sasl@conference.ietf.jabber.com - 2003/03/20


[08:45] %% logger has arrived.
[14:07] %% kmurchison has arrived.
[14:09] %% hartmans has arrived.
[14:15] %% mrose has arrived.
[14:17] <hartmans> If people think it would be useful then someone should agree to subscribe for jabber.
[14:18] <mrose> that would be great, thanks!
[14:18] <hartmans> Although right now it seems like we have rather limited attendance via jabber
[14:22] %% rjs3 has arrived.
[14:23] <rjs3> I suppose I can scribe for jabber
[14:23] <mrose> thanks!
[14:23] <rjs3> Base Document: Not very controversial, especially with the i18n stuff punted to the mechs and the profiles
[14:24] <rjs3> hartmans: Unclear that the security considerations will pass
[14:24] %% jhutz has arrived.
[14:26] <jhutz> Sam, if you want I will try to give the security considerations section a once-over on the trip home
[14:26] <rjs3> Kurt: I think it's clear that John doesn't have enough time for this, sam and I will chat about getting a new editor
[14:26] <rjs3> (will get back to the mailing list quickly)
[14:27] <rjs3> next agenda item: anonymous last call
[14:27] <rjs3> a few issues were raised re: it is missing some features that some people might like (e.g. realms).
[14:27] <rjs3> we should add more text to explain those features aren't there and the traceback info is NOT for any real use
[14:28] <rjs3> Despite this document's readiness we probably will wait for other documents before sending to IESG
[14:28] <rjs3> PLAIN/SASLprep issues
[14:28] <rjs3> Kurt: Not too contentious, only needs addition of the saslprep profile
[14:28] <rjs3> we probably want a little more review of this
[14:29] <rjs3> other issues?
[14:29] %% leg has arrived.
[14:29] <rjs3> Chris newman: it would be nice if the stringprep profile had information as to how it varies from nameprep
[14:30] <rjs3> kurt: they differ because nameprep only deals with the tokens of the name (prohibits dots and ats), and is more restrictive on allowed characters in identifiers, and is case insensitive
[14:30] <rjs3> chris: this should be pointed out in the draft
[14:31] <rjs3> larry: we should definitely give specific instructions in the draft
[14:31] <hartmans> who is speaking?
[14:31] <rjs3> chris newman
[14:31] <rjs3> previous speaker was larry greenfield
[14:33] <rjs3> continued discussion on applicability of various profiles
[14:35] <rjs3> kurt: with stringprep all we want is that matching will work, we don't want to specify specific formats
[14:35] <rjs3> larry: we want to avoid different preparations for each of the strings in the PLAIN response
[14:36] <rjs3> discussion to be continued on the list
[14:36] <rjs3> (or at the bar)
[14:36] <rjs3> Other issue with SASLprep: the profile is similar to what the Kerberos WG has as a profile.
[14:36] <rjs3> we should look at if we can share one profile instead of using two
[14:37] %% hildjj has arrived.
[14:37] <rjs3> Moving on to DIGEST-MD5
[14:38] <rjs3> (alexey is gathering notes, back to plain for a sec)
[14:38] <rjs3> kurt: one thing with this draft is that all preparation is happening on the server side
[14:38] <rjs3> larry: this only works for plain
[14:39] <rjs3> jeff: now there are clients which need to determine when they do stringprep (based on mech)
[14:39] <rjs3> larry: really, this just results in everyone doing stringprep everywhere
[14:39] <rjs3> Ok, on to DIGEST-MD5 for real
[14:39] <rjs3> 3 issues:
[14:39] <rjs3> (1) do we want to put AES cipher document in with the main document?
[14:40] <rjs3> (2) should we drop DES and 3DES and replace CBC mode to fix that attack
[14:40] <rjs3> (3) DES interop hasn't been so goo
[14:40] <rjs3> er, good
[14:41] <rjs3> (discussion about [2])
[14:42] <rjs3> (argument against deprecating) this is relatively easy to fix, so we need a better reason than the attacks
[14:43] <rjs3> hartmans: given that we lack interop, and there are problems with the cipher, it's not unreasonable to just drop the cipher
[14:44] %% rlbob has arrived.
[14:44] <hartmans> I hope someone else caught that.
[14:45] <rjs3> Basically, it's not much more work to specify both a working DES and 3DES implementation as long as we're specifying AES anyway
[14:47] <rjs3> hartmans: I don't think we should work on DES if none of the vendors are interested.
[14:48] <rjs3> kurt: we need expert review of security issues of existing specification ("is it broken or not")
[14:48] %% wcw has arrived.
