM mechanism name is a string "SCRAM-HMAC-" followed by the >> uppercased name of the underlying hashed function taken from the >> IANA "Hash Function Textual Names" registry. >> >> >Thus SCRAM can only use hash functions with case-insensitive names >of max 9 of the characters [-_0-9A-Z]. See RFC 4422 section 3.1. > > Yes, I've raised this issue myself. >Is there anything to prevent "LongCaseSensitiveName/paramName(value)" >from being registered as a hash function? I don't see anything in RFC >3279 or <http://www.iana.org/assignments/hash-function-text-names/>. > >Should we obsolete RFC 3279 for one which requires somewhat friendlier >names? > > I agree with Jeff that we shouldn't obsolete this RFC. But we can try to put extra restrictions on the registry. >Or do we defer any worry until it happens, > That too. >and register aliases for new >SCRAM-unfriendly names if they arrive? We'd need to keep that option >open anyway: I expect a 9-character limit on IANA hash function names >could be too restrictive, in particular if someone invents and registers >hash function family names. > > Jeffrey Hutzelman wrote: [...] > In practice, I don't think we need to worry about it. New names can > be added to that registry only by standards-track RFC's which update > or replace RFC3279, which is a pretty narrow category requiring fairly > wide review. I don't expect anyone will ever try to define a hash > function name which is deliberately long, invalid, or ambiguous. Agreed. > Note, BTW, that there is no such thing as a "case-insensitive name"; > only case-insensitive treatment of names. Regardless of what case > might be used in registering a hash function name, we can still use it > in a SASL mechanism name, unless/until there are two hash functions > whose registered names differ only in case, which I somehow doubt > would pass the review required for standards-track RFC's. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RKHWYc099456 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 13:17:32 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0RKHWiW099455; Tue, 27 Jan 2009 13:17:32 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from chokecherry.srv.cs.cmu.edu (CHOKECHERRY.SRV.CS.CMU.EDU [128.2.185.41]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RKHLpL099442 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Tue, 27 Jan 2009 13:17:32 -0700 (MST) (envelope-from jhutz@cmu.edu) Received: from atlantis-home.pc.cs.cmu.edu (173-114-124-216.pools.spcsdns.net [173.114.124.216]) (authenticated bits=0) by chokecherry.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id n0RKHHB7019501 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 15:17:18 -0500 (EST) Date: Tue, 27 Jan 2009 15:17:17 -0500 From: Jeffrey Hutzelman <jhutz@cmu.edu> To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> cc: ietf-sasl@imc.org, jhutz@cmu.edu Subject: Re: IANA Hash Function Textual Names vs. SCRAM mechanism names Message-ID: <3E2034024FEF749DC916FD73@atlantis.pc.cs.cmu.edu> In-Reply-To: <hbf.20090127ber3@bombur.uio.no> References: <hbf.20090127a1gj@bombur.uio.no> <2D52288F766C8F0B82DA3F00@atlantis.pc.cs.cmu.edu> <hbf.20090127ber3@bombur.uio.no> X-Mailer: Mulberry/4.0.8 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Scanned-By: mimedefang-cmuscs on 128.2.185.41 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> --On Tuesday, January 27, 2009 08:47:29 PM +0100 Hallvard B Furuseth <h.b.furuseth@usit.uio.no> wrote: > Hopefully so. I guess it's GS2 which has me worried. It'd never have > occurred to me to worry that a SASL mechanism name might someday be > named something unreadable like "GS2-DT4PIK22T6APV2PY" either. > A similar idea but base64 instead of base32 and SASL would be in > trouble. Or lowercase(base64()), since I too would expect required > case-sensitive treatment to raise loud protests. Well, GS2 is a SASL mechanism family, and so was designed specifically with the requirements of SASL in mind. Compare to RFC4462, which defines a family of GSS-API-based SSH key exchange algorithms using a similar technique, but based on the requirements of SSH. -- Jeff Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RK15Zs098645 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 13:01:15 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0RK15hR098644; Tue, 27 Jan 2009 13:01:05 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from mail-out1.uio.no (mail-out1.uio.no [129.240.10.57]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RK12M2098638 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Tue, 27 Jan 2009 13:01:04 -0700 (MST) (envelope-from hbf@bombur.uio.no) Received: from mail-mx4.uio.no ([129.240.10.45]) by mail-out1.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LRu7I-0006pz-Rd; Tue, 27 Jan 2009 21:01:00 +0100 Received: from bombur.uio.no ([129.240.6.233]) by mail-mx4.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LRu7I-0005Fu-Jt; Tue, 27 Jan 2009 21:01:00 +0100 Received: from hbf by bombur.uio.no with local (Exim 4.44) id 1LRu7I-00077E-Ik; Tue, 27 Jan 2009 21:01:00 +0100 From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <hbf.20090127bnii@bombur.uio.no> Date: Tue, 27 Jan 2009 21:01:00 +0100 To: Jeffrey Hutzelman <jhutz@cmu.edu>, Alexey Melnikov <alexey.melnikov@isode.com>, ietf-sasl@imc.org Subject: Re: SCRAM notes (was: ABNF for the three cases of SCRAM as GS2) In-Reply-To: <hbf.20090127b3t4@bombur.uio.no> References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> <hbf.20090127zhou@bombur.uio.no> <6A133083FF771C2ADA81A6F1@atlantis.pc.cs.cmu.edu> <hbf.20090127b3t4@bombur.uio.no> X-Mailer: VM 7.18 under Emacs 22.2.1 X-UiO-Spam-info: not spam, SpamAssassin (score=-5.0, required=5.0, autolearn=disabled, UIO_MAIL_IS_INTERNAL=-5, uiobl=NO, uiouri=NO) X-UiO-Scanned: 8A3B6C7AA691482BCF3A13B907F3F64CD51285A2 X-UiO-SPAM-Test: remote_host: 129.240.6.233 spam_score: -49 maxlevel 200 minaction 2 bait 0 mail/h: 1 total 1350 max/h 8 blacklist 0 greylist 0 ratelimit 0 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Sorry, I lost my answer to this. Hallvard B Furuseth writes: > Jeffrey Hutzelman writes: >> SCRAM is suited to small environments where it's reasonable to maintain >> separate authentication databases for every service, usually because there >> is no central infrastructure. I don't remember this coming up as a limitation for when to use SCRAM before, beyond the problem with using passwords in the first place. Does the draft say this somehow? >> If you're trying to set up enterprise-grade >> distributed infrastructure, you should start with an enterprise-grade >> authentication service. *I'm* not trying to set up anything in particular at the moment. Though I'm thinking of various things we've discussed to do in the future, or of other services I've used myself. I'm not sure what "enterprise-grade" is except a nice buzzword. My reason to choose SASL for something would likely be that it'd be the best available and widely enough supported alternative for whatever I'm doing. >(...) >>> My objection is that this point in the Introduction, standing alone, is >>> simply false: >>> >>> - The server does not gain the ability to impersonate the client to >>> other servers (with an exception for server-authorized proxies). >> >> Hm. Maybe. > > Note that we are now talking about exceptions to the exception (the > security considerations) to the rule (the intro statement). The point being, the discussion around this point is bringing up a whole host of unstated assumptions. Some of which I've just quoted from you above. Maybe the point should be restated completely, after looking a bit closer at just what it is trying to say. -- Hallvard Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RJlWUm098151 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 12:47:32 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0RJlWxB098150; Tue, 27 Jan 2009 12:47:32 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from mail-out1.uio.no (mail-out1.uio.no [129.240.10.57]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RJlT7n098142 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Tue, 27 Jan 2009 12:47:31 -0700 (MST) (envelope-from hbf@bombur.uio.no) Received: from mail-mx3.uio.no ([129.240.10.44]) by mail-out1.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LRtuD-0003B4-Ff; Tue, 27 Jan 2009 20:47:29 +0100 Received: from bombur.uio.no ([129.240.6.233]) by mail-mx3.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LRtuD-0002Za-7u; Tue, 27 Jan 2009 20:47:29 +0100 Received: from hbf by bombur.uio.no with local (Exim 4.44) id 1LRtuD-000768-6t; Tue, 27 Jan 2009 20:47:29 +0100 From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <hbf.20090127ber3@bombur.uio.no> Date: Tue, 27 Jan 2009 20:47:29 +0100 To: Jeffrey Hutzelman <jhutz@cmu.edu> Cc: ietf-sasl@imc.org Subject: Re: IANA Hash Function Textual Names vs. SCRAM mechanism names In-Reply-To: <2D52288F766C8F0B82DA3F00@atlantis.pc.cs.cmu.edu> References: <hbf.20090127a1gj@bombur.uio.no> <2D52288F766C8F0B82DA3F00@atlantis.pc.cs.cmu.edu> X-Mailer: VM 7.18 under Emacs 22.2.1 X-UiO-Spam-info: not spam, SpamAssassin (score=-5.0, required=5.0, autolearn=disabled, UIO_MAIL_IS_INTERNAL=-5, uiobl=NO, uiouri=NO) X-UiO-Scanned: AE1BF1819995E59B1C385FB5924A83F6AB93CEB5 X-UiO-SPAM-Test: remote_host: 129.240.6.233 spam_score: -49 maxlevel 200 minaction 2 bait 0 mail/h: 2 total 1349 max/h 8 blacklist 0 greylist 0 ratelimit 0 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Jeffrey Hutzelman writes: > Well, we certainly shouldn't obsolete RFC3279, which doesn't create that > registry or specify its rules, but does specify names and OID's for a > number of hash functions in wide use today. Besides, it's not ours. > > We also shouldn't obsolete RFC4572, which does create the registry and set > its rules, but is mostly about specifying SDP over TLS. Besides, it also > is not ours. Argh, I took the RFC name from the wrong browser window... Anyway, I didn't mean "we" would do it as in SASL taking it over, more like someone doing whatever was required. However, > In practice, I don't think we need to worry about it. > > New names can be > added to that registry only by standards-track RFC's which update or > replace RFC3279, which is a pretty narrow category requiring fairly wide > review. I don't expect anyone will ever try to define a hash function name > which is deliberately long, invalid, or ambiguous. Fine by me. As long as _someone_ who knows SASL keeps track. > Note, BTW, that there is no such thing as a "case-insensitive name"; only > case-insensitive treatment of names. Right, that was sloppy. > Regardless of what case might be used in registering a hash function > name, we can still use it in a SASL mechanism name, unless/until there > are two hash functions whose registered names differ only in case, > which I somehow doubt would pass the review required for > standards-track RFC's. Hopefully so. I guess it's GS2 which has me worried. It'd never have occurred to me to worry that a SASL mechanism name might someday be named something unreadable like "GS2-DT4PIK22T6APV2PY" either. A similar idea but base64 instead of base32 and SASL would be in trouble. Or lowercase(base64()), since I too would expect required case-sensitive treatment to raise loud protests. -- Hallvard Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RJUeCW097490 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 12:30:40 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0RJUeEh097489; Tue, 27 Jan 2009 12:30:40 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from mail-out2.uio.no (mail-out2.uio.no [129.240.10.58]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RJUbj0097482 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Tue, 27 Jan 2009 12:30:39 -0700 (MST) (envelope-from hbf@bombur.uio.no) Received: from mail-mx4.uio.no ([129.240.10.45]) by mail-out2.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LRtds-0001Wn-Ha; Tue, 27 Jan 2009 20:30:36 +0100 Received: from bombur.uio.no ([129.240.6.233]) by mail-mx4.