Simple Authentication And Security Layer (SASL)
IETF75, Stockholm, Sweden
Monday, July 27, 15:20--17:20
=============================

Chairs: Tom Yu, Kurt Zeilenga
Scribe: Peter Saint-Andre

Jabber: http://jabber.ietf.org/logs/sasl/2009-07-27.txt
Audio: ftp://videolab.uoregon.edu/pub/videolab/media/ietf75/ietf75-mon-rm300-pm.mp3
Agenda slides: http://www.ietf.org/proceedings/75/slides/sasl-0.pdf
GS2 slide: http://www.ietf.org/proceedings/75/slides/sasl-1.pdf

====================

- draft-ietf-sasl-gs2-14 -- in WGLC
- draft-ietf-sasl-scram-02 -- in WGLC
- draft-ietf-sasl-4422bis-01 -- not much progress, mostly editorial changes
- draft-ietf-sasl-channel-bindings-03 -- some revisions, as a side effect of the SCRAM/GS2 discussion

SCRAM and GS2 are in WGLC (concluding Aug. 3); mostly editorial comments at this point.

Simon has a demo GS2 implementation. It might be useful to test native SCRAM against SCRAM-as-GS2.

Alexey presents some non-controversial changes to be made to SCRAM -- minor ABNF corrections, etc.

Some discussion about IANA considerations for SCRAM mechanism registration: are there problems if we specify the WG mailing list for reviewing? Probably not; the IESG can always designate an expert. Chris suggests writing guidance about assignments -- growth should be slow.

SASL base spec to Draft Standard: 4422bis needs a revised SASLprep. Kurt would revise SASLprep to use Unicode properties and thus be more independent of future Unicode revisions. Will 4422bis have a downref issue due to this? Pasi says that the downref may be acceptable because each mechanism must use SASLprep.

Drop EXTERNAL from the base spec? No consensus either way. Probably not a big deal; it could possibly get folded into Simon's external-channel draft. Tom will poll the list about moving EXTERNAL from the base spec to Simon's document.

Open mic:

Leif asks whether people have thought about a SASL mech for SAML for claims-based authentication. Peter Saint-Andre has talked with people in the XMPP community who have some interest in that area.

Simon asks about a possible OpenID mech.

Cyrus asks about SCRAM in HTTP. On Alexey's todo list; he's willing to review. Love mentions that HTTP-Negotiate with SCRAM will just work because SCRAM is also a GSSAPI mech.

Peter asks who really uses security layers (in real deployments). Chris won't implement security layers ever. Chris will attempt to implement channel bindings -- he believes they're important, but has concerns about the channel binding type negotiation. If there's an interop problem with channel bindings, he will drop them completely (and accept the degraded security properties).

Simon has heard that SCRAM doesn't have as good security properties as SRP. Any interest in doing SRP as a SASL mech?

Milestones:

- Mar 09 GS2 WGLC -- in progress
- Mar 09 SCRAM WGLC -- in progress
- Apr 09 decide CRAM-MD5 approach -- done; Tom will summarize to the list
- Jun 09 4422bis I-D -- initial revisions
- Oct 09 implementation report
- Oct 09 4422bis WGLC