[14:49] <rjs3> Chris Allen: 3DES and DES are well understood and often attacked, so we understand what tweaks are needed. AES hasn't had nearly the exposure to the real world.
[14:50] <rjs3> additionally, using DES gives us the advantage of work done by the rest of the IETF which is using DES
[14:50] <rjs3> Chris Newman: proposal: if 3des can be fixed, we leave it in the spec with whatever implementation guidance it needs. Deprecate DES, and make RC4 mandatory to implement.
[14:51] <rjs3> is RC4 in DIGEST vulnerable to standard attacks (we don't know)
[14:51] <rjs3> hartmans: we need to evaluate the security of RC4 before we can make it mandatory to implement
[14:52] <rjs3> hartmans is willing to take the security evaluation as an action item
[14:52] <rjs3> Eric will also volunteer to do the analysis
[14:53] %% warlord has arrived.
[14:53] %% harumph has arrived.
[14:53] <rjs3> is anyone interested in implementing a new 3DES mode? (not really)
[14:54] <rjs3> (if it is specified and not mandatory to implement) (not really)
[14:54] <rjs3> otherwise, alexey needs to add saslprep to the document and it should be ready to last call
[14:54] <rjs3> (saslprep changes are obviously independent of the security reviews)
[14:55] <rjs3> CRAM-MD5
[14:55] <rjs3> Alexey Again. It basically requires adding saslprep and it is done, but Lyndon needs text/help.
[14:55] <rjs3> alexey will send the digest text to lyndon to use as a base
[14:56] <rjs3> otherwise basically ready for last call
[14:56] <rjs3> GSSAPI
[14:56] <rjs3> Alexey yet again.
[14:56] <rjs3> Old draft expired. there was a proposal to split base32 to a separate document
[14:56] <rjs3> otherwise it should be ready. yes, both documents exist
[14:57] <rjs3> alexey can take care of getting this stuff done. We need to choose a new editor here (kurt and sam will talk to people after)
[14:58] <leg> document is draft-josefsson-base-encoding-04.txt
[14:59] <rjs3> no other issues with GSSAPI document. but it needs some review anyway
[14:59] <rjs3> We will last call it, but it will be a 4 week last call
[14:59] <rjs3> Individual Submissions.
[15:00] <rjs3> Alexey once more.
[15:00] <leg> alexey likes talking
[15:00] <rjs3> Had a recent discussion with authors of SRP document, and they'd like to last call it after adding stringprep. It should be reviewed within the WG.
[15:01] <rjs3> The authors should post the draft to the mailing list to get the review done
[15:02] <rjs3> Alexey is maintaining a web page about various implementations. Got a request about CRAM-SHA1 mechanism. We might want to think about documenting it as Informational.
[15:02] <rjs3> Shouldn't be a WG item, but we will review it if they ask
[15:03] <rjs3> Larry: we shouldn't encourage this because it gains you nothing over CRAM-MD5.
[15:03] <rjs3> Kurt: there should be an applicability statement
[15:03] <rjs3> Kurt: let's see what they come up with and we'll be willing to look at it
[15:04] <leg> and alexey better not help them
[15:04] <rjs3> Also co-authoring SASL C API draft. I can post a list of open issues to a list.
[15:04] <rjs3> Find alexey or send him email if you're interested
[15:05] <rjs3> Kurt: feel free to use the WG's list to discuss the API. if it becomes troublesome we'll stop you
[15:05] <rjs3> SASL HTTP document. A few comments were posted on latest revision that I didn't have time to reply to.
[15:05] <rjs3> (alexey) is willing to discuss it with people afterwards
[15:05] <rjs3> Any other IDs?
[15:06] <rjs3> Open Mic.
[15:06] <rjs3> That's all for the WG business.
[15:06] <rjs3> We should be done with most things by vienna if we stay on the ball
[15:06] <rjs3> Go get some cookies
[15:08] <mrose> many thanks for the scribing
[15:09] %% harumph has left.
[15:10] %% hildjj has left.
[15:14] %% kmurchison has left.
[15:17] %% kmurchison has arrived.
[15:17] %% kmurchison has left.
[15:18] %% leg has left.
[15:25] %% warlord has left.
[15:29] %% mrose has left.
[15:32] %% rjs3 has left.
[15:49] %% wcw has left.
[15:54] %% hartmans has left.
[16:15] %% jhutz has left.
[16:23] %% rlbob has left.
[16:45] %% leg has arrived.
[16:45] %% leg has left.
[18:07] %% rlbob has arrived.
[18:07] %% rlbob has left.