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LRtds-00062U-73; Tue, 27 Jan 2009 20:30:36 +0100 Received: from hbf by bombur.uio.no with local (Exim 4.44) id 1LRtds-00074o-5q; Tue, 27 Jan 2009 20:30:36 +0100 From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <hbf.20090127b3t4@bombur.uio.no> Date: Tue, 27 Jan 2009 20:30:36 +0100 To: Jeffrey Hutzelman <jhutz@cmu.edu> Cc: Alexey Melnikov <alexey.melnikov@isode.com>, ietf-sasl@imc.org Subject: Re: SCRAM notes (was: ABNF for the three cases of SCRAM as GS2) In-Reply-To: <6A133083FF771C2ADA81A6F1@atlantis.pc.cs.cmu.edu> References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> <hbf.20090127zhou@bombur.uio.no> <6A133083FF771C2ADA81A6F1@atlantis.pc.cs.cmu.edu> X-Mailer: VM 7.18 under Emacs 22.2.1 X-UiO-Spam-info: not spam, SpamAssassin (score=-5.0, required=5.0, autolearn=disabled, UIO_MAIL_IS_INTERNAL=-5, uiobl=NO, uiouri=NO) X-UiO-Scanned: E85A00227D3B35CBD5B634D3490AD6F0F0540536 X-UiO-SPAM-Test: remote_host: 129.240.6.233 spam_score: -49 maxlevel 200 minaction 2 bait 0 mail/h: 1 total 1348 max/h 8 blacklist 0 greylist 0 ratelimit 0 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Jeffrey Hutzelman writes: >--On Tuesday, January 27, 2009 07:00:55 PM +0100 Hallvard B Furuseth ><h.b.furuseth@usit.uio.no> wrote: >> "m: Presence of this attribute in a client or a server message MUST >> cause authentication failure when the attribute is parsed by the >> other end." >> >> Just add something amounting to "...except when it correctly matches an >> extension the implementation implements", and maybe some words from your >> description. Then extension documents will no longer need to contradict >> the original description which says it MUST fail. > > No no. The idea is that it MUST fail unless you are implementing a newer > version of the spec which defines different behavior. But isn't that what I just said? Except if we are talking of *a* newer version of the spec, I think calling it "extensions" is a misnomer. Should be something about "reserved" instead. > This is not (yet) an extensibility mechanism; it's a field reserved > for use by a later version of the spec. That sounds unproblematic if you are talking about a newer version of the spec which "obsoletes" this one rather than one of several extensions which "updates" it. But now you need to specify that this is how the field is expected to be updated. Not necessarily in that seciont, could go in an appendix. >> Hold on. I think that's a bug anyway. The draft should say that auth >> MUST be aborted if a message doesn't match the grammar in Section 6. > > No, we've been over this, and the consensus was that extension fields > should be non-critical; that is, unrecognized extensions are ignored. Not _mandatory_ extensions, since an older SASL implementation will abort the authentication when it sees "m=". > This is reflected by the grammar in section 6, which allows arbitrary > unrecognized name=value pairs in several places. Only the optional extensions ("extensions" grammar symbol), which is at a fixed place in each message. >> That will automatically support the 'm=' definition as it is described >> now, since an initial unknown field does not match the grammar.. >> So the draft could support mandatory extensions just by saying extension >> documents should place them at the beginning. And optional ones can >> stay at the end, where they are ignored when unrecognized. > > Hrm. That's an interesting approach, and it might even work. But I'm not > really thrilled with the idea of making the order matter more than it > already does. The grammar currently describes fields in a particular > order, but I would expect implementations to accept them in any order in > practice, and depending on implementations _not_ to do so seems brittle. > I'm much happier with an field whose criticality is indicated by its name > rather than by its position. I'm quite happy with a required order. Easier to parse, and no need to catch and hopefully fail on multiple occurrences of the same field name. Admittedly order-dependent meaning of extension fields does make me nervous, but I can't quite come up with a reason. E.g. a client typo/bug makes the optional 'a' (authzid) field be sent as 'A', so... it doesn't match the grammar authentication fails. Well, good. Kudos to whoever wrote that grammar. >> Anyway, these extensions are new to the -07 draft and I don't remember >> any discussion about them on this list prior to the draft, so I think it >> must all come from some IETF meeting discussions. (Which is one reason >> I've been waiting for a more finalized draft, like I said:-) > > They are the result of resolving one of the open questions in -06, which is > whether unrecognized attribute-value-pairs should be ignored. The answer > turned out to be "yes, except for this special one, which we reserve for > future use in defining a critical extension mechanism". That's not what the grammar does. It only allows optional extensions at the end, except for the wart that "p=" comes after it in the final client message. Maybe it'd be cleaner to put "p=" at the _front_ of that message? Then the client immediately knows where to find it, and it can happily ignore all fields from optional extensions to the end of the message. >> Define "correctly". (...) > > if you have a bunch of mirror servers providing the same service, Mirrors need not provide the same service, in several ways: > there's really no reason _not_ to use the same salt on all of them. > There's no reason for one LDAP server to impersonate a user to another > in the same pool. Sure there is. A central well-protected server mirroring to servers physically present elsewhere, maybe in less protected places (so a break-in is easier), and/or run by different admins with different privileges and trust. Or the servers only mirror a subset of the directory, or allow access to different people/networks, so they do not in fact provide the same service. > SCRAM is suited to small environments where it's reasonable to maintain > separate authentication databases for every service, usually because there > is no central infrastructure. If you're trying to set up enterprise-grade > distributed infrastructure, you should start with an enterprise-grade > authentication service. > >> I agree that by itself, the point belongs in Security Considerations. >> My objection is that this point in the Introduction, standing alone, is >> simply false: >> >> - The server does not gain the ability to impersonate the client to >> other servers (with an exception for server-authorized proxies). > > Hm. Maybe. Note that we are now talking about exceptions to the exception (the security considerations) to the rule (the intro statement). Also you are talking from the administrator point of view. The statement looks quite different from a user (or client author) point of view, if he sends/stores his password through the protocol. Also to someone browsing various specs to see what claims they make, in order to _later_ look more carefully at the promising ones. -- Hallvard Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RJB3io096403 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 12:11:03 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0RJB3ZZ096402; Tue, 27 Jan 2009 12:11:03 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from chokecherry.srv.cs.cmu.edu (CHOKECHERRY.SRV.CS.CMU.EDU [128.2.185.41]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RJB2et096391 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Tue, 27 Jan 2009 12:11:03 -0700 (MST) (envelope-from jhutz@cmu.edu) Received: from atlantis-home.pc.cs.cmu.edu (ATLANTIS-HOME.PC.CS.CMU.EDU [128.2.184.185]) (authenticated bits=0) by chokecherry.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id n0RJAwjK015515 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 14:10:59 -0500 (EST) Date: Tue, 27 Jan 2009 14:10:58 -0500 From: Jeffrey Hutzelman <jhutz@cmu.edu> To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>, ietf-sasl@imc.org cc: jhutz@cmu.edu Subject: Re: IANA Hash Function Textual Names vs. SCRAM mechanism names Message-ID: <2D52288F766C8F0B82DA3F00@atlantis.pc.cs.cmu.edu> In-Reply-To: <hbf.20090127a1gj@bombur.uio.no> References: <hbf.20090127a1gj@bombur.uio.no> X-Mailer: Mulberry/4.0.8 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Scanned-By: mimedefang-cmuscs on 128.2.185.41 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> --On Tuesday, January 27, 2009 07:31:25 PM +0100 Hallvard B Furuseth <h.b.furuseth@usit.uio.no> wrote: > > Is there anything to prevent "LongCaseSensitiveName/paramName(value)" > from being registered as a hash function? I don't see anything in RFC > 3279 or <http://www.iana.org/assignments/hash-function-text-names/>. > > Should we obsolete RFC 3279 for one which requires somewhat friendlier > names? Well, we certainly shouldn't obsolete RFC3279, which doesn't create that registry or specify its rules, but does specify names and OID's for a number of hash functions in wide use today. Besides, it's not ours. We also shouldn't obsolete RFC4572, which does create the registry and set its rules, but is mostly about specifying SDP over TLS. Besides, it also is not ours. In practice, I don't think we need to worry about it. New names can be added to that registry only by standards-track RFC's which update or replace RFC3279, which is a pretty narrow category requiring fairly wide review. I don't expect anyone will ever try to define a hash function name which is deliberately long, invalid, or ambiguous. Note, BTW, that there is no such thing as a "case-insensitive name"; only case-insensitive treatment of names. Regardless of what case might be used in registering a hash function name, we can still use it in a SASL mechanism name, unless/until there are two hash functions whose registered names differ only in case, which I somehow doubt would pass the review required for standards-track RFC's. -- Jeff Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RIVnGk093366 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 11:31:49 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0RIVnBM093365; Tue, 27 Jan 2009 11:31:49 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from chokecherry.srv.cs.cmu.edu (CHOKECHERRY.SRV.CS.CMU.EDU [128.2.185.41]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RIVmYn093358 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Tue, 27 Jan 2009 11:31:49 -0700 (MST) (envelope-from jhutz@cmu.edu) Received: from atlantis-home.pc.cs.cmu.edu (ATLANTIS-HOME.PC.CS.CMU.EDU [128.2.184.185]) (authenticated bits=0) by chokecherry.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id n0RIVhKp013777 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 13:31:45 -0500 (EST) Date: Tue, 27 Jan 2009 13:31:43 -0500 From: Jeffrey Hutzelman <jhutz@cmu.edu> To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> cc: Alexey Melnikov <alexey.melnikov@isode.com>, ietf-sasl@imc.org, jhutz@cmu.edu Subject: Re: SCRAM notes (was: ABNF for the three cases of SCRAM as GS2) Message-ID: <6A133083FF771C2ADA81A6F1@atlantis.pc.cs.cmu.edu> In-Reply-To: <hbf.20090127zhou@bombur.uio.no> References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> <hbf.20090127zhou@bombur.uio.no> X-Mailer: Mulberry/4.0.8 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Scanned-By: mimedefang-cmuscs on 128.2.185.41 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> --On Tuesday, January 27, 2009 07:00:55 PM +0100 Hallvard B Furuseth <h.b.furuseth@usit.uio.no> wrote: > [I should have changed the subject. Better late than nenver...] > > Jeffrey Hutzelman writes: >> --On Tuesday, January 27, 2009 03:37:41 PM +0100 Hallvard B Furuseth >> <h.b.furuseth@usit.uio.no> wrote: >> >>> - The "m" (Mandatory extensions) field still seems poorly defined to me. >>> >>> For one thing the wording is unfortunate - an extension will have to >>> break the spec which says "m" must cause failure. >> >> It's deliberately not very specified. > > Yes, but so far we are talking about how the intended (vague) spec is > _worded_. Which led me to completely misunderstand what was meant, see > the discussion in December. > > "m: Presence of this attribute in a client or a server message MUST > cause authentication failure when the attribute is parsed by the > other end." > > Just add something amounting to "...except when it correctly matches an > extension the implementation implements", and maybe some words from your > description. Then extension documents will no longer need to contradict > the original description which says it MUST fail. No no. The idea is that it MUST fail unless you are implementing a newer version of the spec which defines different behavior. This is not (yet) an extensibility mechanism; it's a field reserved for use by a later version of the spec. > Hold on. I think that's a bug anyway. The draft should say that auth > MUST be aborted if a message doesn't match the grammar in Section 6. No, we've been over this, and the consensus was that extension fields should be non-critical; that is, unrecognized extensions are ignored. This is reflected by the grammar in section 6, which allows arbitrary unrecognized name=value pairs in several places. > That will automatically support the 'm=' definition as it is described > now, since an initial unknown field does not match the grammar.. > So the draft could support mandatory extensions just by saying extension > documents should place them at the beginning. And optional ones can > stay at the end, where they are ignored when unrecognized. Hrm. That's an interesting approach, and it might even work. But I'm not really thrilled with the idea of making the order matter more than it already does. The grammar currently describes fields in a particular order, but I would expect implementations to accept them in any order in practice, and depending on implementations _not_ to do so seems brittle. I'm much happier with an field whose criticality is indicated by its name rather than by its position. > Anyway, these extensions are new to the -07 draft and I don't remember > any discussion about them on this list prior to the draft, so I think it > must all come from some IETF meeting discussions. (Which is one reason > I've been waiting for a more finalized draft, like I said:-) They are the result of resolving one of the open questions in -06, which is whether unrecognized attribute-value-pairs should be ignored. The answer turned out to be "yes, except for this special one, which we reserve for future use in defining a critical extension mechanism". > Define "correctly". Generate some unneeded SCRAM hashes for each > password and store them somewhere safe, in anticipation of the day > when we'll decide to add some extra servers? Or ask all users to > change passwords because we've added another LDAP server or whatever? if you have a bunch of mirror servers providing the same service, there's really no reason _not_ to use the same salt on all of them. There's no reason for one LDAP server to impersonate a user to another in the same pool. Put another way, you may have multiple machines, but they are providing the same _service_. SCRAM is suited to small environments where it's reasonable to maintain separate authentication databases for every service, usually because there is no central infrastructure. If you're trying to set up enterprise-grade distributed infrastructure, you should start with an enterprise-grade authentication service. > I agree that by itself, the point belongs in Security Considerations. > My objection is that this point in the Introduction, standing alone, is > simply false: > > - The server does not gain the ability to impersonate the client to > other servers (with an exception for server-authorized proxies). Hm. Maybe. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RIVcjt093348 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 11:31:38 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0RIVcgO093347; Tue, 27 Jan 2009 11:31:38 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from mail-out1.uio.no (mail-out1.uio.no [129.240.10.57]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RIVQVU093332 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Tue, 27 Jan 2009 11:31:38 -0700 (MST) (envelope-from hbf@bombur.uio.no) Received: from mail-mx3.uio.no ([129.240.10.44]) by mail-out1.