Re: I-D ACTION:draft-ietf-sasl-crammd5-to-historic-00.txt
John C Klensin <john-ietf@jck.com> Tue, 25 November 2008 16:19 UTC
Return-Path: <owner-ietf-sasl@mail.imc.org>
X-Original-To: ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com
Delivered-To: ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CED523A67DD for <ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com>; Tue, 25 Nov 2008 08:19:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.266
X-Spam-Level:
X-Spam-Status: No, score=-3.266 tagged_above=-999 required=5 tests=[AWL=-0.667, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VP80GM0CMoua for <ietfarch-sasl-archive-Zoh8yoh9@core3.amsl.com>; Tue, 25 Nov 2008 08:19:17 -0800 (PST)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id C4DD83A6B7D for <sasl-archive-Zoh8yoh9@ietf.org>; Tue, 25 Nov 2008 08:19:16 -0800 (PST)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id mAPG6n1x065413 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 25 Nov 2008 09:06:49 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id mAPG6nB8065412; Tue, 25 Nov 2008 09:06:49 -0700 (MST) (envelope-from owner-ietf-sasl@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f
Received: from bs.jck.com (ns.jck.com [209.187.148.211]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id mAPG6b6Z065394 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for <ietf-sasl@imc.org>; Tue, 25 Nov 2008 09:06:48 -0700 (MST) (envelope-from john-ietf@jck.com)
Received: from [127.0.0.1] (helo=p3.JCK.COM) by bs.jck.com with esmtp (Exim 4.34) id 1L50Qo-000C1Y-06; Tue, 25 Nov 2008 11:06:30 -0500
Date: Tue, 25 Nov 2008 11:06:28 -0500
From: John C Klensin <john-ietf@jck.com>
To: Kurt.Zeilenga@isode.com
cc: ietf-sasl@imc.org, pasi.eronen@nokia.com
Subject: Re: I-D ACTION:draft-ietf-sasl-crammd5-to-historic-00.txt
Message-ID: <7928C65B3EEAEB90C35C6853@p3.int.jck.com>
In-Reply-To: <20081124223001.B88703A682C@core3.amsl.com>
References: <20081124223001.B88703A682C@core3.amsl.com>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: owner-ietf-sasl@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-ID: <ietf-sasl.imc.org>
List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
--On Monday, 24 November, 2008 14:30 -0800 Internet-Drafts@ietf.org wrote: > A New Internet-Draft is available from the on-line > Internet-Drafts directories. > This draft is a work item of the Simple Authentication and > Security Layer Working Group of the IETF. > > Title : CRAM-MD5 to Historic > Author(s) : K. Zeilenga > Filename : draft-ietf-sasl-crammd5-to-historic-00.txt > Pages : 6 > Date : 2008-11-24 > > This document recommends the retirement of the CRAM-MD5 > authentication mechanism, and discusses the reasons for > doing so. This document recommends RFC 2195 and its > predecessor, RFC 2095, be moved to Historic status. Folks, While I have no particular attachment to CRAM-MD5 -- Paul, Randy, and I created it as a service to the community -- I suggest that you consider this active _very_ carefully. In particular (and playing the role of devil's advocate much more than that of author): * CRAM-MD5 was designed at a time when the IETF was campaigning against clear-text passwords on the wire, as a "better than nothing" alternative. While its perceived strength has weakened over the years, it may still have some value in that area. More important, it did not require cryptography, which was perceived as an important issue for places and circumstances where cryptography was prohibited or significantly restricted. * Empirically, CRAM-MD5 is quite widely deployed and interoperable. The claims in this document about the weakness of the definition notwithstanding, the evidence on the ground is that people have been able to make it work (possibly by aggressive application of the robustness principle). Replacing it on a flag-day basis ("move this to Historic when SCRAM is published") with a protocol that has not been similarly tested and deployed seems to me to be unwise. * The document appears to suggest that clear-text passwords over TLS are more desirable than CRAM-MD5. In a world in which (i) all certificates were anchored in well-established and trustworthy CAs and based on more than "responds to email" or "has domain" and (ii) an in-depth analysis had been done on the ability to use partially-known-plaintext attacks (based on the very predictable nature of the SMTP, POP, IMAP, etc., session-initiation dialogues) on TLS and a conclusion of "no problems" reached I would certainly agree with that conclusion about clear-text over TLS if it were substantiated. However, in a world in which typical certs for mail servers seem to be either self-signed (or certified on the basis of email address dialogues or domain name ownership), in which attacks on the DNS are well-known and the proper response to "Bind 8 is dead" may be "before or after Bind 4?", methods based on challenge-response may have one advantage that the I-D does not discuss, namely being independent of the certificate and DNS situation and relationships. * The previous effort to replace CRAM-MD5 with something else involved an effort to deprecate it in favor of Digest-MD5 which was argued to be much more secure, etc., etc. That effort fizzled out when it became clear that Digest-MD5 had its own set of problems and that the marginal security benefits were probably not worth the trouble. I have not studied SCRAM, but, absent an RFC-published specification and several years of experience, I don't have significant reason to believe that, in practice, it will offer much more marginal benefit over CRAM-MD5 than Digest-MD5 turned out to. Trying to replace one mechanism with another involves significant costs, especially to interoperability as some systems select one of the methods and others select other ones, so the advantages had better be significant. Given all of that, I wonder if denouncing CRAM-MD5 as strongly as this document seems to is really appropriate. Would it not be a lot more sensible and realistic to: (i) Publish an updated version of 2195 that reflects at more length on the security issues and warnings about them? I note that, given the requirement for two interoperable implementations, this document could be published at Draft Standard and that there is _no_ bar to doing so under the procedures specified in RFC 2026. (ii) Publish SCRAM and see if it gets any traction in practice. (iii) When, and only if, SCRAM actually does get significant deployment in practice, move CRAM-MD5 to Historic. regards, john
- I-D ACTION:draft-ietf-sasl-crammd5-to-historic-00… Internet-Drafts
- Re: I-D ACTION:draft-ietf-sasl-crammd5-to-histori… John C Klensin
- Re: I-D ACTION:draft-ietf-sasl-crammd5-to-histori… Simon Josefsson
- Re: I-D ACTION:draft-ietf-sasl-crammd5-to-histori… Paul Smith
- Re: I-D ACTION:draft-ietf-sasl-crammd5-to-histori… Simon Josefsson
- Re: I-D ACTION:draft-ietf-sasl-crammd5-to-histori… John C Klensin