XAUTH Bashing (was Re: Results of protocol straw poll)



Hi All,

I know this is not the proper forum to discuss Xauth issues, but someone
else raised them, so I will politely respond, and encourage any further
comments on Xauth, or more specifically its implementation details or
security concerns (those that are VALID at least) to be discussed on
ietf-xauth@xxxxxxxx

"Scott G. Kelly" <skelly@xxxxxxxxxxxx> wrote:

>
> It is clear that xauth is trivially susceptible to DoS attacks, among
> other things, and that should be a strong incentive against implementing
> it.

Scott,
You often wildly make these kinds of allegations against XAUTH, yet you've
never demonstrated or discussed the rationale behind them.  Would you care
to share these with me please (preferably on the ietf-xauth@xxxxxxxx mailing
list).  I think it is important that you do this, because, for some reason,
some people actually believe you, and then they send me emails asking when
I'm going to fix these problems in the draft.  Of course, I have no idea
what they are talking about.  DoS attacks?  Please explain.  This is the
first I've heard of it.

P.S. Just to make my position clear on Xauth (w/regards to this WG).  Even
though I am the author, I don't think that Xauth is the best solution for
this problem.  I think the models of Hybrid or CRACK are much better than
all the other candidates.  I specifically prefer Hybrid because it will
allow me to re-use much of the code base I already have.  Hybrid is actually
VERY trivial once you already have Xauth.

Stephane.