On Fri Dec 7 00:36:04 2007, Peter Saint-Andre wrote:
> Dave Cridland wrote:
> > Just a quick note on the just-ended SASL WG meeting at IETF70, which I
> > listened to and read through on the chatroom. Of importance to XMPP/XSF:
> >
> > DIGEST-MD5 is likely to be made historic soon - the document will be
> > going to working group last call very shortly. This is okay, I think as...
>
> I don't think we have strenuous objections from the XMPP community,
> though I wish we'd known back in ~2003 that it would be deprecated....

There being no interoperable standard for crystal balls, I don't
think this could have been avoided.

> > SCRAM is looking near completion,
>
> That is:
>
> http://www.tools.ietf.org/html/draft-newman-auth-scram-04

Indeed.

> > however there is a significant
> > proportion of the WG which would like to see it as a GS2 (ie, GSSAPI)
> > mechanism, exposed through SASL. I'm personally a little nervous about
> > this, I'm thinking in particular that this may cause additional
> > implementation complexity. If you have a strong opinion either way, you
> > may wish to join the WG and make your feelings known.
>
> I'm not knowledgeable enough to have strong feelings yet, though
> naturally I prefer to minimize complexity. :)

Well, I'm told it can be done by wrapping (or possibly simply
prepending) the messaging with some gunk, which'll then magically
transform it into GS2-XYZ, where XYZ is a partial hash of the
mechanism's OID represented in DER. (The name is fixed, it's just
really ugly).

> > There was also a discussion about legacy authentication mechanisms, and,
> > in particular, how clients ought to choose between (for example) a
> > legacy plaintext mechanism like XEP-0078 and SASL PLAIN. The consensus
> > seemed to be that it's up to the protocol to tell clients what to do. I
> > think XEP-0078 covers us for this - it clearly states it's deprecated -
> > but we may want to review that and double-check.
>
> I didn't see that in the logs.

A lot of it was barely audible on the audio stream, either, due to
people not understanding that people need to speak into the
microphone. It's mentioned as "legacy protocol" occasionally, and
relates mostly to IMAP LOGIN and LDAP's Simple Bind, and whether IMAP
clients should favour IMAP's in-built LOGIN over AUTHENTICATE PLAIN,
and similarly LDAP's Simple Bind over a SASL Bind with PLAIN.

As I say, I think we're already covered by this - in particular,
conformant XMPP clients should be using SASL PLAIN over XEP-0078.

> > Finally, I had an interesting chat with Nico Williams on channel
> > binding, which might help people understand that area of security a
> > little better. It's at the end of the logs, which I can't quite recall a
> > URL for, but I'll dig one out if anyone wants it.
>
> Any chance that someone will write up the results of that exchange into
> more readable text? Perhaps rfc5056bis is already on the way? ;-)

Maybe http://blog.dave.cridland.net/?p=43 might help. Or maybe it
won't.
Dave.
--
Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED]
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
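The "GS2-XYZ" naming and the "gunk" prepended to the first message that the thread mentions are concrete enough to show in code. The following is an added example, not code from the thread or from any IETF document: it derives the mechanism name the way RFC 5801 (published in 2010, after this thread) specifies, namely "GS2-" plus the upper-case Base32 encoding of the first 55 bits of the SHA-1 hash of the mechanism OID in DER, and it builds the GS2 header (channel-binding flag, optional authorization identity) that gets prepended to the first client token. The 2007 draft under discussion may have differed in detail, so treat the exact rule as an assumption about the later RFC, not as what the WG had in hand at the time. The OIDs used are real GSS-API mechanism OIDs (Kerberos V5 and SPNEGO), but the names computed for them are illustrative only; Kerberos, for instance, has the assigned name GS2-KRB5 rather than a hash-derived one.

```python
"""Derive a GS2 SASL mechanism name from a GSS-API mechanism OID and build
the GS2 header.  Added illustration following RFC 5801 section 3.1 and 4;
not the thread's own code, and the draft discussed in 2007 may have differed."""
import hashlib

# RFC 4648 Base32 alphabet (upper case), used without padding here
_B32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def der_encode_oid(oid: str) -> bytes:
    """DER-encode a dotted OID string: tag 0x06, short-form length, then
    base-128 sub-identifiers with the continuation bit on all but the last
    octet.  The first two arcs are folded into one sub-identifier (40*a + b)."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID: {oid}")
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    body = bytearray()
    for sid in subids:
        chunks = []
        while True:                      # split into 7-bit groups, LSB first
            chunks.append(sid & 0x7F)
            sid >>= 7
            if sid == 0:
                break
        for i, c in enumerate(reversed(chunks)):
            last = i == len(chunks) - 1
            body.append(c | (0 if last else 0x80))
    if len(body) > 127:
        raise ValueError("long-form length not needed for mechanism OIDs")
    return bytes([0x06, len(body)]) + bytes(body)


def gs2_mechanism_name(oid: str, channel_binding: bool = False) -> str:
    """'GS2-' + Base32 of the first 55 bits of SHA-1(DER(oid)); 55 bits is
    exactly 11 Base32 symbols, so no padding.  '-PLUS' marks the variant
    that carries channel binding data (assumption: RFC 5801 rule)."""
    digest = hashlib.sha1(der_encode_oid(oid)).digest()
    # 7 octets = 56 bits; drop the lowest bit to keep the leading 55
    top55 = int.from_bytes(digest[:7], "big") >> 1
    symbols = "".join(_B32_ALPHABET[(top55 >> (5 * (10 - i))) & 0x1F]
                      for i in range(11))
    name = "GS2-" + symbols
    return name + "-PLUS" if channel_binding else name


def gs2_header(cb_flag: str, cb_name: str = None, authzid: str = None) -> str:
    """The header prepended to the first client message.  cb_flag is 'n'
    (client does not support channel binding), 'y' (supports it but the
    server offered no -PLUS mechanism) or 'p' (using channel binding type
    cb_name).  An optional 'a=' authorization identity follows."""
    if cb_flag == "p":
        if not cb_name:
            raise ValueError("cb_name required when cb_flag is 'p'")
        flag = f"p={cb_name}"
    elif cb_flag in ("n", "y"):
        flag = cb_flag
    else:
        raise ValueError(f"bad cb_flag {cb_flag!r}")
    # saslname escaping: ',' and '=' must be encoded in the authzid
    az = "" if authzid is None else "a=" + authzid.replace("=", "=3D").replace(",", "=2C")
    return f"{flag},{az},"


if __name__ == "__main__":
    for label, oid in (("Kerberos V5", "1.2.840.113554.1.2.2"),
                       ("SPNEGO", "1.3.6.1.5.5.2")):
        print(label, der_encode_oid(oid).hex(), gs2_mechanism_name(oid),
              gs2_mechanism_name(oid, channel_binding=True))
    print(repr(gs2_header("p", "tls-unique", "user@example.org")))
```

Run it directly to see the DER bytes and both name variants for each OID; the point to take from it is that the ugly name is purely a function of the OID, so two implementations that DER-encode the OID correctly will always agree on it without any registry lookup, while the header string is what actually changes on the wire when a mechanism is "wrapped" for GS2.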