[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Comments on CRACK
> I think you're underestimating the problems of the mode-cfg/xauth
> flaws which have been extensively discussed here and in the new
What would those be?
1 - It encourages the use of weak pre-shared keys. - Perhaps, but this can
easily be fixed in XAUTH. I would still like to get a concensus on this.
2 - It's too complicated to be secure... Please !
3 - Too much known plain text. - All three proposals (XAUTH, CRACK, and ULA
have know plain text.
4 - It's too tightly bound to Cfg. Cfg is a simple protocol. Why invent a
new protocol when one already exist which meets your needs.
I see nothing here that warrants killing a protocol that is currently being
developped, and even deployed by a significant amount of vendors.
> I don't think we're throwing out work. All work done so far was
> experimental with the goal of reaching a good solution. This
> experimentation has led to the discovery of various serious flaws in
> the mode-cfg/xauth solution. These flaws are now being corrected in
> a solution which builds on what has been learned.
> My feeling is that those who are complaining now are doing so for
> marketing reasons rather than doing the Right Thing for security and
> the protocol.
Maybe you're not throwing out work, but many vendors would be... for no good
Once again, if a serious flaw were found in XAUTH and/or Cfg, that couldn't
be easily corrected, then I could see a reason to change paths. However, at
this point, I don't see that.