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LRsic-00071V-4O for ietf-sasl@imc.org; Tue, 27 Jan 2009 19:31:26 +0100 Received: from bombur.uio.no ([129.240.6.233]) by mail-mx3.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LRsib-0008RZ-T6; Tue, 27 Jan 2009 19:31:26 +0100 Received: from hbf by bombur.uio.no with local (Exim 4.44) id 1LRsib-0006y0-Rb; Tue, 27 Jan 2009 19:31:25 +0100 Message-Id: <hbf.20090127a1gj@bombur.uio.no> From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> To: ietf-sasl@imc.org Subject: IANA Hash Function Textual Names vs. SCRAM mechanism names Date: Tue, 27 Jan 2009 19:31:25 +0100 X-UiO-Spam-info: not spam, SpamAssassin (score=-5.0, required=5.0, autolearn=disabled, UIO_MAIL_IS_INTERNAL=-5, uiobl=NO, uiouri=NO) X-UiO-Scanned: BD650737588B0A9C65DC9224CB4043C9AFABCC47 X-UiO-SPAM-Test: remote_host: 129.240.6.233 spam_score: -49 maxlevel 200 minaction 1 bait 0 mail/h: 2 total 1347 max/h 8 blacklist 0 greylist 0 ratelimit 0 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Now that I'm looking at SCRAM again (draft-newman-auth-scram-07.txt): > 4. SCRAM mechanism names > > A SCRAM mechanism name is a string "SCRAM-HMAC-" followed by the > uppercased name of the underlying hashed function taken from the > IANA "Hash Function Textual Names" registry. Thus SCRAM can only use hash functions with case-insensitive names of max 9 of the characters [-_0-9A-Z]. See RFC 4422 section 3.1. Is there anything to prevent "LongCaseSensitiveName/paramName(value)" from being registered as a hash function? I don't see anything in RFC 3279 or <http://www.iana.org/assignments/hash-function-text-names/>. Should we obsolete RFC 3279 for one which requires somewhat friendlier names? Or do we defer any worry until it happens, and register aliases for new SCRAM-unfriendly names if they arrive? We'd need to keep that option open anyway: I expect a 9-character limit on IANA hash function names could be too restrictive, in particular if someone invents and registers hash function family names. -- Hallvard Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RI1Bhr091151 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 11:01:11 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0RI1B47091150; Tue, 27 Jan 2009 11:01:11 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from mail-out2.uio.no (mail-out2.uio.no [129.240.10.58]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RI0whn091115 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Tue, 27 Jan 2009 11:01:10 -0700 (MST) (envelope-from hbf@bombur.uio.no) Received: from mail-mx3.uio.no ([129.240.10.44]) by mail-out2.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LRsF5-0001Dp-S3; Tue, 27 Jan 2009 19:00:55 +0100 Received: from bombur.uio.no ([129.240.6.233]) by mail-mx3.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LRsF5-0000be-IL; Tue, 27 Jan 2009 19:00:55 +0100 Received: from hbf by bombur.uio.no with local (Exim 4.44) id 1LRsF5-0006tJ-GG; Tue, 27 Jan 2009 19:00:55 +0100 From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <hbf.20090127zhou@bombur.uio.no> Date: Tue, 27 Jan 2009 19:00:55 +0100 To: Jeffrey Hutzelman <jhutz@cmu.edu> Cc: Alexey Melnikov <alexey.melnikov@isode.com>, ietf-sasl@imc.org Subject: Re: SCRAM notes (was: ABNF for the three cases of SCRAM as GS2) In-Reply-To: <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> X-Mailer: VM 7.18 under Emacs 22.2.1 X-UiO-Spam-info: not spam, SpamAssassin (score=-5.0, required=5.0, autolearn=disabled, UIO_MAIL_IS_INTERNAL=-5, uiobl=NO, uiouri=NO) X-UiO-Scanned: 0B80291BDF18267F656765DAB524450AB0F4A0EF X-UiO-SPAM-Test: remote_host: 129.240.6.233 spam_score: -49 maxlevel 200 minaction 1 bait 0 mail/h: 1 total 1346 max/h 8 blacklist 0 greylist 0 ratelimit 0 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> [I should have changed the subject. Better late than nenver...] Jeffrey Hutzelman writes: >--On Tuesday, January 27, 2009 03:37:41 PM +0100 Hallvard B Furuseth ><h.b.furuseth@usit.uio.no> wrote: > >> - The "m" (Mandatory extensions) field still seems poorly defined to me. >> >> For one thing the wording is unfortunate - an extension will have to >> break the spec which says "m" must cause failure. > > It's deliberately not very specified. Yes, but so far we are talking about how the intended (vague) spec is _worded_. Which led me to completely misunderstand what was meant, see the discussion in December. "m: Presence of this attribute in a client or a server message MUST cause authentication failure when the attribute is parsed by the other end." Just add something amounting to "...except when it correctly matches an extension the implementation implements", and maybe some words from your description. Then extension documents will no longer need to contradict the original description which says it MUST fail. As for it's (intended) definition: >> Why not define that syntax in SCRAM? > > I'd be happy to see that happen, but some participants felt that that was > more complexity than was needed. We could have just left it out entirely, > but then it would be impossible to ever add a critical field, because > implementations of the earlier spec wouldn't be required to fail. Hold on. I think that's a bug anyway. The draft should say that auth MUST be aborted if a message doesn't match the grammar in Section 6. That will automatically support the 'm=' definition as it is described now, since an initial unknown field does not match the grammar.. So the draft could support mandatory extensions just by saying extension documents should place them at the beginning. And optional ones can stay at the end, where they are ignored when unrecognized. Anyway, these extensions are new to the -07 draft and I don't remember any discussion about them on this list prior to the draft, so I think it must all come from some IETF meeting discussions. (Which is one reason I've been waiting for a more finalized draft, like I said:-) >>> 1.2. Notation >>> U0 := HMAC(str, salt || INT(1)) >> >> Make that HMAC(str, (salt || INT(1))) or HMAC((str, salt) || INT(1)). > > Uh, why? It's pretty clear than an HMAC requires two arguments (key and > message); in fact, that's about three paragraphs above the text you quote. Nothing important. Just a bit easier to read. Or rather, to glance at without needing to read as far as three paragraphs away. > I'm not sure what you think "(str,salt) || INT(1)" would even mean. The meaning would be "I'm sure I'll find out when I've read a bit more". Which is a fairly common thought for me when browsing specifications:-) >>> 2. Introduction >>> - The server does not gain the ability to impersonate the client to >>> other servers (with an exception for server-authorized proxies). >> >> Another exception: An authentication exchange provides enough info to >> authenticate as the same user on another server > > ... only if the two servers used the same salt, which we specifically > warn against. Yes, I said that. But actually I don't see a warning against it. "For this reason, it is important to use randomly-generated salt values." doesn't say "different ... for different servers". Also that paragraph only mentions attackers, not untrusted servers. > Implemented _correctly_ the protocol does not have this > weakness. I think the current approach of warning against doing this > wrong in security considerations is sufficient. It's a security concern to be aware of. What to do about it is up to the admin. Define "correctly". Generate some unneeded SCRAM hashes for each password and store them somewhere safe, in anticipation of the day when we'll decide to add some extra servers? Or ask all users to change passwords because we've added another LDAP server or whatever? Also such correct behavior would need to override mirroring functionality between servers. I agree that by itself, the point belongs in Security Considerations. My objection is that this point in the Introduction, standing alone, is simply false: - The server does not gain the ability to impersonate the client to other servers (with an exception for server-authorized proxies). This explicitly appears to refer to an untrusted server. One shouldn't need to go to the The Security Considerations to see that "well, that's sort of true, as long as the server does <this>". The intro section gives the wrong message to a user, and the wrong message to an admin since having different salts on different server may amount to a major job. -- Hallvard Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RHGvAA088966 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 10:16:57 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0RHGvPo088965; Tue, 27 Jan 2009 10:16:57 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RHGjJe088944 for <ietf-sasl@imc.org>; Tue, 27 Jan 2009 10:16:56 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [172.16.2.178] (shiny.isode.com [62.3.217.250]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SX9BewB0lLq4@rufus.isode.com>; Tue, 27 Jan 2009 17:16:44 +0000 Message-ID: <497F4158.8050501@isode.com> Date: Tue, 27 Jan 2009 17:16:08 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Jeffrey Hutzelman <jhutz@cmu.edu>, Hallvard B Furuseth <h.b.furuseth@usit.uio.no> CC: ietf-sasl@imc.org Subject: Re: ABNF for the three cases of SCRAM as GS2 References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> In-Reply-To: <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Jeffrey Hutzelman wrote: > --On Tuesday, January 27, 2009 03:37:41 PM +0100 Hallvard B Furuseth > <h.b.furuseth@usit.uio.no> wrote: > >> - The "m" (Mandatory extensions) field still seems poorly defined to me. >> >> For one thing the wording is unfortunate - an extension will have to >> break the spec which says "m" must cause failure. > > It's deliberately not very specified. The idea is that the first time > we need this functionality, it will be necessary for a standards-track > document to amend the specification to describe the syntax of this > field and the circumstances under which its presence does not cause > failure. I think this explains "m=" handling very well. >> Why not define that syntax in SCRAM? > > I'd be happy to see that happen, but some participants felt that that > was more complexity than was needed. We could have just left it out > entirely, but then it would be impossible to ever add a critical > field, because implementations of the earlier spec wouldn't be > required to fail. So, we were able to convince those people to > compromise by making the minimum possible provision for future > critical fields, which is to define a specific field whose contents > are currently unspecified and whose presence currently triggers failure. +1. >>> 1.2. Notation >>> U0 := HMAC(str, salt || INT(1)) >> >> Make that HMAC(str, (salt || INT(1))) or HMAC((str, salt) || INT(1)). > > Uh, why? It's pretty clear than an HMAC requires two arguments (key > and message); in fact, that's about three paragraphs above the text > you quote. I'm not sure what you think "(str,salt) || INT(1)" would > even mean. Agreed. >>> 2. Introduction >>> - The server does not gain the ability to impersonate the client to >>> other servers (with an exception for server-authorized proxies). >> >> Another exception: An authentication exchange provides enough info to >> authenticate as the same user on another server > > ... only if the two servers used the same salt, which we specifically > warn against. Implemented _correctly_ the protocol does not have this > weakness. I think the current approach of warning against doing this > wrong in security considerations is sufficient. I agree, but I will check to make sure that the document is consistent with this advice. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RGnwA8087747 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 09:49:58 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0RGnw9v087746; Tue, 27 Jan 2009 09:49:58 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from chokecherry.srv.cs.cmu.edu (CHOKECHERRY.SRV.CS.CMU.EDU [128.2.185.41]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0RGnkYt087739 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Tue, 27 Jan 2009 09:49:57 -0700 (MST) (envelope-from jhutz@cmu.edu) Received: from atlantis-home.pc.cs.cmu.edu (ATLANTIS-HOME.PC.CS.CMU.EDU [128.2.184.185]) (authenticated bits=0) by chokecherry.