Hello,

> The IESG has received a request from an individual submitter to consider
> the following document:
> - 'Adding Support for Salted Password Databases to EAP-pwd'
> <draft-harkins-salted-eap-pwd-06.txt> as Informational RFC

Kathleen Moriarty, as the shepherding AD, has asked me in my function as doc shepherd to point the community to one particular statement in Security Considerations. There is a paragraph starting with the sentence:

"EAP-pwd sends the salt in the clear."

The basic question behind that whole paragraph is: is this an issue at all? The salt itself is not very critical information; the (salted) password itself is never even transmitted over the wire with EAP-pwd. So, there is a small, but non-zero, amount of meta-information about the password salting that can be learned by adversaries on the wire.

We've had some discussion whether it is worth noting this in Sec Con at all, or if that's already overkill. The new (and maybe even unprecedented) aspect here is that salts are usually local pieces of information inside a password database which do not move or get exposed at all. Here they are, and in cleartext.

So, there is a paragraph in the draft now, but it can go away if it's superfluous. If you have any substantial comment about this, please let the list know.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66