[Standards] IETF SASL WG meeting
Dave Cridland
dave at cridland.net
Mon Dec 10 10:18:08 CST 2007
On Fri Dec 7 00:36:04 2007, Peter Saint-Andre wrote:
> Dave Cridland wrote:
> > Just a quick note on the just-ended SASL WG meeting at IETF70, which I
> > listened to and read through on the chatroom. Of importance to XMPP/XSF:
> >
> > DIGEST-MD5 is likely to be made historic soon - the document will be
> > going to working group last call very shortly. This is okay, I think as...
>
> I don't think we have strenuous objections from the XMPP community,
> though I wish we'd known back in ~2003 that it would be deprecated....
>
There being no interoperable standard for crystal balls, I don't
think this could have been avoided.
> > SCRAM is looking near completion,
> That is:
>
> http://www.tools.ietf.org/html/draft-newman-auth-scram-04
>
>
Indeed.
> > however there is a significant
> > proportion of the WG which would like to see it as a GS2 (ie, GSSAPI)
> > mechanism, exposed through SASL. I'm personally a little nervous about
> > this, I'm thinking in particular that this may cause additional
> > implementation complexity. If you have a strong opinion either way, you
> > may wish to join the WG and make your feelings known.
>
> I'm not knowledgeable enough to have strong feelings yet, though
> naturally I prefer to minimize complexity. :)
>
Well, I'm told it can be done by wrapping (or possibly simply
prepending) the messaging with some gunk, which'll then magically
transform it into GS2-XYZ, where XYZ is a partial hash of the
mechanism's OID represented in DER. (The name is fixed, it's just
really ugly).
> > There was also a discussion about legacy authentication mechanisms, and,
> > in particular, how clients ought to choose between (for example) a
> > legacy plaintext mechanism like XEP-0078 and SASL PLAIN. The consensus
> > seemed to be that it's up to the protocol to tell clients what to do. I
> > think XEP-0078 covers us for this - it clearly states it's deprecated -
> > but we may want to review that and double-check.
>
> I didn't see that in the logs.
>
A lot of it was barely audible on the audio stream, either, due to
people not understanding that people need to speak into the
microphone. It's mentioned as "legacy protocol" occasionally, and
relates mostly to IMAP LOGIN and LDAP's Simple Bind, and whether IMAP
clients should favour IMAP's in-built LOGIN over AUTHENTICATE PLAIN,
and similarly LDAP's Simple Bind over a SASL Bind with PLAIN.
As I say, I think we're already covered by this - in particular,
conformant XMPP clients should be using SASL PLAIN over XEP-0078.
> > Finally, I had an interesting chat with Nico Williams on channel
> > binding, which might help people understand that area of security a
> > little better. It's at the end of the logs, which I can't quite recall a
> > URL for, but I'll dig one out if anyone wants it.
>
> Any chance that someone will write up the results of that exchange into
> more readable text? Perhaps rfc5056bis is already on the way? ;-)
Maybe http://blog.dave.cridland.net/?p=43 might help. Or maybe it
won't.
Dave.
--
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
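The GS2 naming rule Dave sketches above, worked through as an added example (not code from this thread, nor from any implementation the thread mentions): per RFC 5801 the SASL name is "GS2-" plus the base32 encoding of the first 55 bits of the SHA-1 hash of the mechanism OID's DER encoding, with "-PLUS" appended for the channel-binding variant. The only value assumed is the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2.

```python
import base64
import hashlib


def der_encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER given in dotted form ("1.2.840...")."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID: %s" % dotted)
    # The first two arcs are packed into a single sub-identifier.
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    body = bytearray()
    for subid in subids:
        # Base-128, big-endian, high bit set on every octet but the last.
        chunks = [subid & 0x7F]
        subid >>= 7
        while subid:
            chunks.append(0x80 | (subid & 0x7F))
            subid >>= 7
        body.extend(reversed(chunks))
    if len(body) > 127:
        raise ValueError("OID too long for short-form DER length")
    return bytes([0x06, len(body)]) + bytes(body)


def gs2_mechanism_name(oid: str, channel_binding: bool = False) -> str:
    """Derive the GS2-* SASL name for a GSS-API mechanism OID (RFC 5801).

    The name is "GS2-" followed by the base32 encoding of the first 55 bits
    of SHA-1(DER(oid)). 55 bits is exactly 11 base32 characters, so encode
    the first 7 bytes (56 bits) and drop the 12th character and the padding.
    """
    digest = hashlib.sha1(der_encode_oid(oid)).digest()
    b32 = base64.b32encode(digest[:7]).decode("ascii")  # 12 chars + "===="
    name = "GS2-" + b32[:11]
    # "-PLUS" marks the variant that carries channel binding.
    return name + "-PLUS" if channel_binding else name


if __name__ == "__main__":
    # Kerberos V5 mechanism OID. IANA registers the friendlier alias
    # "GS2-KRB5" for it; a mechanism without such a registration has to
    # advertise the derived (ugly, but fixed) name computed here.
    KRB5_OID = "1.2.840.113554.1.2.2"
    print(der_encode_oid(KRB5_OID).hex())
    print(gs2_mechanism_name(KRB5_OID))
    print(gs2_mechanism_name(KRB5_OID, channel_binding=True))
```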