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id n0RGngtP009405 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 11:49:43 -0500 (EST) Date: Tue, 27 Jan 2009 11:49:42 -0500 From: Jeffrey Hutzelman <jhutz@cmu.edu> To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>, Alexey Melnikov <alexey.melnikov@isode.com> cc: ietf-sasl@imc.org, jhutz@cmu.edu Subject: Re: ABNF for the three cases of SCRAM as GS2 Message-ID: <E007198499799EE856E23154@atlantis.pc.cs.cmu.edu> In-Reply-To: <hbf.20090127vtyg@bombur.uio.no> References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> <hbf.20090127vtyg@bombur.uio.no> X-Mailer: Mulberry/4.0.8 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Scanned-By: mimedefang-cmuscs on 128.2.185.41 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> --On Tuesday, January 27, 2009 03:37:41 PM +0100 Hallvard B Furuseth <h.b.furuseth@usit.uio.no> wrote: > - The "m" (Mandatory extensions) field still seems poorly defined to me. > > For one thing the wording is unfortunate - an extension will have to > break the spec which says "m" must cause failure. It's deliberately not very specified. The idea is that the first time we need this functionality, it will be necessary for a standards-track document to amend the specification to describe the syntax of this field and the circumstances under which its presence does not cause failure. > Why not define that syntax in SCRAM? I'd be happy to see that happen, but some participants felt that that was more complexity than was needed. We could have just left it out entirely, but then it would be impossible to ever add a critical field, because implementations of the earlier spec wouldn't be required to fail. So, we were able to convince those people to compromise by making the minimum possible provision for future critical fields, which is to define a specific field whose contents are currently unspecified and whose presence currently triggers failure. >> 1.2. Notation >> U0 := HMAC(str, salt || INT(1)) > > Make that HMAC(str, (salt || INT(1))) or HMAC((str, salt) || INT(1)). Uh, why? It's pretty clear than an HMAC requires two arguments (key and message); in fact, that's about three paragraphs above the text you quote. I'm not sure what you think "(str,salt) || INT(1)" would even mean. >> 2. Introduction >> - The server does not gain the ability to impersonate the client to >> other servers (with an exception for server-authorized proxies). > > Another exception: An authentication exchange provides enough info to > authenticate as the same user on another server ... only if the two servers used the same salt, which we specifically warn against. Implemented _correctly_ the protocol does not have this weakness. I think the current approach of warning against doing this wrong in security considerations is sufficient. -- Jeff Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0REbupM079130 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 27 Jan 2009 07:37:56 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0REbugH079129; Tue, 27 Jan 2009 07:37:56 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from mail-out1.uio.no (mail-out1.uio.no [129.240.10.57]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0REbh86079109 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Tue, 27 Jan 2009 07:37:55 -0700 (MST) (envelope-from hbf@bombur.uio.no) Received: from mail-mx3.uio.no ([129.240.10.44]) by mail-out1.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LRp4Q-0000j2-7P; Tue, 27 Jan 2009 15:37:42 +0100 Received: from bombur.uio.no ([129.240.6.233]) by mail-mx3.uio.no with esmtp (Exim 4.69) (envelope-from <hbf@bombur.uio.no>) id 1LRp4Q-00037B-04; Tue, 27 Jan 2009 15:37:42 +0100 Received: from hbf by bombur.uio.no with local (Exim 4.44) id 1LRp4P-0006UN-Kh; Tue, 27 Jan 2009 15:37:41 +0100 From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <hbf.20090127vtyg@bombur.uio.no> Date: Tue, 27 Jan 2009 15:37:41 +0100 To: Alexey Melnikov <alexey.melnikov@isode.com> Cc: ietf-sasl@imc.org Subject: Re: ABNF for the three cases of SCRAM as GS2 In-Reply-To: <497E2B73.3030804@isode.com> References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> <497E2B73.3030804@isode.com> X-Mailer: VM 7.18 under Emacs 22.2.1 X-UiO-Spam-info: not spam, SpamAssassin (score=-5.0, required=5.0, autolearn=disabled, UIO_MAIL_IS_INTERNAL=-5, uiobl=NO, uiouri=NO) X-UiO-Scanned: 409BCAF2F6AA5983BDB9A70AFE42693B0C171138 X-UiO-SPAM-Test: remote_host: 129.240.6.233 spam_score: -49 maxlevel 200 minaction 2 bait 0 mail/h: 1 total 1344 max/h 8 blacklist 0 greylist 0 ratelimit 0 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Alexey Melnikov writes: > To clarify: I will produce both the updated (hopefully final) version > of SCRAM without GS2-related changes, plus another version which > contains GS2 related ABNF and examples. Likely not final. Then your first versions of the "To be written" appendixes woudl have to pass through with almost no discussion. I've been waiting for a more finalized draft (by now, in particular Appendix B) before doing a careful review, and reposting some concerns of mine in case the authors just hadn't gotten to them yet. Appendix B to possibly short-circuit discussion of some other details. But I can look through the archives and my notes and (re-)post, if you want. Some old and new points I remember off-hand: - Regarding GS2, let me just make a general protest againt the verbose way the derivation of GS2 names are spelled out in... I don't remember which mechanism draft(s) at the moment. Just say it has "GSS-API mechanism OID: <whatever> SASL mechanism name: GS2-<whatever> due to [GS2] section 3)" - The "m" (Mandatory extensions) field still seems poorly defined to me. For one thing the wording is unfortunate - an extension will have to break the spec which says "m" must cause failure. Next, it'll need further syntax to disambiguate between extensions. Why not define that syntax in SCRAM? E.g. lowercase letters for mandatory-to-implement fields and uppercase for optional fields ("extensions" in the syntax). Or two-letter extension fields: "m" starting a mandatory extension and "o" starting an optional one. > 1.1. Terminology > Some clarifications and additional definitions follow: What's a server-authorized proxy? > 1.2. Notation > U0 := HMAC(str, salt || INT(1)) Make that HMAC(str, (salt || INT(1))) or HMAC((str, salt) || INT(1)). > 2. Introduction > - The server does not gain the ability to impersonate the client to > other servers (with an exception for server-authorized proxies). Another exception: An authentication exchange provides enough info to authenticate as the same user on another server which stores the same authentication info for that user. Mentioned as a security consideration, but I think it belongs with this statement: it's trivially inherent in the algorithm, and servers with the same data (mirrors/slaves) is a common scenario. > 5. SCRAM Authentication Exchange > Servers SHOULD announce a hash iteration-count of at least 128. Why? Different hash algorithms have different strengths and different costs to compute, thus I'd think this depends on the hash algorithm. And, for that matter, on the strength of expected attacks. Also, how does an iteration count of more than 1 help on a site where passwords are stored in several forms anyway, maybe including salted MD5 for Unix crypt()? (Maybe that's for Appendix B or C, I don't know.) If I remember correctly (and I may not), one problem with the proposed competing SRP mechanism was the computation cost. How does that compare with a high SCRAM iteration count? -- Hallvard Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0QLV5H6036824 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 26 Jan 2009 14:31:05 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0QLV53d036823; Mon, 26 Jan 2009 14:31:05 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0QLV4QU036817 for <ietf-sasl@imc.org>; Mon, 26 Jan 2009 14:31:04 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [92.40.187.17] (92.40.187.17.sub.mbb.three.co.uk [92.40.187.17]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SX4rlgB0lDRA@rufus.isode.com>; Mon, 26 Jan 2009 21:31:02 +0000 Message-ID: <497E2B73.3030804@isode.com> Date: Mon, 26 Jan 2009 21:30:27 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: ietf-sasl@imc.org Subject: Re: ABNF for the three cases of SCRAM as GS2 References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> <497DEE6C.3040204@isode.com> In-Reply-To: <497DEE6C.3040204@isode.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Alexey Melnikov wrote: > I think I have enough information to produce a version of SCRAM that > would look like Sam's proposal 2 or 3. To clarify: I will produce both the updated (hopefully final) version of SCRAM without GS2-related changes, plus another version which contains GS2 related ABNF and examples. Then people can compare the two and make a choice. Once the choice is done, I will post the version that should be ready for WGLC. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0QHAqMR023924 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 26 Jan 2009 10:10:52 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0QHAqLt023923; Mon, 26 Jan 2009 10:10:52 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0QHAeur023883 for <ietf-sasl@imc.org>; Mon, 26 Jan 2009 10:10:51 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [192.168.0.6] ((unknown) [62.3.217.253]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SX3ujwB0lANb@rufus.isode.com>; Mon, 26 Jan 2009 17:10:39 +0000 X-SMTP-Protocol-Errors: NORDNS Message-ID: <497DEE6C.3040204@isode.com> Date: Mon, 26 Jan 2009 17:10:04 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: ietf-sasl@imc.org Subject: Re: ABNF for the three cases of SCRAM as GS2 References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> <tslwscijdsh.fsf@live.mit.edu> In-Reply-To: <tslwscijdsh.fsf@live.mit.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Sam Hartman wrote: >mic-of-something basically results to hmac(something) for some hmac >key that the SCRAm GS2 mechanism needs to define. I'd be much happier >if it was derived from the scram key, not identical to it. So, >hmac(hmac(scram_key,micderivation_constant),stuff) > > Sam clarified to me that "stuff" is gs2-to-be-protected, defined by Sam as: gs2-to-be-protected = qop ["," maxbuf] ["," cbqop "," channelbinding] ["," authzid] ["," 1*extension] I think I have enough information to produce a version of SCRAM that would look like Sam's proposal 2 or 3. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0QFJYol018401 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 26 Jan 2009 08:19:34 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0QFJYcw018400; Mon, 26 Jan 2009 08:19:34 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0QFJKOp018391 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Mon, 26 Jan 2009 08:19:33 -0700 (MST) (envelope-from hartmans@mit.edu) Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id D7037451D; Mon, 26 Jan 2009 10:19:10 -0500 (EST) From: Sam Hartman <hartmans-ietf@mit.edu> To: Alexey Melnikov <alexey.melnikov@isode.com> Cc: Chris Newman <Chris.Newman@sun.com>, ietf-sasl@imc.org Subject: Re: ABNF for the three cases of SCRAM as GS2 References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> <497B97A2.4090009@isode.com> Date: Mon, 26 Jan 2009 10:19:10 -0500 In-Reply-To: <497B97A2.4090009@isode.com> (Alexey Melnikov's message of "Sat, 24 Jan 2009 22:35:14 +0000") Message-ID: <tslwscijdsh.fsf@live.mit.edu> User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> mic-of-something basically results to hmac(something) for some hmac key that the SCRAm GS2 mechanism needs to define. I'd be much happier if it was derived from the scram key, not identical to it. So, hmac(hmac(scram_key,micderivation_constant),stuff) Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0OMZp8D023604 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 24 Jan 2009 15:35:51 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0OMZpZg023603; Sat, 24 Jan 2009 15:35:51 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0OMZd50023594 for <ietf-sasl@imc.org>; Sat, 24 Jan 2009 15:35:50 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [92.40.44.167] (92.40.44.167.sub.mbb.three.co.uk [92.40.44.167]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SXuXtgB0lChr@rufus.isode.com>; Sat, 24 Jan 2009 22:35:36 +0000 Message-ID: <497B97A2.4090009@isode.com> Date: Sat, 24 Jan 2009 22:35:14 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Chris Newman <Chris.Newman@Sun.COM> CC: Sam Hartman <hartmans-ietf@mit.edu>, ietf-sasl@imc.org Subject: Re: ABNF for the three cases of SCRAM as GS2 References: <tslzlnjp83q.fsf@mit.edu> <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> In-Reply-To: <AC527E6743C0778FBAE824B4@446E7922C82D299DB29D899F> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Chris Newman wrote: > I was unaware this was stalled waiting for my response until I was > told yesterday; apologies for not responding sooner. I just reviewed what two of you were talking about, so I think I am on the same page now. My reply is a bit long, as I try to explain how I came to various conclusions. I hope other readers of this message will find my explanation useful. > I'm finding it very difficult to get my head around this at the moment > due to the nested ABNF. To attempt to better understand it, I'm going > to unfold the nested references with some simplifications. I've done the same thing. > First, "gunk" is something I believe to be constant when sent by > SASL-SCRAM implementations and ignored when received by SASL-SCRAM > implementations (albeit included in a hash if necessary) -- that > includes all the security layer stuff since I assume SASL-SCRAM > implementations will always negotiate off security layers. Second, > I'm dropping hash-list (we agreed to move that to the mech name), the > non-relevant syntax and extensibility for now. Third, I'm only > showing a data item the first time it is transferred (it's sometimes > helpful to transfer an item more than once to simplify the code, but > that's an optimization we need not consider at the moment). Right, I saw you dropping repeated nonce in the second client response. > So I think we end up with (please correct me if this is wrong): A think you got it more or less correct. A general comment on what Sam done (which helped me to understand his proposals): I think he basically looked at draft-ietf-sasl-gs2 and made alternative encodings of the data presented there. He then took ABNF draft-newman-auth-scram and tried to modify it, so that GS2 and the modified-SCRAM ABNFs agree. > Case 1: > > C1: b64(gunk,c-nonce,username) ":" %x00 > S1: b64(s-nonce,salt,iter-count) ":" > C2: b64(b64(channel-bind),b64(ClientProof)) > ":" b64(b64(<MIC-of-something?>),authzid,gunk) > S2: b64(b64(ServerSignature)) ":" b64(b64(<MIC-of-something?