[secdir] Secdir review of draft-hansen-scram-sha256-02

Vincent Roca <vincent.roca@inria.fr> Wed, 13 May 2015 10:32 UTC

From: Vincent Roca <vincent.roca@inria.fr>
Date: Wed, 13 May 2015 12:32:40 +0200
Message-Id: <8B34786B-0A64-4566-BC35-12813DECE910@inria.fr>
To: IESG <iesg@ietf.org>, secdir@ietf.org, draft-hansen-scram-sha256@tools.ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/lgsg5PXGj0w_J9q3Czy62Znm7EM>

Hello,

I have reviewed this document as part of the security directorate’s ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these comments just
like any other last call comments.


Summary: ready with minor issues


This document records the SHA-256 variants of SCRAM SASL mechanisms.
As it complements RFC 5802, the authors refer to its security section:
   "The security considerations from [RFC5802] still apply."

I have no objection, as the RFC 5802 security section seems well documented
(I'm not an expert in the domain, however).

That being said, I have two comments:

- there is no mention of the motivation for moving from SHA-1 to SHA-256.
  I think the security section is a nice place for that, and the authors can easily
  refer to RFC 4270 and RFC 6194 (there may be other references too that
  I’m not aware of).

- RFC 2119 is missing from the Normative References. Please add it.
   [R2119]  Bradner, S., "Key words for use in RFCs to Indicate
            Requirement Levels", BCP 14, RFC 2119, March 1997.
  I also think that RFC 4422 should be moved to the Normative References,
  as it is a mandatory-to-read reference for the present document.


Cheers,

  Vincent
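The review above refers to the SCRAM construction of RFC 5802 with SHA-256 substituted for SHA-1. The following is an added illustration, not code from the review or from the draft, of that construction on both sides of the exchange: enrollment derives StoredKey and ServerKey from the password via Hi() (PBKDF2-HMAC-SHA-256), the client computes ClientProof over AuthMessage, and the server recovers ClientKey from the proof and checks H(ClientKey) against StoredKey before answering with ServerSignature. User name, nonces, salt and password are constructed sample values; SASLprep is omitted because the sample password is plain ASCII.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# The draft registers the SHA-256 variant of RFC 5802's construction; every
# H(), HMAC() and Hi() below therefore uses SHA-256.
HASH = "sha256"
DIGEST_LEN = hashlib.new(HASH).digest_size  # 32 bytes


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802: PBKDF2 with HMAC as PRF and dkLen = hash output size."""
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations, DIGEST_LEN)


def h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class StoredCredential:
    """What the server keeps per user: salt, iteration count, StoredKey, ServerKey.
    The password itself and ClientKey are never stored."""
    salt: bytes
    iterations: int
    stored_key: bytes
    server_key: bytes


def enroll(password: str, salt: bytes, iterations: int = 4096) -> StoredCredential:
    salted = hi(password.encode(), salt, iterations)
    client_key = mac(salted, b"Client Key")
    server_key = mac(salted, b"Server Key")
    return StoredCredential(salt, iterations, h(client_key), server_key)


def build_auth_message(user: str, client_nonce: str, server_nonce: str,
                       salt: bytes, iterations: int) -> bytes:
    """AuthMessage = client-first-message-bare , server-first-message ,
    client-final-message-without-proof. 'c=biws' is base64 of the GS2 header 'n,,'."""
    combined = client_nonce + server_nonce
    client_first_bare = f"n={user},r={client_nonce}"
    server_first = f"r={combined},s={base64.b64encode(salt).decode()},i={iterations}"
    client_final_without_proof = f"c=biws,r={combined}"
    return ",".join([client_first_bare, server_first, client_final_without_proof]).encode()


def client_proof(password: str, salt: bytes, iterations: int,
                 auth_message: bytes) -> Tuple[bytes, bytes]:
    """Client side. Returns (ClientProof, ServerSignature the client expects back)."""
    salted = hi(password.encode(), salt, iterations)
    client_key = mac(salted, b"Client Key")
    client_sig = mac(h(client_key), auth_message)      # HMAC(StoredKey, AuthMessage)
    server_key = mac(salted, b"Server Key")
    return xor(client_key, client_sig), mac(server_key, auth_message)


def server_verify(cred: StoredCredential, auth_message: bytes,
                  proof: bytes) -> Optional[bytes]:
    """Server side. Recovers ClientKey = ClientProof XOR ClientSignature and checks
    H(ClientKey) == StoredKey. Returns ServerSignature on success, None on failure."""
    client_sig = mac(cred.stored_key, auth_message)
    client_key = xor(proof, client_sig)
    if not hmac.compare_digest(h(client_key), cred.stored_key):
        return None
    return mac(cred.server_key, auth_message)


def run_exchange(password_at_server: str, password_at_client: str) -> bool:
    """Full round trip with constructed sample values; True only if both the
    client proof and the server signature verify."""
    cred = enroll(password_at_server, b"constructed-salt-value")   # constructed salt
    auth_message = build_auth_message("user", "clientNonce-constructed",
                                      "serverNonce-constructed",
                                      cred.salt, cred.iterations)
    proof, expected_sig = client_proof(password_at_client, cred.salt,
                                       cred.iterations, auth_message)
    server_sig = server_verify(cred, auth_message, proof)
    return server_sig is not None and hmac.compare_digest(server_sig, expected_sig)


if __name__ == "__main__":
    print("matching password:", run_exchange("pencil", "pencil"))
    print("wrong password:   ", run_exchange("pencil", "pencils"))
```

The server never sees the password or ClientKey in the clear: it only learns ClientProof, from which ClientKey can be recovered solely by someone who already holds StoredKey, which is why a leaked credential table lets an attacker impersonate the server but not the client without a further dictionary attack on Hi(). The iteration count and the per-user salt govern the cost of that attack, which is the part of RFC 5802's security considerations the reviewer notes still applies unchanged to the SHA-256 variant.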