IETF Logo Mail Archive

Re: Or: simplifying GS2 (Re: Poll: pure SCRAM versa SCRAM-as-GS2)

Alexey Melnikov <alexey.melnikov@isode.com> Thu, 19 February 2009 11:56 UTC

Return-Path: <owner-ietf-sasl@mail.imc.org>
X-Original-To: ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com
Delivered-To: ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 001483A6A6C for <ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com>; Thu, 19 Feb 2009 03:56:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.807
X-Spam-Level:
X-Spam-Status: No, score=-0.807 tagged_above=-999 required=5 tests=[AWL=0.241, BAYES_00=-2.599, RCVD_IN_SBL=1.551]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hpaIQPtvUZxq for <ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com>; Thu, 19 Feb 2009 03:56:10 -0800 (PST)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id C82F73A6823 for <sasl-archive-Zoh8yoh9@ietf.org>; Thu, 19 Feb 2009 03:56:09 -0800 (PST)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n1JBoBwZ011515 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 19 Feb 2009 04:50:11 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n1JBoB3s011514; Thu, 19 Feb 2009 04:50:11 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n1JBnxdl011495 for <ietf-sasl@imc.org>; Thu, 19 Feb 2009 04:50:10 -0700 (MST) (envelope-from alexey.melnikov@isode.com)
Received: from [92.40.14.232] (92.40.14.232.sub.mbb.three.co.uk [92.40.14.232]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <SZ1HYgB0lI9E@rufus.isode.com>; Thu, 19 Feb 2009 11:49:56 +0000
Message-ID: <499D474E.1060007@isode.com>
Date: Thu, 19 Feb 2009 11:49:34 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: en-us, en
To: Nicolas Williams <Nicolas.Williams@sun.com>
CC: SASL WG <ietf-sasl@imc.org>
Subject: Re: Or: simplifying GS2 (Re: Poll: pure SCRAM versa SCRAM-as-GS2)
References: <20090217224416.GM9992@Sun.COM>
In-Reply-To: <20090217224416.GM9992@Sun.COM>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-sasl@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-ID: <ietf-sasl.imc.org>
List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>

Nicolas Williams wrote:

>Perhaps we can just simplify GS2 enough that all concerns go away.
>
>The primary differences between the GSS-API and SASL:
>
>a) one is message-oriented (GSS), the other is stream-oriented (SASL);
>
>b) SASL client apps must send the name of the mech being used before
>   using it, while the GSS-API includes the "name" of the selected mech
>   in the first authentication message;
>
This might be a minor detail, but if understand correctly, GSS-API is 
using OIDs for naming, while SASL typically doesn't.

>c) SASL authentication message exchanges negotiate what security layers
>   will be used and maximum message sizes; the GSS-API does no such
>   negotiations;
>
>d) the GSS-API has channel binding, but it's all or nothing, and it's
>   optional; SASL has never had channel binding.
>
>e) terminology :)
>
>(a) is easy to address in a SASL/GSS bridge.
>(b) is easy to address in a SASL/GSS bridge.
>
I am not entirely sure what you call "bridge" in this case, but I tend 
to agree with your conclusion ;-).

>(c) is easy to addres by replacing security layers with channel binding
>    to TLS,
>
As a side note: we shouldn't be requiring TLS to be the only channel 
binding, even though we can recommend it.

>which has the added advantage of simplifying mechanisms and
>    making (a) not matter.
>  
>
Agreed.
I think draft-newman-auth-scram-gs2-00.txt already made the same choice.

>(d) matters only if we want channel binding in SASL, and I think we long
>    ago agreed we did, and if we re-open that question I believe we'll
>    again conclude that we want it.
>  
>
Agreed.

>(e) we can ignore :)
>  
>
I think this is mostly an editorial issue, which might require quite a 
bit of work.
But I agree it should be ignored for now.

>So what makes GS2 not simple?  The fact that we chose to make the GS2
>channel binding semantics different from the GSS-API's: we chose to make
>channel binding success/failure affect the negotiation of security
>layers.
>
>If we reconsider that one choice we could simplify GS2 enough that a
>single specification of SCRAM-as-a-GSS-API mechanism will satisfy all.
>
I agree that would make GS2 simpler, but I am not convinced that that 
would be enough to make SCRAM-as-GS2 satisfy Chris Newman's requirement 
on simplicity. But anyway, I am willing to participate and see what the 
result would be.

I think the extra complexity lies is the need to have authorization 
identity separate from the rest of SCRAM data (because it is transported 
by GS2 itself), this requires an extra hash for protecting it. The same 
applies to the channel binding data, but your proposal above addresses 
this to some extend.

v2.23.0 | Report a Bug | By Email