>),gunk) I dislike this choice in the same way you do, so let's ignore it. However I will give answers/comments on your questions below, as they apply to all 3 cases. > I'm don't understand how a SASL-SCRAM implementation is supposed to > generate the <MIC-of-something> that GSS wrap does. I am not sure either. > Does SASL-SCRAM just set this to 0? I know how the ClientProof is > computed (which implicitly includes a MIC), I don't understand the MIC > although it doesn't matter if I can set it to 0 and ignore it. I don't think so, but I hope that calculating a MIC in order to protect from replays is fairly easy. > I don't understand why two sets of channel bindings appear to be present, One channel binding is as used in SASL. The other is GSS-CHANNEL-BINDINGS from draft-ietf-kitten-gssapi-channel-bindings-05.txt, i.e. a parameter passed to GSS_Init_sec_context() and GSS_Accept_sec_context() calls. > but I'm assuming that SASL-SCRAM treats the GSS-channel-binding as > gunk (send constant / ignore on receipt) for simplicity. If > SASL-SCRAM implementation has to do something else I need to > understand what it's expected to do to understand the proposal. If you look at draft-ietf-sasl-gs2-10.txt, section 5, you will find that the GSS-API channel binding parameter must be NULL for GS2. So it would always be encoded as an empty string, or would be missing entirely (I am not sure exactly how this would look in GSS framing). > I'm confused about the placement of authzid, since it needs to be > included in the SCRAM computations. The current SCRAM spec includes > it in the first client message (optionally). It's harmless moving it > to the second client message but I don't really understand why it ends > up in the second b64 blob. My current understanding of this is that: If you look at section 4.3 of draft-ietf-sasl-gs2-10.txt, you will find there the following (section 4.3.2): 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | client_qops | client_maxbuf | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | channel_binding_length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |[client_cbqops]| [channel_binding_data] / / / / / [authzid] / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ which Sam represented in the textual form as: gs2-to-be-protected = qop ["," maxbuf] ["," cbqop "," channelbinding] ["," authzid] ["," 1*extension] I.e. the authorization identity is going to be transported by the GS2 layer itself. > I'm not fond of this approach due to the three levels of > base64-encoding that will occur in many SASL profiles (e.g. IMAP) that > use base64 as a wrapper for SASL exchanges. That extra middle layer > makes the interesting content unreadable to any debug/logging > mechanism provided in the protocol or SASL layer -- > debugging/diagnostics have to be put directly in the SCRAM layer after > that middle layer is unwrapped. > > Case 2: > > C1: gunk,c-nonce,username delim > S1: s-nonce,salt,iter-count delim > C2: b64(channel-bind),b64(ClientProof) delim > b64(<MIC-of-something?>),authzid,gunk > S2: b64(ServerSignature) delim b64(<MIC-of-something?>),gunk After substitution I got: C1: oidgunk username "," c-nonce delim S1: s-nonce "," salt "," iteration-count delim C2: s-nonce "," gss-channel-binding "," proof delim "mic=" base64() ["," 1*extension] ",d=" c-qop ["," c-maxbuf ] ["," c-cbqop "," channelbinding] ["," authzid] ["," 1*extension] S2: verifier delim "mic=" base64() ["," 1*extension] ",d=" s-qop ["," s-maxbuf] ["," 1*extension] Here channelbinding is the channel binding as used by SASL. I am not sure why Sam has put gss-channel-binding in the middle of SCRAM C2 step though. However it would expand to nothing, as per my earlier comment. If SCRAM never negotiates a security layer, then c-qop, c-maxbuf, c-cbqop, s-qop and s-maxbuf become constants. > Escaping is used where necessary to avoid delim. Other than not > wanting a NUL delim due to the negative impact it has on debugging Agreed. > (I'd consider ^A), this seems workable assuming MIC-of-something isn't > needed by SASL-SCRAM. > > Case 3: > > C1: "ctx=" gunk,c-nonce,username > S1: "ctx=" s-nonce,salt,iter-count > C2: "mic=" b64(<MIC-of-something?>),gunk,authzid ",ctx=" > b64(channel-bind),b64(ClientProof) > S2: "mic=" b64(<MIC-of-something?>),gunk ",ctx=" b64(ServerSignature) I got: C1: "ctx"= oidgunk username "," c-nonce S1: "ctx"= s-nonce "," salt "," iteration-count C2: "mic=" base64() "," c-qop ["," c-maxbuf ] ["," c-cbqop "," channelbinding] ["," authzid] ["," 1*extension] ",ctx=" s-nonce "," gss-channel-binding "," proof S2: "mic=" base64() "," s-qop ["," s-maxbuf] ["," 1*extension] ",ctx=" verifier ========= Currently SCRAM is defined as follows: C1: [mandatory-exts ","] [authzid ","] username "," c-nonce ["," extensions] S1: [mandatory-exts ","] s-nonce "," salt "," iteration-count ["," extensions] C2: s-nonce "," channel-binding ["," extensions] "," proof S2: verifier ["," extensions] > I'm not sure I understand how this is different from case 2. It seems > there's just a different delimiter (specifically, ",ctx=") and the GSS > stuff is moved to the beginning. Agreed. Cases 2 and 3 seem to mostly differ in ordering. > Regardless, it seems fine to me. [Sam's message deleted] Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0NC2KGS030674 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 23 Jan 2009 05:02:20 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0NC2Kgh030673; Fri, 23 Jan 2009 05:02:20 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0NC27MW030654 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Fri, 23 Jan 2009 05:02:19 -0700 (MST) (envelope-from simon@josefsson.org) Received: from c80-216-29-127.bredband.comhem.se ([80.216.29.127] helo=mocca.josefsson.org) by yxa-v.extundo.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.69) (envelope-from <simon@josefsson.org>) id 1LQKjd-0001GY-RS; Fri, 23 Jan 2009 13:02:06 +0100 From: Simon Josefsson <simon@josefsson.org> To: Kurt Zeilenga <Kurt.Zeilenga@isode.com> Cc: ietf-sasl@imc.org Subject: Re: gs2 hashed oids References: <tsl1vvgd141.fsf@mit.edu> <DE87EEB3-9DD3-4574-9252-B707713D65E1@Isode.com> OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:090123:kurt.zeilenga@isode.com::2xu4HARUOLwBGmN3:0FsH X-Hashcash: 1:22:090123:ietf-sasl@imc.org::V6uuYjZfxvEb24qV:2UxI Date: Fri, 23 Jan 2009 13:02:04 +0100 In-Reply-To: <DE87EEB3-9DD3-4574-9252-B707713D65E1@Isode.com> (Kurt Zeilenga's message of "Thu, 22 Jan 2009 22:46:36 -0800") Message-ID: <878wp2fcxv.fsf@mocca.josefsson.org> User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.60 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-1.4 required=5.0 tests=ALL_TRUSTED,AWL autolearn=ham version=3.2.5 (2008-06-10) host=yxa-v.extundo.com Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Kurt Zeilenga <Kurt.Zeilenga@isode.com> writes: > I have review this thread and the history. > > The WG previously made a design choice to use "hashed" GS2- mechanism > names instead of individually "registered" SASL names. This design > choice was reviewed as part of the previous WG Last Call(s) and > believed to be supported by WG consensus. > > In reviewing the recent discussions, I find that while there is a camp > who prefers "registered" SASL names, most in this came can live with > "hashed" names. However, those in the "hashed" camp cannot live with > "registered" SASL names because with "registered" SASL names GSS-API > mechanisms could not automatically be SASL mechanisms within an > implementation. It seems the latter camp has a stronger technical > argument. > > Hence, I find that there is insufficient consensus to change to > "registered" SASL names. Thanks for making this call. Once the SCRAM wire syntax question is decided, I can resume work on GS2 and will then keep the current hash approach to mech names. /Simon Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0N6krph015482 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 22 Jan 2009 23:46:53 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0N6krsG015480; Thu, 22 Jan 2009 23:46:53 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0N6kfh4015470 for <ietf-sasl@imc.org>; Thu, 22 Jan 2009 23:46:53 -0700 (MST) (envelope-from Kurt.Zeilenga@Isode.com) Received: from [192.168.1.102] ((unknown) [75.141.233.128]) by rufus.isode.com (submission channel) via TCP with ESMTPSA id <SXlnzwBGbhq4@rufus.isode.com> for <ietf-sasl@imc.org>; Fri, 23 Jan 2009 06:46:39 +0000 X-SMTP-Protocol-Errors: NORDNS Message-Id: <DE87EEB3-9DD3-4574-9252-B707713D65E1@Isode.com> From: Kurt Zeilenga <Kurt.Zeilenga@isode.com> To: ietf-sasl@imc.org In-Reply-To: <tsl1vvgd141.fsf@mit.edu> Subject: Re: gs2 hashed oids Date: Thu, 22 Jan 2009 22:46:36 -0800 References: <tsl1vvgd141.fsf@mit.edu> X-Mailer: Apple Mail (2.930.3) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> I have review this thread and the history. The WG previously made a design choice to use "hashed" GS2- mechanism names instead of individually "registered" SASL names. This design choice was reviewed as part of the previous WG Last Call(s) and believed to be supported by WG consensus. In reviewing the recent discussions, I find that while there is a camp who prefers "registered" SASL names, most in this came can live with "hashed" names. However, those in the "hashed" camp cannot live with "registered" SASL names because with "registered" SASL names GSS-API mechanisms could not automatically be SASL mechanisms within an implementation. It seems the latter camp has a stronger technical argument. Hence, I find that there is insufficient consensus to change to "registered" SASL names. -- Kurt, as SASL co-chair Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0KAqoj3005643 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 20 Jan 2009 03:52:50 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0KAqorH005642; Tue, 20 Jan 2009 03:52:50 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0KAqnMQ005635 for <ietf-sasl@imc.org>; Tue, 20 Jan 2009 03:52:49 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [92.40.181.102] (92.40.181.102.sub.mbb.three.co.uk [92.40.181.102]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SXWs=wBGbjUf@rufus.isode.com>; Tue, 20 Jan 2009 10:52:48 +0000 Message-ID: <4975ACF3.1020506@isode.com> Date: Tue, 20 Jan 2009 10:52:35 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Tom Yu <tlyu@MIT.EDU> CC: ietf-sasl@imc.org Subject: Re: [IETF Meeting Session Request Tool] sasl - New Meeting Session Request for IETF 74 References: <ldvbpu2bxur.fsf@cathode-dark-space.mit.edu> In-Reply-To: <ldvbpu2bxur.fsf@cathode-dark-space.mit.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Tom Yu wrote: >Please let me know if I should revise the conflict list. > > [...] >Conflicts to Avoid: > First Priority: apparea saag sieve krb-wg kitten vcarddav > > Hi Tom, Can you please add "morg" and "xmpp BOF" to the first priority list? > Second Priority: dkim emu eai pkix > Third Priority: httpbis idnabis lemonade smime tls > > Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0KAqWYu005623 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 20 Jan 2009 03:52:33 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0KAqWtj005622; Tue, 20 Jan 2009 03:52:32 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0KAqK35005599 for <ietf-sasl@imc.org>; Tue, 20 Jan 2009 03:52:32 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [92.40.181.102] (92.40.181.102.sub.mbb.three.co.uk [92.40.181.102]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SXWs4QBGbqEV@rufus.isode.com>; Tue, 20 Jan 2009 10:52:18 +0000 Message-ID: <4975ACD5.7000207@isode.com> Date: Tue, 20 Jan 2009 10:52:05 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Tom Yu <tlyu@MIT.EDU> CC: ietf-sasl@imc.org Subject: Re: [IETF Meeting Session Request Tool] sasl - New Meeting Session Request for IETF 74 References: <ldvbpu2bxur.fsf@cathode-dark-space.mit.edu> In-Reply-To: <ldvbpu2bxur.fsf@cathode-dark-space.mit.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Tom Yu wrote: >Please let me know if I should revise the conflict list. > > [...] >Conflicts to Avoid: > First Priority: apparea saag sieve krb-wg kitten vcarddav > > Hi Tom, Can you please add "morg" to the first priority list? > Second Priority: dkim emu eai pkix > Third Priority: httpbis idnabis lemonade smime tls > > Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0K1Hv0f076034 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 19 Jan 2009 18:17:57 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0K1Hv9e076033; Mon, 19 Jan 2009 18:17:57 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from fugue.toroid.org (fugue.toroid.org [85.10.196.113]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0K1HkU0076020 for <ietf-sasl@imc.org>; Mon, 19 Jan 2009 18:17:56 -0700 (MST) (envelope-from ams@toroid.org) Received: from penne.toroid.org (penne-vpn [10.8.0.6]) by fugue.toroid.org (Postfix) with ESMTP id 31D25558413; Tue, 20 Jan 2009 02:17:44 +0100 (CET) Received: by penne.toroid.org (Postfix, from userid 1000) id 1F2C638812A; Tue, 20 Jan 2009 06:47:42 +0530 (IST) Date: Tue, 20 Jan 2009 06:47:42 +0530 From: Abhijit Menon-Sen <ams@oryx.com> To: Alexey Melnikov <alexey.melnikov@isode.com> Cc: Chris Newman <Chris.Newman@sun.com>, ietf-sasl@imc.org Subject: Re: Allowed characters in SCRAM authentication/authorization identities Message-ID: <20090120011742.GA3934@toroid.org> References: <4973A397.1050400@isode.