From rick at openfortress.nl Wed Mar 25 06:38:10 2020
From: rick at openfortress.nl (Rick van Rein)
Date: Wed, 25 Mar 2020 11:38:10 +0100
Subject: PR #602 - Mechanism table update (for now, doc only proposal)
Message-ID: <5E7B3492.3030607@openfortress.nl>

Hello,

This is a note that I posted a Pull Request on Cyrus SASL. There are a few serious problems in the mechanism table, and I hope this makes it a bit more useful for users to decide on what mechanisms to use.

-Rick

In a few steps, I've revised the table of authentication mechanisms. This table was long overdue for such an update, I think.

I added columns for Post Quantum protection (which is not an issue for authentication until Quantum Computers actually arrive, unlike for encryption, but systems change slowly so this is a useful aspect to document).

I added a column for the current state according to the IANA registry of SASL mechanism names. I could not find anything on G2, and am wondering if it might be a misspelled GS2 name?

I have removed the remark about encryption from MAX SSF, as this is not considered of value in SASL anymore; it is mostly about authentication, not encryption. I updated the description to reference brute-force search space instead, and added a value for low password quality and many-rounds effort on low password quality. The term MAX SSF might suggest that the password quality can be 128 bit, however, which is one of many ways in which the whole MAX SSF notion is confusing and perhaps disinformation.

I edited the MAX SSF column, and am well aware that it is subjective. Still, it did not reflect reality at all -- Kerberos5 has long deprecated DES, EXTERNAL is usually based on strong crypto, and so on.

I tried to make separately rejectable/acceptable commits out of this. Please use that when you (dis)agree with (parts of) this proposal. Any of these updates would improve the table, IMHO.
From rick at openfortress.nl Wed Mar 25 06:44:26 2020
From: rick at openfortress.nl (Rick van Rein)
Date: Wed, 25 Mar 2020 11:44:26 +0100
Subject: IETF proposal on HTTP-SASL
Message-ID: <5E7B360A.1040908@openfortress.nl>

Hello,

I have worked on an extension proposal for HTTP with SASL, and will be presenting the work in IETF next Friday. This is an online presentation where I will try to convince the audience of its usefulness, without getting into all the details. You are of course welcome to join in.

Meeting info: https://datatracker.ietf.org/meeting/107/session/secdispatch
Slides: https://datatracker.ietf.org/doc/slides-107-secdispatch-http-sasl/
Draft: https://datatracker.ietf.org/doc/draft-vanrein-httpauth-sasl/

FYI, this could be combined with other work to support Realm Crossover through SASL: https://tools.ietf.org/html/draft-vanrein-diameter-sasl

Cheers,

-Rick