Re: [secdir] Secdir review of draft-hansen-scram-sha256-02

Tony Hansen <tony@att.com> Sat, 23 May 2015 00:01 UTC

Message-ID: <555FC2F6.5070106@att.com>
Date: Fri, 22 May 2015 19:59:50 -0400
From: Tony Hansen <tony@att.com>
To: Vincent Roca <vincent.roca@inria.fr>, IESG <iesg@ietf.org>, secdir@ietf.org, draft-hansen-scram-sha256@tools.ietf.org
References: <8B34786B-0A64-4566-BC35-12813DECE910@inria.fr>
In-Reply-To: <8B34786B-0A64-4566-BC35-12813DECE910@inria.fr>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/HHwLfuw2fmTJTo9KK_61rvmlZ48>

On 5/13/15 6:32 AM, Vincent Roca wrote:
> Hello,
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> *Summary: ready with minor issues*
>
> This document records the SHA-256 variants of SCRAM SASL mechanisms.
> As it complements RFC 5802, the authors refer to its security section:
>    "The security considerations from [RFC5802] still apply."
>
> I have no objection, as the RFC 5802 security section seems well
> documented (I'm not an expert in the domain, however).
>
> That being said, I have two comments:
>
> - There is no mention of the motivation for moving from SHA-1 to SHA-256.
>   I think the security section is a nice place for that, and the
>   authors can easily refer to RFC 4270 and RFC 6194 (there may be other
>   references too that I'm not aware of).
>
> - RFC 2119 is missing from the Normative References. Please add it.
>    [R2119]  Bradner, S., "Key words for use in RFCs to Indicate
>             Requirement Levels", BCP 14, RFC 2119, March 1997.
>   I also think that RFC 4422 should be moved to the Normative References,
>   as it is a mandatory-to-read reference for the present document.
>

Vincent, thank you for your review.

I've added the RFC2119 reference and moved 4422 to Normative.

I've added a reference to RFCs 4270 and 6194 in the security section.

    Tony
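The mechanism under review parameterises SCRAM (RFC 5802) by its hash function. The following is an added illustration, not text from the thread or the draft: the key derivation, client proof and server signature of RFC 5802, with the hash name as a parameter so the SHA-1 and SHA-256 variants can be run side by side. Salt, nonces and password are constructed sample values; SASLprep normalisation is replaced by plain UTF-8 encoding for brevity.

```python
import base64
import hashlib
import hmac


def scram_keys(password, salt, iterations, hash_name):
    """Derive (ClientKey, StoredKey, ServerKey) per RFC 5802 for the given hash."""
    dk_len = hashlib.new(hash_name).digest_size
    # Hi() is PBKDF2 with HMAC-<hash>; output length equals the digest size.
    # Real implementations apply SASLprep to the password before encoding.
    salted = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations, dk_len)
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hash_name).digest()
    return client_key, stored_key, server_key


def client_proof(client_key, stored_key, auth_message, hash_name):
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    sig = hmac.new(stored_key, auth_message, hash_name).digest()
    return bytes(a ^ b for a, b in zip(client_key, sig))


def server_verify(stored_key, server_key, auth_message, proof, hash_name):
    """Server side: recover ClientKey from the proof; return ServerSignature or None."""
    sig = hmac.new(stored_key, auth_message, hash_name).digest()
    recovered = bytes(a ^ b for a, b in zip(proof, sig))
    if not hmac.compare_digest(hashlib.new(hash_name, recovered).digest(), stored_key):
        return None  # H(recovered ClientKey) != StoredKey: wrong password
    return hmac.new(server_key, auth_message, hash_name).digest()


def run_exchange(hash_name, enrolled_password, attempt):
    """Simulate one SCRAM exchange; True only if both proof and server signature verify."""
    salt, iterations = b"constructed-salt", 4096          # constructed sample values
    nonce = b"cnonce0123456789snonce9876543210"           # client nonce + server nonce
    client_first_bare = b"n=user,r=cnonce0123456789"
    server_first = b"r=" + nonce + b",s=" + base64.b64encode(salt) + b",i=4096"
    client_final_no_proof = b"c=biws,r=" + nonce
    auth_message = client_first_bare + b"," + server_first + b"," + client_final_no_proof
    # The server stores only StoredKey and ServerKey, derived at enrolment.
    _, stored_key, server_key = scram_keys(enrolled_password, salt, iterations, hash_name)
    # The client derives its keys from the password it was given this session.
    c_key, c_stored, c_server = scram_keys(attempt, salt, iterations, hash_name)
    proof = client_proof(c_key, c_stored, auth_message, hash_name)
    server_sig = server_verify(stored_key, server_key, auth_message, proof, hash_name)
    if server_sig is None:
        return False
    # Mutual authentication: the client checks the server signature with its ServerKey.
    expected = hmac.new(c_server, auth_message, hash_name).digest()
    return hmac.compare_digest(server_sig, expected)
```

Switching `hash_name` between "sha1" and "sha256" changes every key and proof length (20 versus 32 bytes) but nothing else in the exchange, which is exactly what the draft registers.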