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4973A397.1050400@isode.com> Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> At 2009-01-18 21:48:07 +0000, alexey.melnikov@isode.com wrote: > > So, any objections of changing "value-safe-char" to be any UTF-8 > encoded Unicode character except for NUL (which is universally > disallowed), "=" and ","? Fine with me. -- ams Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0K0tEao074674 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 19 Jan 2009 17:55:14 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0K0tE6f074673; Mon, 19 Jan 2009 17:55:14 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU [18.7.7.80]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0K0t23G074656 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Mon, 19 Jan 2009 17:55:13 -0700 (MST) (envelope-from tlyu@MIT.EDU) Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id n0K0ssWI000310 for <ietf-sasl@imc.org>; Mon, 19 Jan 2009 19:54:55 -0500 (EST) Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id n0K0sqNu009483 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <ietf-sasl@imc.org>; Mon, 19 Jan 2009 19:54:54 -0500 (EST) Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id n0K0sqig004156; Mon, 19 Jan 2009 19:54:52 -0500 (EST) To: ietf-sasl@imc.org Subject: [IETF Meeting Session Request Tool] sasl - New Meeting Session Request for IETF 74 From: Tom Yu <tlyu@MIT.EDU> Date: Mon, 19 Jan 2009 19:54:52 -0500 Message-ID: <ldvbpu2bxur.fsf@cathode-dark-space.mit.edu> Lines: 52 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-Scanned-By: MIMEDefang 2.42 X-Spam-Flag: NO X-Spam-Score: 0.00 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> --=-=-= Please let me know if I should revise the conflict list. --=-=-= Content-Type: message/rfc822 Content-Disposition: inline Return-Path: <wwwrun@core3.amsl.com> Received: from po9.mit.edu ([unix socket]) by po9.mit.edu (Cyrus v2.1.5) with LMTP; Mon, 19 Jan 2009 19:50:50 -0500 X-Sieve: CMU Sieve 2.2 Received: from pacific-carrier-annex.mit.edu by po9.mit.edu (8.13.6/4.7) id n0K0onEn029012; Mon, 19 Jan 2009 19:50:50 -0500 (EST) Received: from mit.edu (M24-004-BARRACUDA-3.MIT.EDU [18.7.7.114]) by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id n0K0oilm022546 for <tlyu@mit.edu>; Mon, 19 Jan 2009 19:50:44 -0500 (EST) Received: from mail.ietf.org (mail.ietf.org [64.170.98.32]) by mit.edu (Spam Firewall) with ESMTP id B46A8122B757 for <tlyu@mit.edu>; Mon, 19 Jan 2009 19:50:22 -0500 (EST) Received: by core3.amsl.com (Postfix, from userid 30) id EF4653A6A86; Mon, 19 Jan 2009 16:50:36 -0800 (PST) From: IETF Meeting Session Request Tool <session_request_developers@ietf.org> To: session-request@ietf.org Cc: tim.polk@nist.gov, pasi.eronen@nokia.com, tlyu@mit.edu, kurt.zeilenga@isode.com Subject: sasl - New Meeting Session Request for IETF 74 Message-Id: <20090120005036.EF4653A6A86@core3.amsl.com> Date: Mon, 19 Jan 2009 16:50:36 -0800 (PST) X-Spam-Score: 0.00 X-Spam-Flag: NO X-Scanned-By: MIMEDefang 2.42 Lines: 23 MIME-Version: 1.0 A new meeting session request has just been submitted by Tom Yu, a working group chair of sasl. --------------------------------------------------------- Working Group Name: sasl Area Name: Security Area Session Requester: Tom Yu Number of Sessions: 1 Length of Session(s): 2 hours Number of Attendees: 30 Conflicts to Avoid: First Priority: apparea saag sieve krb-wg kitten vcarddav Second Priority: dkim emu eai pkix Third Priority: httpbis idnabis lemonade smime tls Special Requests: second video projector and screen, and additional microphones, as we and kitten and krb-wg have done in the past --------------------------------------------------------- --=-=-=-- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0JGs1ho052753 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 19 Jan 2009 09:54:01 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0JGs1AC052752; Mon, 19 Jan 2009 09:54:01 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from jackfruit.srv.cs.cmu.edu (JACKFRUIT.SRV.CS.CMU.EDU [128.2.201.16]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0JGrnfO052731 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Mon, 19 Jan 2009 09:54:00 -0700 (MST) (envelope-from jhutz@cmu.edu) Received: from MINBAR.FAC.CS.CMU.EDU (MINBAR.FAC.CS.CMU.EDU [128.2.216.42]) (authenticated bits=0) by jackfruit.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id n0JGrj7Z002145 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 19 Jan 2009 11:53:46 -0500 (EST) Date: Mon, 19 Jan 2009 11:53:45 -0500 From: Jeffrey Hutzelman <jhutz@cmu.edu> To: Alexey Melnikov <alexey.melnikov@isode.com>, Abhijit Menon-Sen <ams@oryx.com>, Chris Newman <Chris.Newman@sun.com> cc: ietf-sasl@imc.org, jhutz@cmu.edu Subject: Re: Allowed characters in SCRAM authentication/authorization identities Message-ID: <3E8421D40AB7CC6A659AF7A1@minbar.fac.cs.cmu.edu> In-Reply-To: <4973A397.1050400@isode.com> References: <4973A397.1050400@isode.com> X-Mailer: Mulberry/4.0.8 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Scanned-By: mimedefang-cmuscs on 128.2.201.16 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> --On Sunday, January 18, 2009 09:48:07 PM +0000 Alexey Melnikov <alexey.melnikov@isode.com> wrote: > > Hi, > This is a minor issue with existing SCRAM ABNF: > >> saslname = 1*(value-safe-char / "=2C" / "=3D") >> ;; Conforms to <value> >> >> value-safe-char = %20-2B / %2D-3C / %3E-7E / >> UTF8-2 / UTF-3 / UTF8-4 >> ;; UTF8-char except CTL, "=", and ",". >> >> authzid = "a=" saslname > > Authorization identity is protocol specific, so I don't think the > document should disallow US-ASCII CTLs in it. > So, any objections of changing "value-safe-char" to be any UTF-8 encoded > Unicode character except for NUL (which is universally disallowed), "=" > and ","? Sounds good to me. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0JBqBtu036007 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 19 Jan 2009 04:52:11 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0JBqBUe036006; Mon, 19 Jan 2009 04:52:11 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0JBq8Fi035998 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Mon, 19 Jan 2009 04:52:10 -0700 (MST) (envelope-from simon@josefsson.org) Received: from c80-216-29-127.bredband.comhem.se ([80.216.29.127] helo=mocca.josefsson.org) by yxa-v.extundo.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.69) (envelope-from <simon@josefsson.org>) id 1LOsfm-0002Uw-D4; Mon, 19 Jan 2009 12:52:07 +0100 From: Simon Josefsson <simon@josefsson.org> To: Alexey Melnikov <alexey.melnikov@isode.com> Cc: Abhijit Menon-Sen <ams@oryx.com>, Chris Newman <Chris.Newman@sun.com>, ietf-sasl@imc.org Subject: Re: Allowed characters in SCRAM authentication/authorization identities References: <4973A397.1050400@isode.com> <87fxjftu7o.fsf@mocca.josefsson.org> <49746396.6020204@isode.com> OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:090119:alexey.melnikov@isode.com::UezcfkCAQveRTF7k:2lkG X-Hashcash: 1:22:090119:ams@oryx.com::Rrw4ix2My+q7Cl8z:8+vz X-Hashcash: 1:22:090119:ietf-sasl@imc.org::CgNzdFJKYeti1RgC:BmbK X-Hashcash: 1:22:090119:chris.newman@sun.com::vgZPKBuyds/yBDiI:Fc9e Date: Mon, 19 Jan 2009 12:52:05 +0100 In-Reply-To: <49746396.6020204@isode.com> (Alexey Melnikov's message of "Mon, 19 Jan 2009 11:27:18 +0000") Message-ID: <877i4rtswq.fsf@mocca.josefsson.org> User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.60 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-1.4 required=5.0 tests=ALL_TRUSTED,AWL autolearn=ham version=3.2.5 (2008-06-10) host=yxa-v.extundo.com Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Alexey Melnikov <alexey.melnikov@isode.com> writes: > Simon Josefsson wrote: > >>Alexey Melnikov <alexey.melnikov@isode.com> writes: >> >> >>>Hi, >>>This is a minor issue with existing SCRAM ABNF: >>> >>> >>>>saslname = 1*(value-safe-char / "=2C" / "=3D") >>>> ;; Conforms to <value> >>>> >>>>value-safe-char = %20-2B / %2D-3C / %3E-7E / >>>> UTF8-2 / UTF-3 / UTF8-4 >>>>;; UTF8-char except CTL, "=", and ",". >>>> >>>>authzid = "a=" saslname >>>> >>>> >>>Authorization identity is protocol specific, so I don't think the >>>document should disallow US-ASCII CTLs in it. >>>So, any objections of changing "value-safe-char" to be any UTF-8 >>>encoded Unicode character except for NUL (which is universally >>>disallowed), "=" and ","? >>> >>> >>I think per RFC 4422 you should only exclude NUL. >> >> > Yes. > But "=" and "," are special characters in SCRAM, so they are encoded > as "=2C" and "=3D". Ok, if all non-NUL characters are escaped, I don't see a problem. +1 from me. /Simon Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0JBRbbw034921 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 19 Jan 2009 04:27:47 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0JBRbRs034920; Mon, 19 Jan 2009 04:27:37 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0JBRQrH034906 for <ietf-sasl@imc.org>; Mon, 19 Jan 2009 04:27:37 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [92.40.115.70] (92.40.115.70.sub.mbb.three.co.uk [92.40.115.70]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SXRjmwBGbnKl@rufus.isode.com>; Mon, 19 Jan 2009 11:27:25 +0000 Message-ID: <49746396.6020204@isode.com> Date: Mon, 19 Jan 2009 11:27:18 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Simon Josefsson <simon@josefsson.org> CC: Abhijit Menon-Sen <ams@oryx.com>, Chris Newman <Chris.Newman@sun.com>, ietf-sasl@imc.org Subject: Re: Allowed characters in SCRAM authentication/authorization identities References: <4973A397.1050400@isode.com> <87fxjftu7o.fsf@mocca.josefsson.org> In-Reply-To: <87fxjftu7o.fsf@mocca.josefsson.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Simon Josefsson wrote: >Alexey Melnikov <alexey.melnikov@isode.com> writes: > > >>Hi, >>This is a minor issue with existing SCRAM ABNF: >> >> >>>saslname = 1*(value-safe-char / "=2C" / "=3D") >>> ;; Conforms to <value> >>> >>>value-safe-char = %20-2B / %2D-3C / %3E-7E / >>> UTF8-2 / UTF-3 / UTF8-4 >>>;; UTF8-char except CTL, "=", and ",". >>> >>>authzid = "a=" saslname >>> >>> >>Authorization identity is protocol specific, so I don't think the >>document should disallow US-ASCII CTLs in it. >>So, any objections of changing "value-safe-char" to be any UTF-8 >>encoded Unicode character except for NUL (which is universally >>disallowed), "=" and ","? >> >> >I think per RFC 4422 you should only exclude NUL. > > Yes. But "=" and "," are special characters in SCRAM, so they are encoded as "=2C" and "=3D". Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0JBOP8q034824 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 19 Jan 2009 04:24:26 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0JBOPDH034823; Mon, 19 Jan 2009 04:24:25 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0JBOBWU034814 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Mon, 19 Jan 2009 04:24:24 -0700 (MST) (envelope-from simon@josefsson.org) Received: from c80-216-29-127.bredband.comhem.se ([80.216.29.127] helo=mocca.josefsson.org) by yxa-v.extundo.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.69) (envelope-from <simon@josefsson.org>) id 1LOsEa-0002Ub-1y; Mon, 19 Jan 2009 12:24:01 +0100 From: Simon Josefsson <simon@josefsson.org> To: Alexey Melnikov <alexey.melnikov@isode.com> Cc: Abhijit Menon-Sen <ams@oryx.com>, Chris Newman <Chris.Newman@sun.com>, ietf-sasl@imc.org Subject: Re: Allowed characters in SCRAM authentication/authorization identities References: <4973A397.1050400@isode.com> OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:090119:chris.newman@sun.com::6jqeSEJpp+/hPfKy:2kCj X-Hashcash: 1:22:090119:alexey.melnikov@isode.com::hx8Q5zWZnWM7Jh9i:7bWo X-Hashcash: 1:22:090119:ietf-sasl@imc.org::dsQQHRnDdOrea3aw:IQMe X-Hashcash: 1:22:090119:ams@oryx.com::K/RWx30zmyuJb6Le:XlGQ Date: Mon, 19 Jan 2009 12:23:55 +0100 In-Reply-To: <4973A397.1050400@isode.com> (Alexey Melnikov's message of "Sun, 18 Jan 2009 21:48:07 +0000") Message-ID: <87fxjftu7o.fsf@mocca.josefsson.org> User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.60 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-1.4 required=5.0 tests=ALL_TRUSTED,AWL autolearn=ham version=3.2.5 (2008-06-10) host=yxa-v.extundo.com Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Alexey Melnikov <alexey.melnikov@isode.com> writes: > Hi, > This is a minor issue with existing SCRAM ABNF: > >> saslname = 1*(value-safe-char / "=2C" / "=3D") >> ;; Conforms to <value> >> >> value-safe-char = %20-2B / %2D-3C / %3E-7E / >> UTF8-2 / UTF-3 / UTF8-4 >> ;; UTF8-char except CTL, "=", and ",". >> >> authzid = "a=" saslname > > Authorization identity is protocol specific, so I don't think the > document should disallow US-ASCII CTLs in it. > So, any objections of changing "value-safe-char" to be any UTF-8 > encoded Unicode character except for NUL (which is universally > disallowed), "=" and ","? I think per RFC 4422 you should only exclude NUL. 3.4.1. Authorization Identity String The authorization identity string is a sequence of zero or more Unicode [Unicode] characters, excluding the NUL (U+0000) character, representing the identity to act as. ... While the character encoding schema used to transfer the authorization identity string in the authentication exchange is mechanism specific, mechanisms are expected to be capable of carrying the entire Unicode repertoire (with the exception of the NUL character). /Simon Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0ILn8FM098148 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 18 Jan 2009 14:49:08 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0ILn8wC098147; Sun, 18 Jan 2009 14:49:08 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0ILmt6f098121 for <ietf-sasl@imc.org>; Sun, 18 Jan 2009 14:49:07 -0700 (MST) (envelope-from alexey.melnikov@isode.com) Received: from [92.40.161.173] (92.40.161.173.sub.mbb.three.co.uk [92.40.161.173]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SXOjwwBGbpyW@rufus.isode.com>; Sun, 18 Jan 2009 21:48:53 +0000 Message-ID: <4973A397.1050400@isode.com> Date: Sun, 18 Jan 2009 21:48:07 +0000 From: Alexey Melnikov <alexey.melnikov@isode.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: Abhijit Menon-Sen <ams@oryx.com>, Chris Newman <Chris.Newman@Sun.COM> CC: ietf-sasl@imc.org Subject: Allowed characters in SCRAM authentication/authorization identities MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Hi, This is a minor issue with existing SCRAM ABNF: > saslname = 1*(value-safe-char / "=2C" / "=3D") > ;; Conforms to <value> > > value-safe-char = %20-2B / %2D-3C / %3E-7E / > UTF8-2 / UTF-3 / UTF8-4 > ;; UTF8-char except CTL, "=", and ",". > > authzid = "a=" saslname Authorization identity is protocol specific, so I don't think the document should disallow US-ASCII CTLs in it. So, any objections of changing "value-safe-char" to be any UTF-8 encoded Unicode character except for NUL (which is universally disallowed), "=" and ","? Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n08F1IIf050546 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 8 Jan 2009 08:01:18 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n08F1Ipx050545; Thu, 8 Jan 2009 08:01:18 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from kalyani.oryx.com (kalyani.oryx.com [195.30.37.30]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n08F1HNI050538 for <ietf-sasl@imc.org>; Thu, 8 Jan 2009 08:01:17 -0700 (MST) (envelope-from arnt@oryx.com) Received: from kalyani.oryx.com (localhost.oryx.com [127.0.0.1]) by kalyani.oryx.com (Postfix) with ESMTP id 6C09A4AC6A; Thu, 8 Jan 2009 16:01:16 +0100 (CET) Received: from arnt@oryx.com (HELO lochnagar.oryx.com) by kalyani.oryx.com (Archiveopteryx 3.1.0) with esmtp id 1231426876-75452-1/6/7 (2 recipients); Thu, 8 Jan 2009 16:01:16 +0100 Message-Id: <Sb918mQs3aXkU5ctKhzXww.md5@lochnagar.oryx.com> Date: Thu, 8 Jan 2009 16:01:21 +0100 From: Arnt Gulbrandsen <arnt@oryx.com> To: ietf-sasl@imc.org Subject: Re: gs2 hashed oids Content-Type: text/plain; format=flowed Mime-Version: 1.0 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Jeffrey Hutzelman writes: > Yes, but the SASL and GS2 implementation need not worry about this; > all they should need to do is call GSS_Indicate_mechs(), whose result > will include any composite mechanisms which are part of the default > set. Or, it may use GSS_Indicate_mechs_by_mech_attrs() to list > mechanisms (including composite mechanisms) which have the attributes > GS2 requires. I see. But then a different problem appears. It sounds as if the list may be long. IMAP servers are required to return a list of available SASL mechanism on a single line, and that line shouldn't be too long. The relevant RFC cautions against lines longer than 8k, which gives space for about 350 GS2 names after subtracting syntax and some other stuff, so I assume that problems will appear somewhere between 100 and 1000 GS2 mechanism stacks. Other protocols (or common deployed implementations) may have limits, but I don't care to research that now, so I'll just take 100-1000. How likely are 100-1000 OIDs? Unthinktable, possible, unusual or common? Arnt Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n08EhXZW049499 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 8 Jan 2009 07:43:33 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n08EhXMR049498; Thu, 8 Jan 2009 07:43:33 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from jackfruit.srv.cs.cmu.edu (JACKFRUIT.SRV.CS.CMU.EDU [128.2.201.16]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n08EhWrU049492 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Thu, 8 Jan 2009 07:43:33 -0700 (MST) (envelope-from jhutz@cmu.edu) Received: from MINBAR.FAC.CS.CMU.EDU (MINBAR.FAC.CS.CMU.EDU [128.2.216.42]) (authenticated bits=0) by jackfruit.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id n08EhU6H006121 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 8 Jan 2009 09:43:30 -0500 (EST) Date: Thu, 08 Jan 2009 09:43:30 -0500 From: Jeffrey Hutzelman <jhutz@cmu.edu> To: Arnt Gulbrandsen <arnt@oryx.com>, ietf-sasl@imc.org cc: jhutz@cmu.edu Subject: Re: gs2 hashed oids Message-ID: <7B669EBF5111123FA596EADF@minbar.fac.cs.cmu.edu> In-Reply-To: <IOhp6hv/VOc/CVi5/OiGAQ.md5@lochnagar.oryx.com> References: <tsl1vvgd141.fsf@mit.edu> <87k598gijo.fsf@mocca.josefsson.org> <6560555BDF0EBFA2F546ACA5@atlantis.pc.cs.cmu.edu> <IOhp6hv/VOc/CVi5/OiGAQ.md5@lochnagar.oryx.com> X-Mailer: Mulberry/4.0.8 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Scanned-By: mimedefang-cmuscs on 128.2.201.16 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> --On Thursday, January 08, 2009 02:39:34 PM +0100 Arnt Gulbrandsen <arnt@oryx.com> wrote: > > Jeffrey Hutzelman writes: >> Stackable pseudo-mechanisms are not the same as multi-level negotiation. >> Multi-level negotiation is a problem because you end up having to >> agree on one level before knowing if there's a mutually-acceptable >> mechanism at the next. But stackable mechanisms don't work that way; >> every possible stack has an OID, composed from the OID's of the >> stacked mechanisms (see section 4.1 of >> draft-ietf-kitten-stackable-pseudo-mechs-02.txt). Then the entire >> _stack_ is negotiated at once, as if it were a single mechanism. >> This leads to an explosion of possible mechanism OID's, where it's >> not entirely possible to predict what they all are, but is entirely >> unreasonable to expect every combination to be named and registered. > > It sounds as though a server asked to use GS2-GQGFDSAGDSAF would have to > recurse through all possible mechanism stack Yes, but the SASL and GS2 implementation need not worry about this; all they should need to do is call GSS_Indicate_mechs(), whose result will include any composite mechanisms which are part of the default set. Or, it may use GSS_Indicate_mechs_by_mech_attrs() to list mechanisms (including composite mechanisms) which have the attributes GS2 requires. -- Jeff Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n08DdhwE044680 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 8 Jan 2009 06:39:43 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n08DdhVZ044679; Thu, 8 Jan 2009 06:39:43 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from kalyani.oryx.com (kalyani.oryx.com [195.30.37.30]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n08DdVmb044670 for <ietf-sasl@imc.org>; Thu, 8 Jan 2009 06:39:42 -0700 (MST) (envelope-from arnt@oryx.com) Received: from kalyani.oryx.com (localhost.oryx.com [127.0.0.1]) by kalyani.oryx.com (Postfix) with ESMTP id 55AEE4AC68; Thu, 8 Jan 2009 14:39:30 +0100 (CET) Received: from arnt@oryx.com (HELO lochnagar.oryx.com) by kalyani.oryx.com (Archiveopteryx 3.1.0) with esmtp id 1231421970-75452-1/6/5 for ietf-sasl@imc.org; Thu, 8 Jan 2009 14:39:30 +0100 Message-Id: <IOhp6hv/VOc/CVi5/OiGAQ.md5@lochnagar.oryx.com> Date: Thu, 8 Jan 2009 14:39:34 +0100 From: Arnt Gulbrandsen <arnt@oryx.com> To: ietf-sasl@imc.org Subject: Re: gs2 hashed oids References: <tsl1vvgd141.fsf@mit.edu> <87k598gijo.fsf@mocca.josefsson.org> <6560555BDF0EBFA2F546ACA5@atlantis.pc.cs.cmu.edu> In-Reply-To: <6560555BDF0EBFA2F546ACA5@atlantis.pc.cs.cmu.edu> Content-Type: text/plain; format=flowed Mime-Version: 1.0 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Jeffrey Hutzelman writes: > Stackable pseudo-mechanisms are not the same as multi-level negotiation. > Multi-level negotiation is a problem because you end up having to > agree on one level before knowing if there's a mutually-acceptable > mechanism at the next. But stackable mechanisms don't work that way; > every possible stack has an OID, composed from the OID's of the > stacked mechanisms (see section 4.1 of > draft-ietf-kitten-stackable-pseudo-mechs-02.txt). Then the entire > _stack_ is negotiated at once, as if it were a single mechanism. > This leads to an explosion of possible mechanism OID's, where it's > not entirely possible to predict what they all are, but is entirely > unreasonable to expect every combination to be named and registered. It sounds as though a server asked to use GS2-GQGFDSAGDSAF would have to recurse through all possible mechanism stack, encoding its OID as described in the kitten draft, hashing the resulting OID and comparing it against the desired name. Have I understood it correctly? (If not, then maybe it's nonobvious and should be explained in the GS2 document.) If I have, then is that practical to recurse through the tree to find the mechanism? Arnt Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n07NGhTc005474 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 7 Jan 2009 16:16:43 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n07NGhIw005473; Wed, 7 Jan 2009 16:16:43 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from chokecherry.srv.cs.cmu.edu (CHOKECHERRY.SRV.CS.CMU.EDU [128.2.185.41]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n07NGWHT005467 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-sasl@imc.org>; Wed, 7 Jan 2009 16:16:43 -0700 (MST) (envelope-from jhutz@cmu.edu) Received: from 68-246-165-160.pools.spcsdns.net (68-247-50-215.pools.spcsdns.net [68.247.50.215]) (authenticated bits=0) by chokecherry.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id n07NGPpd002028 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 7 Jan 2009 18:16:28 -0500 (EST) Date: Wed, 07 Jan 2009 18:16:25 -0500 From: Jeffrey Hutzelman <jhutz@cmu.edu> To: Simon Josefsson <simon@josefsson.org>, Sam Hartman <hartmans-ietf@mit.edu> cc: ietf-sasl@imc.org, jhutz@cmu.edu Subject: Re: gs2 hashed oids Message-ID: <6560555BDF0EBFA2F546ACA5@atlantis.pc.cs.cmu.edu> In-Reply-To: <87k598gijo.fsf@mocca.josefsson.org> References: <tsl1vvgd141.fsf@mit.edu> <87k598gijo.fsf@mocca.josefsson.org> X-Mailer: Mulberry/4.0.8 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Scanned-By: mimedefang-cmuscs on 128.2.185.41 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> --On Tuesday, January 06, 2009 11:45:47 PM +0100 Simon Josefsson <simon@josefsson.org> wrote: > I have two relatively mild concerns. > > The first concern is that the quality of non-standard GSS-API mechanisms > are sometimes low, so it may open up for security problems in SASL if > such mechanisms become available automatically. This is a classic conceit. Our concern that a particular non-standard mechanism might be insecure and make "our protocol" insecure is really completely irrelevant to the operator who uses that mechanism as his enterprise authentication mechanism. Choice of mechanisms is a policy decision, and our role as protocol designers and implementors is not to set policy(*). > I believe GS2 would > need a security consideration that explains this. I certainly think we need to say that the security of GS2 depends on the security properties of the particular underlying GSS-API mechanism used, and in what ways. I don't think we need to or should say "WARNING: don't use non-standard mechanisms, because they are low quality" or similar FUD. > Another concern is that the hashed OID makes the mechanism names harder > to read for humans. Ordinary users do chose between CRAM-MD5 and > DIGEST-MD5 in mail applications today. I would fear a usability review > of a user interface that asks the users to chose between > GS2-DT4PIK22T6EPV2PY and GS2-QLJHGJLWNPLNQRNK. I would, too, if I had designed that user interface. But given the choice between an implementation which showed a user-friendly mechanism name like "GSS-API with Kerberos" or "GSS-API with public keys" for mechanisms it knows about and a hashed named for others, and one which showed names like "GS2-KERBEROS" or "GS2-SPKM" for mechanisms it knows about and doesn't let me use other mechanisms at all, I'd pick the former every time. > There is a relatively easy solution to both these concerns: require that > a name is registered with IANA for every GSS-API mechanism that is > intended for use in SASL. This is not too onerous IMHO, since the > registration approach is First-Come-First-Serve. It is, because random enterprises don't know or care about the IETF or IANA or want to have to register their private mechanisms with someone before they can use them. It's also unnecessary to impose such a requirement. \>> I think it is also important that we support dynamic stackable >> pseudo-mechanisms, which means we need to have some solution for >> mechanisms that cannot be registered. > > This seems like a separate issue, and potentially a problematic one: how > do we avoid interop problems if mechanism X is negotiated under > pseudo-mechanism Y or pseudo-mechanism Z or directly as X? GS2 contains > text about GSS-API mechanisms that negotiates other mechanisms now, but > it seems the same concern also applies to pseudo-mechanisms. Stackable pseudo-mechanisms are not the same as multi-level negotiation. Multi-level negotiation is a problem because you end up having to agree on one level before knowing if there's a mutually-acceptable mechanism at the next. But stackable mechanisms don't work that way; every possible stack has an OID, composed from the OID's of the stacked mechanisms (see section 4.1 of draft-ietf-kitten-stackable-pseudo-mechs-02.txt). Then the entire _stack_ is negotiated at once, as if it were a single mechanism. This leads to an explosion of possible mechanism OID's, where it's not entirely possible to predict what they all are, but is entirely unreasonable to expect every combination to be named and registered. -- Jeff Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n07Bjjm1068779 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 7 Jan 2009 04:45:45 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n07Bjjvc068778; Wed, 7 Jan 2009 04:45:45 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from kalyani.oryx.com (kalyani.oryx.com [195.30.37.30]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n07BjiKQ068771 for <ietf-sasl@imc.org>; Wed, 7 Jan 2009 04:45:44 -0700 (MST) (envelope-from arnt@oryx.com) Received: from kalyani.oryx.com (localhost.oryx.com [127.0.0.1]) by kalyani.oryx.com (Postfix) with ESMTP id 784154AC44; Wed, 7 Jan 2009 12:45:43 +0100 (CET) Received: from arnt@oryx.com (HELO lochnagar.oryx.com) by kalyani.oryx.com (Archiveopteryx 3.1.0) with esmtp id 1231328743-64703-1/6/3 (2 recipients); Wed, 7 Jan 2009 12:45:43 +0100 Message-Id: <Z1+szp0n99Fb3lJTXxnMTA.md5@lochnagar.oryx.com> Date: Wed, 7 Jan 2009 12:45:46 +0100 From: Arnt Gulbrandsen <arnt@oryx.com> To: ietf-sasl@imc.org Subject: Re: gs2 hashed oids References: <tsl1vvgd141.fsf@mit.edu> <87k598gijo.fsf@mocca.josefsson.org> <twNA6KE/eB0DGjdwujDPiw.md5@lochnagar.oryx.com> <877i578its.fsf@mocca.josefsson.org> In-Reply-To: <877i578its.fsf@mocca.josefsson.org> Content-Type: text/plain; format=flowed Mime-Version: 1.0 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Simon Josefsson writes: > Arnt Gulbrandsen <arnt@oryx.com> writes: >> Side note: Would it be permissible at all to use GSS-API >> experimenta/non-standard mechanisms in SASL without an X- prefix? > > The registration model described in RFC 4422 -- first come first > serve, with no technical review -- appears to permit almost any > mechanism in SASL, not just standardized mechanisms. I don't see a > difference between a GSS-API mechanism and a SASL mechanism in this > context. OK Arnt Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n07BJSwi067614 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 7 Jan 2009 04:19:28 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n07BJSGU067613; Wed, 7 Jan 2009 04:19:28 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n07BJFTg067600 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Wed, 7 Jan 2009 04:19:27 -0700 (MST) (envelope-from