Re: [vwrap] authentication : remove reference to MD5

Meadhbh Hamrick <ohmeadhbh@gmail.com> Tue, 06 April 2010 18:34 UTC

i don't think we're proposing using digital signatures in the
authentication draft.

i would also point out that "simply adding a VWRAP compatibility
layer" would introduce non-zero engineering costs to both LL and the
OpenSim community. but what is worse, is that it would stray from our
charter.

the objective of this group is, if you will recall, to make standards
for interoperability between hosts that implement a type of virtual
experience we sometimes refer to as "second lifelike." it's not SL,
but something with a similar architecture. it is NOT a compatibility
layer for arbitrary virtual world protocols. we tried that with MMOX,
it did not work.

VWRAP != MMOX.

what i am mostly concerned about is, that if we don't have an idea for
how close we wish to stick to existing implementations, there's no
telling where we'll wind up.

-cheers
-meadhbh
--
meadhbh hamrick * it's pronounced "maeve"
@OhMeadhbh * http://meadhbh.org/ * OhMeadhbh@gmail.com



On Tue, Apr 6, 2010 at 11:07 AM, Richard Barnes <rbarnes@bbn.com> wrote:
>>> okay.
>>>
>>> if we're going to remove VWRAP from all current implementations,
>>
>> What does that mean? I thought we were trying to build VWRAP into
>> implementations, not rip it out. :)
>
> Right, I think the right approach is to think about adding a "VWRAP
> compatibility layer" to existing implementations, and keeping that layer as
> simple as possible (but no simpler!).
>
> That raises the question of where changing hashes falls w.r.t. simplicity.
>  It might seem like you would want to keep MD5 so that the compatibility
> layer wouldn't have to re-hash things.  However, it already seems like
> there's going to be a need for the compatibility layer to translate names,
> which will (presumably) break signatures already.  So since there's already
> need to re-hash, it's not a big deal to re-hash with a different hash
> function.
>
> --Richard
>
>>> i
>>> vote we remove MD5 from the auth spec and replace it with a MIC with
>>> better security properties, like SHA224 or SHA256.
>>
>> +1 to more secure authentication.
>>
>> My quick reading of the authentication draft led me to think that it
>> needed a thorough review, but unfortunately I haven't had time to do
>> that yet.
>>
>> Peter
>>
>> --
>> Peter Saint-Andre
>> https://stpeter.im/