[xmpp] RFC3920: SCRAM is an incomplete mechanism name
Jehan Pagès <jehan.marmottard@gmail.com> Sat, 19 June 2010 20:01 UTC
Date: Sun, 20 Jun 2010 05:01:26 +0900
Message-ID: <AANLkTikXqJcDqchHARrCgR5CF1ZfTNHu3Hy19lyYso6E@mail.gmail.com>
From: Jehan Pagès <jehan.marmottard@gmail.com>
To: XMPP <xmpp@ietf.org>
Hi,

sorry I didn't take enough time lately for reviewing the whole latest draft. Still I have at least a remark about section "13.8. Mandatory-to-Implement Technologies": the preferred mechanism « the SASL Salted Challenge Response mechanism [SCRAM] » is not a full mechanism name. It needs the underlying hash function. Cf. section 4 of the SCRAM draft ( http://tools.ietf.org/html/draft-ietf-sasl-scram-11#section-4 ):

« A SCRAM mechanism name is a string "SCRAM-" followed by the uppercased name of the underlying hash function taken from the IANA "Hash Function Textual Names" registry (see http://www.iana.org), optionally followed by the suffix "-PLUS" (see below). »

This is as though we had said that "DIGEST" was our preferred mechanism at the time DIGEST-MD5 was in the XMPP RFC. This is inexact and too imprecise.

Of course we could say "any SCRAM mechanism", but if this is the case, our text should be re-worded this way, because right now it looks like an XMPP server could advertise a mechanism simply named "SCRAM", which does not exist by itself. Yet I don't think such a decision is the best option as it leaves too many possibilities (there are like dozens of hash algorithms). We should probably choose at least one preferred hash function to be used inside SCRAM to make our preferred mechanism (eventually adding that any additional SCRAM mechanism can be considered but not preferred).

What do you think of it? This point has never been raised on the list (I must admit I don't read everything)?

Jehan

P.S.: note that the SCRAM draft asks all SCRAM implementations to implement at least SCRAM-SHA1 for interoperability, though we could still decide for another one to be our "preferred" (like at least using an algorithm of the SHA-2 family, or maybe SCRAM-MD5).
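The naming rule quoted from section 4 of the SCRAM draft (SCRAM-&lt;HASH&gt;, optionally -PLUS) is mechanical enough to check in code. The following is an added example written for this page, not code from the draft, from RFC 3920bis or from any XMPP implementation: it parses the SASL mechanism list a server advertises in its stream features, rejects a bare "SCRAM" as malformed exactly as the message argues, and picks the strongest well-formed SCRAM variant. The set of hash names and the preference order are assumptions of this example (a SHA-family subset, not the full IANA "Hash Function Textual Names" registry), and the stream-features snippet is constructed sample input.

```python
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Assumption for this example: a SHA-family subset of the IANA
# "Hash Function Textual Names" registry. A real client would take
# the list from the registry, not hard-code it here.
SCRAM_HASHES = {"SHA-1", "SHA-224", "SHA-256", "SHA-384", "SHA-512"}

# Preference order used to choose a mechanism (strongest first).
# This ordering is a choice of this example, not something the draft mandates.
HASH_PREFERENCE = ["SHA-512", "SHA-384", "SHA-256", "SHA-224", "SHA-1"]


def parse_scram_name(name):
    """Return (hash_name, channel_binding) for a well-formed SCRAM mechanism
    name per section 4 of the SCRAM draft, or None otherwise.

    A bare "SCRAM" has no hash suffix and is therefore not a mechanism name.
    The comparison is case-sensitive: the draft requires the uppercased name.
    """
    prefix = "SCRAM-"
    if not name.startswith(prefix):
        return None
    rest = name[len(prefix):]
    plus = rest.endswith("-PLUS")
    if plus:
        rest = rest[:-len("-PLUS")]
    if rest not in SCRAM_HASHES:
        return None
    return rest, plus


def advertised_mechanisms(features_xml):
    """Extract the <mechanism> names from a <stream:features> element."""
    root = ET.fromstring(features_xml)
    return [m.text.strip() for m in root.iter("{%s}mechanism" % SASL_NS) if m.text]


def choose_scram(mechanisms, channel_binding_available=False):
    """Pick the strongest well-formed SCRAM mechanism from the advertised list.

    Returns (chosen_name or None, list of malformed SCRAM-like names).
    -PLUS variants are only eligible when the client can provide TLS channel
    binding; non-SCRAM mechanisms (PLAIN, DIGEST-MD5, ...) are ignored here.
    """
    malformed = []
    candidates = []
    for name in mechanisms:
        parsed = parse_scram_name(name)
        if parsed is None:
            if name.upper().startswith("SCRAM"):
                malformed.append(name)
            continue
        hash_name, plus = parsed
        if plus and not channel_binding_available:
            continue
        rank = (HASH_PREFERENCE.index(hash_name), 0 if plus else 1)
        candidates.append((rank, name))
    if not candidates:
        return None, malformed
    return min(candidates)[1], malformed


# Constructed sample input: a server that advertises the non-existent
# "SCRAM" next to real mechanism names.
SAMPLE_FEATURES = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>SCRAM</mechanism>
    <mechanism>SCRAM-SHA-1</mechanism>
    <mechanism>SCRAM-SHA-1-PLUS</mechanism>
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""


if __name__ == "__main__":
    mechs = advertised_mechanisms(SAMPLE_FEATURES)
    for cb in (False, True):
        chosen, bad = choose_scram(mechs, channel_binding_available=cb)
        print("channel binding=%s -> chosen=%s, malformed=%s" % (cb, chosen, bad))
```

Running it shows that "SCRAM" is reported as malformed in both cases, SCRAM-SHA-1 is chosen without channel binding and SCRAM-SHA-1-PLUS with it; a client that accepted the bare name as if it were a mechanism would have nothing to negotiate.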
- [xmpp] RFC3920: SCRAM is an incomplete mechanism … Jehan Pagès
- Re: [xmpp] RFC3920: SCRAM is an incomplete mechan… Waqas Hussain
- Re: [xmpp] RFC3920: SCRAM is an incomplete mechan… Jehan Pagès
- Re: [xmpp] RFC3920: SCRAM is an incomplete mechan… Florian Zeitz
- Re: [xmpp] RFC3920: SCRAM is an incomplete mechan… Jehan Pagès
- Re: [xmpp] RFC3920: SCRAM is an incomplete mechan… Simon Josefsson
- Re: [xmpp] RFC3920: SCRAM is an incomplete mechan… Peter Saint-Andre
- Re: [xmpp] RFC3920: SCRAM is an incomplete mechan… Simon Josefsson
- Re: [xmpp] RFC3920: SCRAM is an incomplete mechan… Alexey Melnikov
- Re: [xmpp] RFC3920: SCRAM is an incomplete mechan… Peter Saint-Andre