Simple Authentication and Security Layer (sasl)
-----------------------------------------------

 Charter
 Last Modified: 2008-10-28

 Current Status: Active Working Group

 Chair(s):
     Kurt Zeilenga  <kurt.zeilenga@isode.com>
     Tom Yu  <tlyu@mit.edu>

 Security Area Director(s):
     Tim Polk  <tim.polk@nist.gov>
     Pasi Eronen  <pasi.eronen@nokia.com>

 Security Area Advisor:
     Pasi Eronen  <pasi.eronen@nokia.com>

 Mailing Lists: 
     General Discussion: ietf-sasl@imc.org
     To Subscribe:       ietf-sasl-request@imc.org
         In Body:        subscribe
     Archive:            http://www.imc.org/ietf-sasl/mail-archive/

Description of Working Group:

The Simple Authentication and Security Layer [RFC4422] provides key
security services to a number of application protocols including BEEP,
IMAP, LDAP, POP, and SMTP. The purpose of this working group is to
shepherd SASL, including select SASL mechanisms, through the Internet
Standards process.

This group will work to progress the SASL Technical Specification
toward Draft Standard.

The group has determined that DIGEST-MD5 [RFC2831] is not suitable for
progression on the Standards Track due to interoperability,
internationalization, and security concerns. The group will deliver a
technical specification for a suitable password-based challenge/
response replacement mechanism for Standards Track consideration.

The replacement mechanism is expected to be "better than" DIGEST-MD5
from a number of perspectives including interoperability,
internationalization, and security. The replacement mechanism is not
expected to (but may) provide a security layer itself, instead relying
on security services provided at a lower layer (e.g., TLS) and channel
bindings. The WG is expected to strike a consensus-supported balance
between the many qualities desired in the replacement. Desired
qualities include (but are not limited to) negotiated key hardening
iteration count, downgrade attack protection, and mutual authentication.
The group intends to consider a number of approaches, including
draft-newman-auth-scam and draft-josefsson-password-auth, as input.
Additionally, the WG will deliver a document summarizing its
DIGEST-MD5 concerns and requesting RFC 2831 be moved to Historic
status. This document will be based upon draft-ietf-sasl-digest-to-
historic.

This group will deliver a revised Technical Specification suitable for
publication as Proposed Standard for the GSS-API family of SASL
mechanisms. This work will be based upon draft-ietf-sasl-gs2.

The group will produce a successor document for the CRAM-MD5
specification, RFC 2195. The outcome can be a Standards Track
specification replacing RFC 2195, an Informational document moving RFC
2195 to Historic, or an Informational document that documents existing
implementation practice.

The following areas are not within the scope of work of this WG:

- new features,

- SASL Mechanisms not specifically mentioned above, and

- SASL "profiles".

However, the SASL WG is an acceptable forum for review of SASL-related
submissions produced by others as long as such review does not impede
progress on the WG objectives listed above.

 Goals and Milestones:

   Done         Submit revised SASL (+ EXTERNAL) I-D 

   Done         Submit revised SASL ANONYMOUS I-D 

   Done         Submit revised SASL PLAIN I-D 

   Done         Submit revised SASL CRAM-MD5 I-D 

   Done         Submit revised SASL DIGEST-MD5 I-D 

   Done         Submit revised SASL GSSAPI I-D 

   Done         Submit SASL (+ EXTERNAL) to the IESG for consideration as a 
                Proposed Standard 

   Done         Submit GSSAPI to IESG for consideration as a Proposed Standard 

   Done         Initial I-D for RFC4422bis 

   Done         Initial I-D for DIGEST-MD5 to Historic 

   Done         WGLC I-D for DIGEST-MD5 to Historic 

   Done         Initial DIGEST-MD5 replacement I-D 

   Done         Initial GS2 I-D 

   Nov 2008     Initial RFC4422bis implementation report 

   Nov 2008     Reach consensus on CRAM-MD5 successor approach (and update 
                milestones accordingly) 

   Dec 2008     WGLC RFC4422bis and implementation report I-D 

   Jan 2009     WGLC DIGEST-MD5 replacement I-D 

   Jan 2009     WGLC GS2 I-D 


 Internet-Drafts:

Posted Revised         I-D Title   <Filename>
------ ------- --------------------------------------------
Jun 2003 Jul 2008   <draft-ietf-sasl-crammd5-10.txt>
                The CRAM-MD5 SASL Mechanism 

Feb 2006 Jul 2008   <draft-ietf-sasl-gs2-10.txt>
                Using GSS-API Mechanisms in SASL: The GS2 Mechanism Family 

Jul 2008 Jul 2008   <draft-ietf-sasl-digest-to-historic-00.txt>
                Moving DIGEST-MD5 to Historic 

Aug 2008 Aug 2008   <draft-ietf-sasl-4422bis-00.txt>
                Simple Authentication and Security Layer (SASL) 

 Request For Comments:

  RFC   Stat Published     Title
------- -- ----------- ------------------------------------
RFC4013 Standard  Mar 2005    SASLprep: Stringprep profile for user names and 
                       passwords 

RFC4422 PS   Jun 2006    Simple Authentication and Security Layer (SASL) 

RFC4505 PS   Jun 2006    Anonymous Simple Authentication and Security Layer 
                       (SASL) Mechanism 

RFC4616 PS   Aug 2006    The PLAIN Simple Authentication and Security Layer 
                       (SASL) Mechanism 

RFC4752 PS   Nov 2006    The Kerberos V5 (