Last Modified: 2005-02-24
|Done||Submit revised SASL (+ EXTERNAL) I-D|
|Done||Submit revised SASL ANONYMOUS I-D|
|Done||Submit revised SASL PLAIN I-D|
|Done||Submit revised SASL CRAM-MD5 I-D|
|Done||Submit revised SASL DIGEST-MD5 I-D|
|Done||Submit revised SASL GSSAPI I-D|
|May 05||Submit SASL (+ EXTERNAL) to the IESG for consideration as a Proposed Standard|
|Jun 05||Submit CRAM-MD5 to IESG for consideration as a Proposed Standard|
|Jul 05||Submit DIGEST-MD5 to IESG for consideration as a Proposed Standard|
|Aug 05||Submit GSSAPI to IESG for consideration as a Proposed Standard|
|Oct 05||Provide implementation report plan (with milestones)|
|Nov 05||Revise charter or conclude|
March 8, 2005
Tom Yu <email@example.com>
Kurt Zeilenga <Kurt@OpenLDAP.org>
* 2222bis needs work and review. May 2005 is considered firm deadline.
* SASLprep is now rfc4013.
* ANON has been approved.
* PLAIN needs minor work on clarity issues.
* CRAM-MD5/DIGEST need review
* GSS expired; need new draft.
Kurt Zeilenga initiated discussion regarding PLAIN. The existing draft is overspecified in some places; there is a desire to not mandate internal representations of identities. The existing pseudocod could be interpreted as prescriptive, despite intent to the contrary. There is some confusion as to whether the mechanism or the application performs identity derivation. Additional discussion to occur on the list.
Kurt recapped the status of rfc2222bis. The document needs additional review. Issues remain regarding identity concepts and terminology, and interfaces between application, mechanism, and implementation need to be clarified. Alexey has expressed a desire for specific text and comments. Kurt will spend more time as a contributor in order to speed progress.
The current WG milestone for rfc2222bis is in May of 2005. Kurt proposes a timeline of:
* March - write changes
* April - WG review, WG last call
* May - submit to IESG
PLAIN will be revised next week
CRAM-MD5 -- about 5 people reviewed it; about 2 people feel that it is ready. Nobody felt that it had outstanding issues. It should be ready to last-call soon.
DIGEST -- needs work. About 2 people have reviewed it. Nobody felt that it was ready to progress yet. DIGEST issues will be brought up on list.
David Perkins brought up an issue about the ISMS effort discovering that EAP is in appropriate for their work. They are considering SASL, but need a means of keying the encryption of UDP traffic. Some discussion ensued about two possible approaches: the proposed GSSAPI extension approach of exporting key data, and the SSH approach of performing a protected key agreement underneath an authenticated security layer.
Some discussion ensued about details of DIGEST. Philip Guenther asked if the current definition in the draft has anything in common with the original. Some interest in starting over from scratch. Chris Newman notes that the original intent of DIGEST was to allow hash-based authentication methods across different applications to share a database with HTTP. Phil says that there appears to be a non-intersection of required functionality between the old DIGEST and the new spec.
Sam points out that in practice nobody implemented the old DIGEST correctly, as it wasn't possible to be both secure and conforming to the old specification. Implementations of the old specification are compatible with the new protocol, though. Similar problems have arisen in the Kerberos and Kitten spaces.
* CRAM-MD5 - WG last call
* DIGEST - bring issues to list
* PLAIN - week of Mar 14 - changes written - Kurt
* GSS - week of Mar 14 - new draft - Alexey
* rfc2222bis - Mar 2005 - changes written - Kurt
* rfc2222bis - Apr 2005 - review/WG last call
* rfc2222bis - May 2005 - submit to IESG