2.6.14 Simple Authentication and Security Layer (sasl)

NOTE: This charter is a snapshot of the 62nd IETF Meeting in Minneapolis, MN USA. It may now be out-of-date.

Last Modified: 2005-02-24


Tom Yu <tlyu@mit.edu>
Kurt Zeilenga <kurt@openLDAP.org>

Security Area Director(s):

Russell Housley <housley@vigilsec.com>
Sam Hartman <hartmans-ietf@mit.edu>

Security Area Advisor:

Sam Hartman <hartmans-ietf@mit.edu>

Mailing Lists:

General Discussion: ietf-sasl@imc.org
To Subscribe: ietf-sasl-request@imc.org
In Body: subscribe
Archive: http://www.imc.org/ietf-sasl/mail-archive/

Description of Working Group:

The Simple Authentication and Security Layer [RFC2222] provides key
security services to a number of application protocols including BEEP,
IMAP, LDAP, POP, and SMTP. The purpose of this working group is to
shepherd SASL, including select SASL mechanisms, through the Internet
Standards process.

This group will deliver a revised SASL Technical Specification
suitable for consideration as a Draft Standard. This work will be
based upon RFC 2222 and draft-myers-saslrev.

This group will deliver revised Technical Specifications suitable for
consideration as Draft Standards for the following SASL mechanisms:
be based upon RFC 2195, RFC 2222, RFC 2831, draft-zeilenga-sasl-anon,
draft-zeilenga-sasl-plain, draft-nerenberg-sasl-crammd5 and
draft-melnikov-rfc2831bis, and draft-myers-saslrev-xx.txt.

This group will deliver a revised Technical Specification suitable for
publication as Proposed Standard for the GSSAPI family of SASL
mechanisms. This work will be based upon RFC 2222 and

The following areas are not within the scope of work of this WG:

- new features,

- SASL Mechanisms not specifically mentioned above, and

- SASL "profiles".

However, the SASL WG is an acceptable forum for review of SASL-related
submissions produced by others as long as such review does not impede
progress on the WG objectives listed above.

Goals and Milestones:

Done  Submit revised SASL (+ EXTERNAL) I-D
Done  Submit revised SASL ANONYMOUS I-D
Done  Submit revised SASL PLAIN I-D
Done  Submit revised SASL CRAM-MD5 I-D
Done  Submit revised SASL DIGEST-MD5 I-D
Done  Submit revised SASL GSSAPI I-D
May 05  Submit SASL (+ EXTERNAL) to the IESG for consideration as a Proposed Standard
Jun 05  Submit CRAM-MD5 to IESG for consideration as a Proposed Standard
Jul 05  Submit DIGEST-MD5 to IESG for consideration as a Proposed Standard
Aug 05  Submit GSSAPI to IESG for consideration as a Proposed Standard
Oct 05  Provide implementation report plan (with milestones)
Nov 05  Revise charter or conclude


  • draft-ietf-sasl-anon-05.txt
  • draft-ietf-sasl-plain-07.txt
  • draft-ietf-sasl-rfc2831bis-04.txt
  • draft-ietf-sasl-saslprep-10.txt
  • draft-ietf-sasl-rfc2222bis-10.txt
  • draft-ietf-sasl-crammd5-04.txt

    No Request For Comments

    Current Meeting Report

    March 8, 2005

    Tom Yu <tlyu@mit.edu>
    Kurt Zeilenga <Kurt@OpenLDAP.org>


    Document status:

    * 2222bis needs work and review. May 2005 is considered firm deadline.

    * SASLprep is now rfc4013.

    * ANON has been approved.

    * PLAIN needs minor work on clarity issues.

    * CRAM-MD5/DIGEST need review

    * GSS expired; need new draft.

    Kurt Zeilenga initiated discussion regarding PLAIN. The existing draft is overspecified in some places; there is a desire to not mandate internal representations of identities. The existing pseudocod could be interpreted as prescriptive, despite intent to the contrary. There is some confusion as to whether the mechanism or the application performs identity derivation. Additional discussion to occur on the list.

    Kurt recapped the status of rfc2222bis. The document needs additional review. Issues remain regarding identity concepts and terminology, and interfaces between application, mechanism, and implementation need to be clarified. Alexey has expressed a desire for specific text and comments. Kurt will spend more time as a contributor in order to speed progress.

    The current WG milestone for rfc2222bis is in May of 2005. Kurt proposes a timeline of:

    * March - write changes

    * April - WG review, WG last call

    * May - submit to IESG

    PLAIN will be revised next week

    CRAM-MD5 -- about 5 people reviewed it; about 2 people feel that it is ready. Nobody felt that it had outstanding issues. It should be ready to last-call soon.

    DIGEST -- needs work. About 2 people have reviewed it. Nobody felt that it was ready to progress yet. DIGEST issues will be brought up on list.

    David Perkins brought up an issue about the ISMS effort discovering that EAP is in appropriate for their work. They are considering SASL, but need a means of keying the encryption of UDP traffic. Some discussion ensued about two possible approaches: the proposed GSSAPI extension approach of exporting key data, and the SSH approach of performing a protected key agreement underneath an authenticated security layer.

    Some discussion ensued about details of DIGEST. Philip Guenther asked if the current definition in the draft has anything in common with the original. Some interest in starting over from scratch. Chris Newman notes that the original intent of DIGEST was to allow hash-based authentication methods across different applications to share a database with HTTP. Phil says that there appears to be a non-intersection of required functionality between the old DIGEST and the new spec.

    Sam points out that in practice nobody implemented the old DIGEST correctly, as it wasn't possible to be both secure and conforming to the old specification. Implementations of the old specification are compatible with the new protocol, though. Similar problems have arisen in the Kerberos and Kitten spaces.


    action items:

    * CRAM-MD5 - WG last call
    * DIGEST - bring issues to list
    * PLAIN - week of Mar 14 - changes written - Kurt
    * GSS - week of Mar 14 - new draft - Alexey
    * rfc2222bis - Mar 2005 - changes written - Kurt
    * rfc2222bis - Apr 2005 - review/WG last call
    * rfc2222bis - May 2005 - submit to IESG


    None received.