simon@josefsson.org) Received: from c80-216-27-189.bredband.comhem.se ([80.216.27.189] helo=mocca.josefsson.org) by yxa-v.extundo.com with esmtpsa (TLS-1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.63) (envelope-from <simon@josefsson.org>) id 1LKWRL-0000nD-Lx; Wed, 07 Jan 2009 12:19:11 +0100 From: Simon Josefsson <simon@josefsson.org> To: Arnt Gulbrandsen <arnt@oryx.com> Cc: ietf-sasl@imc.org Subject: Re: gs2 hashed oids References: <tsl1vvgd141.fsf@mit.edu> <87k598gijo.fsf@mocca.josefsson.org> <twNA6KE/eB0DGjdwujDPiw.md5@lochnagar.oryx.com> OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:090107:arnt@oryx.com::gA4+LkH1GVltyKp3:JmS4 X-Hashcash: 1:22:090107:ietf-sasl@imc.org::GCJY3rjZVxTmDDZ6:J1By Date: Wed, 07 Jan 2009 12:19:11 +0100 In-Reply-To: <twNA6KE/eB0DGjdwujDPiw.md5@lochnagar.oryx.com> (Arnt Gulbrandsen's message of "Wed, 7 Jan 2009 12:06:36 +0100") Message-ID: <877i578its.fsf@mocca.josefsson.org> User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-1.4 required=5.0 tests=ALL_TRUSTED,AWL autolearn=ham version=3.2.3 (2007-08-08) host=yxa-v.extundo.com Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Arnt Gulbrandsen <arnt@oryx.com> writes: > Simon Josefsson writes: >> There is a relatively easy solution to both these concerns: require >> that a name is registered with IANA for every GSS-API mechanism that >> is intended for use in SASL. This is not too onerous IMHO, since the >> registration approach is First-Come-First-Serve. There are X-* >> mechanism names for those who only wants to experiment. > > Side note: Would it be permissible at all to use GSS-API > experimenta/non-standard mechanisms in SASL without an X- prefix? The registration model described in RFC 4422 -- first come first serve, with no technical review -- appears to permit almost any mechanism in SASL, not just standardized mechanisms. I don't see a difference between a GSS-API mechanism and a SASL mechanism in this context. /Simon Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n07B6a6b066783 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 7 Jan 2009 04:06:36 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n07B6asl066782; Wed, 7 Jan 2009 04:06:36 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from kalyani.oryx.com (kalyani.oryx.com [195.30.37.30]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n07B6YoT066776 for <ietf-sasl@imc.org>; Wed, 7 Jan 2009 04:06:34 -0700 (MST) (envelope-from arnt@oryx.com) Received: from kalyani.oryx.com (localhost.oryx.com [127.0.0.1]) by kalyani.oryx.com (Postfix) with ESMTP id 9B2D94AC44; Wed, 7 Jan 2009 12:06:33 +0100 (CET) Received: from arnt@oryx.com (HELO lochnagar.oryx.com) by kalyani.oryx.com (Archiveopteryx 3.1.0) with esmtp id 1231326393-64703-1/6/2 (2 recipients); Wed, 7 Jan 2009 12:06:33 +0100 Message-Id: <twNA6KE/eB0DGjdwujDPiw.md5@lochnagar.oryx.com> Date: Wed, 7 Jan 2009 12:06:36 +0100 From: Arnt Gulbrandsen <arnt@oryx.com> To: ietf-sasl@imc.org Subject: Re: gs2 hashed oids References: <tsl1vvgd141.fsf@mit.edu> <87k598gijo.fsf@mocca.josefsson.org> In-Reply-To: <87k598gijo.fsf@mocca.josefsson.org> Content-Type: text/plain; format=flowed Mime-Version: 1.0 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Simon Josefsson writes: > There is a relatively easy solution to both these concerns: require > that a name is registered with IANA for every GSS-API mechanism that > is intended for use in SASL. This is not too onerous IMHO, since the > registration approach is First-Come-First-Serve. There are X-* > mechanism names for those who only wants to experiment. Side note: Would it be permissible at all to use GSS-API experimenta/non-standard mechanisms in SASL without an X- prefix? Arnt Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n07B54Es066685 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 7 Jan 2009 04:05:04 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n07B54UA066684; Wed, 7 Jan 2009 04:05:04 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from kalyani.oryx.com (kalyani.oryx.com [195.30.37.30]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n07B4qMt066666 for <ietf-sasl@imc.org>; Wed, 7 Jan 2009 04:05:03 -0700 (MST) (envelope-from arnt@oryx.com) Received: from kalyani.oryx.com (localhost.oryx.com [127.0.0.1]) by kalyani.oryx.com (Postfix) with ESMTP id 2CF574AC44; Wed, 7 Jan 2009 12:04:51 +0100 (CET) Received: from arnt@oryx.com (HELO lochnagar.oryx.com) by kalyani.oryx.com (Archiveopteryx 3.1.0) with esmtp id 1231326290-64703-1/6/2 for ietf-sasl@imc.org; Wed, 7 Jan 2009 12:04:50 +0100 Message-Id: <CBELhLqUw2XvahjZYHSe1w.md5@lochnagar.oryx.com> Date: Wed, 7 Jan 2009 12:04:53 +0100 From: Arnt Gulbrandsen <arnt@oryx.com> To: ietf-sasl@imc.org Subject: Re: gs2 hashed oids References: <tsl1vvgd141.fsf@mit.edu> <87k598gijo.fsf@mocca.josefsson.org> In-Reply-To: <87k598gijo.fsf@mocca.josefsson.org> Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8; format=flowed Mime-Version: 1.0 Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Sam Hartman: >> Like Jeff Hutzelman I believe that it is important to be able to use=20 >> a GSS-API mechanism in an application that has never heard of that=20 >> mechanism. (Why is this important?) >> We have significant evidence from SAP R3 this can be made to work=20 >> and evidence from other applications that it is valuable in those=20 >> contexts. (Do tell?) >> I don't understand why people think this would be a bad idea, and=20 >> would be happy to discuss. 1. Some application developers (quite a few in my experience =E2=80=94 I = was a=20 library person in a past life) really don't want customers to use=20 something they haven't tested, and do not want to have unknown plugins=20 loaded at the customer or unknown mechanisms used there. Do you know=20 the old saying "fly what you test and test what you fly"? 2. Some application developers (mostly the same set as above, but not=20 quite) want the ability to reproduce what the customers are seeing.=20 Using something unknown to the application is problematic. (There are=20 also other problems, of course.) Arnt Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n06Mk5ro032118 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 6 Jan 2009 15:46:05 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n06Mk5kx032117; Tue, 6 Jan 2009 15:46:05 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n06Mjq8a032099 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO) for <ietf-sasl@imc.org>; Tue, 6 Jan 2009 15:46:04 -0700 (MST) (envelope-from simon@josefsson.org) Received: from c80-216-27-189.bredband.comhem.se ([80.216.27.189] helo=mocca.josefsson.org) by yxa-v.extundo.com with esmtpsa (TLS-1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.63) (envelope-from <simon@josefsson.org>) id 1LKKgG-0007mF-D1; Tue, 06 Jan 2009 23:45:49 +0100 From: Simon Josefsson <simon@josefsson.org> To: Sam Hartman <hartmans-ietf@mit.edu> Cc: ietf-sasl@imc.org Subject: Re: gs2 hashed oids References: <tsl1vvgd141.fsf@mit.edu> OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Hashcash: 1:22:090106:ietf-sasl@imc.org::xYYypeL36Utgqo3O:7QYT X-Hashcash: 1:22:090106:hartmans-ietf@mit.edu::MfLf47J9MR3sYC/H:9Zt7 Date: Tue, 06 Jan 2009 23:45:47 +0100 In-Reply-To: <tsl1vvgd141.fsf@mit.edu> (Sam Hartman's message of "Tue, 06 Jan 2009 08:18:22 -0500") Message-ID: <87k598gijo.fsf@mocca.josefsson.org> User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, score=-1.4 required=5.0 tests=ALL_TRUSTED,AWL autolearn=ham version=3.2.3 (2007-08-08) host=yxa-v.extundo.com Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Sam Hartman <hartmans-ietf@mit.edu> writes: > Like Jeff Hutzelman I believe that it is important to be able to use a > GSS-API mechanism in an application that has never heard of that > mechanism. We have significant evidence from SAP R3 this can be made > to work and evidence from other applications that it is valuable in > those contexts. I don't understand why people think this would be a > bad idea, and would be happy to discuss. I have two relatively mild concerns. The first concern is that the quality of non-standard GSS-API mechanisms are sometimes low, so it may open up for security problems in SASL if such mechanisms become available automatically. I believe GS2 would need a security consideration that explains this. Another concern is that the hashed OID makes the mechanism names harder to read for humans. Ordinary users do chose between CRAM-MD5 and DIGEST-MD5 in mail applications today. I would fear a usability review of a user interface that asks the users to chose between GS2-DT4PIK22T6EPV2PY and GS2-QLJHGJLWNPLNQRNK. There is a relatively easy solution to both these concerns: require that a name is registered with IANA for every GSS-API mechanism that is intended for use in SASL. This is not too onerous IMHO, since the registration approach is First-Come-First-Serve. There are X-* mechanism names for those who only wants to experiment. However, this is merely my preference, and I don't feel strongly about it. I can live with hashed OIDs too, and will propose text for the security considerations about this point. > I think it is also important that we support dynamic stackable > pseudo-mechanisms, which means we need to have some solution for > mechanisms that cannot be registered. This seems like a separate issue, and potentially a problematic one: how do we avoid interop problems if mechanism X is negotiated under pseudo-mechanism Y or pseudo-mechanism Z or directly as X? GS2 contains text about GSS-API mechanisms that negotiates other mechanisms now, but it seems the same concern also applies to pseudo-mechanisms. /Simon Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n06DIkrh001438 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 6 Jan 2009 06:18:46 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n06DIk3U001437; Tue, 6 Jan 2009 06:18:46 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n06DIZjO001424 for <ietf-sasl@imc.org>; Tue, 6 Jan 2009 06:18:46 -0700 (MST) (envelope-from hartmans@mit.edu) Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id B4D12451B; Tue, 6 Jan 2009 08:18:22 -0500 (EST) From: Sam Hartman <hartmans-ietf@mit.edu> To: ietf-sasl@imc.org Subject: gs2 hashed oids Date: Tue, 06 Jan 2009 08:18:22 -0500 Message-ID: <tsl1vvgd141.fsf@mit.edu> User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-sasl@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/> List-ID: <ietf-sasl.imc.org> List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe> Hi. Nico, thanks for conveying my concern. I'm really sorry that I was so busy, but my consulting practice and the nomcom have taken up all my time lately. Like Jeff Hutzelman I believe that it is important to be able to use a GSS-API mechanism in an application that has never heard of that mechanism. We have significant evidence from SAP R3 this can be made to work and evidence from other applications that it is valuable in those contexts. I don't understand why people think this would be a bad idea, and would be happy to discuss. If I'm not sufficiently responsive here please IM or send me personal mail. I believe the same arguments apply to SASL and I definitely want to use SASL mechanisms with applications that have not been intended to use the mechanisms I've using. I've done this with many applications that use the Cyrus framework at least on the client and it has been incredibly valuable in several deployments. I think it is critical we avoid situations where a SASL mechanism has multiple names. I think the OS distributor arguments that Jeff brings up are quite valid. My strong preference is to keep hashed oid names. If we cannot get a consensus to do that, we should fall back to something. I think it would be a very bad idea to give scram and Kerberos names but not have a plan for how we can do the same in the future. If there are sufficient pressures that we cannot get consensus behind hashed oid names, then we should get something that will work long-term, not adopt a solution for scram and kerberos only to have the fight again later with deployed code blocking our options. So, my preference is to get consensus that hashed oid names are acceptable. If that fails, we should design a mechanism that will allow us to assign names to mechanisms but that will handle the OS distribution problems. I think it is also important that we support dynamic stackable pseudo-mechanisms, which means we need to have some solution for mechanisms that cannot be registered.
- ABNF for the three cases of GS2 Sam Hartman
- Re: ABNF for the three cases of GS2 Nicolas Williams
- Re: ABNF for the three cases of GS2 Sam Hartman
- Re: ABNF for the three cases of GS2 Simon Josefsson
- Re: ABNF for the three cases of GS2 Nicolas Williams
- Re: ABNF for the three cases of GS2 Chris Newman
- Re: ABNF for the three cases of SCRAM as GS2 Alexey Melnikov
- Re: ABNF for the three cases of SCRAM as GS2 Sam Hartman
- Re: ABNF for the three cases of SCRAM as GS2 Alexey Melnikov
- Re: ABNF for the three cases of SCRAM as GS2 Alexey Melnikov
- Re: ABNF for the three cases of SCRAM as GS2 Hallvard B Furuseth
- Re: ABNF for the three cases of SCRAM as GS2 Jeffrey Hutzelman
- Re: ABNF for the three cases of SCRAM as GS2 Alexey Melnikov
- Re: SCRAM notes (was: ABNF for the three cases of… Hallvard B Furuseth
- Re: SCRAM notes (was: ABNF for the three cases of… Jeffrey Hutzelman
- Re: SCRAM notes (was: ABNF for the three cases of… Hallvard B Furuseth
- Re: SCRAM notes (was: ABNF for the three cases of… Hallvard B Furuseth
- Re: SCRAM notes Alexey Melnikov
- Re: SCRAM notes Jeffrey Hutzelman
- Re: SCRAM notes Alexey Melnikov
- Re: SCRAM notes Hallvard B Furuseth
- Re: SCRAM notes Hallvard B Furuseth
- Re: SCRAM notes Jeffrey Hutzelman
- Re: SCRAM notes Alexey Melnikov
- Re: SCRAM notes Alexey Melnikov
- Re: ABNF for the three cases of SCRAM as GS2 Alexey Melnikov
- Re: SCRAM notes Alexey Melnikov
- Re: SCRAM notes Alexey Melnikov
- Re: SCRAM notes Alexey Melnikov
- Re: SCRAM notes Alexey Melnikov
- Re: ABNF for the three cases of SCRAM as GS2 Hallvard B Furuseth
- Re: ABNF for the three cases of SCRAM as GS2 Alexey Melnikov