Re: [Emu] draft-ietf-emu-rfc7170bis-03.txt and password length
Heikki Vatiainen <hvn@radiatorsoftware.com> Fri, 27 January 2023 12:56 UTC
Return-Path: <hvn@radiatorsoftware.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D02BAC14F72D for <emu@ietfa.amsl.com>; Fri, 27 Jan 2023 04:56:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=radiatorsoftware-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vZ2c3HhKWRMY for <emu@ietfa.amsl.com>; Fri, 27 Jan 2023 04:56:24 -0800 (PST)
Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 207D9C14E515 for <emu@ietf.org>; Fri, 27 Jan 2023 04:56:23 -0800 (PST)
Received: by mail-ej1-x630.google.com with SMTP id me3so13468553ejb.7 for <emu@ietf.org>; Fri, 27 Jan 2023 04:56:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=radiatorsoftware-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=49rSfvdFUw/HBZAKSZWsSkoogzAVfO1IPq8mZZ4XnbE=; b=0bWF+FPUCTrNmTuId4WRo3Dso8BQHuXijHtyeAUVrImPPw+YCOWFuwg2TtxRzXxaXF HNCVO8RxCknC37j9nWeqfo8JJQ88uu31EByrchbs1w/UPj2Iud763QSQUlqA9kSC5Eor vwSdFGSqxWJKrW6EXafmQiI4jYo+Vo4o91Fx++kti4n4pTYTiC6xjH08gCvXIO7cGGyP kgmiAUEwVdb6DzcGiIWSyALPK0UPzP+doxGDTStXcLmsmaz8qUL/gdXj+Sf8V7twiaHk NN4M3o/S6/Lk7pwdi2SwLSUHt0D4b2+zO4ljM7XB4hzvNN6r0GAEb/rJAyn2Hw1F55gI ROBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=49rSfvdFUw/HBZAKSZWsSkoogzAVfO1IPq8mZZ4XnbE=; b=qTszHbTcziu8YZ6x77wILV8kuQ4QZZQtaQrjNUnGj2AlyAqRPDIPimT+EhyBJ03ZUj 1aqcM1Jq3c0+NfKTqbkRdPqODFZUopKte3dyQ/Im5TgCRUESyIllR38ht755secDRO4T OFAwzU66I8s6YLiJ4FYV2m66AZ0g0zwT6MAE2yZk/pRKUGB8SK3HHGPhGEsgL+cVnQZ1 zp2x68a8Js3df47gcO5gFgzj2DZKqBiBfvZoyPhBEJx/ZJfJBGBQZlPlGMDOLfMnzM7o XKXSsgS2GdJPMU9s+zemXqr0AcDYWtpKfeClGlVro/MM2bjMAJIlR45Ev87O8/93xxtb Aubg==
X-Gm-Message-State: AFqh2kpReXYIMKv9m2LQyEO3KxAGhvySOngD7zxkYRhnzRkPrcMEL9XC 4R8yWLYC4fngQ/vfv4Enb1fZuxPJsvnolg/BofDA3f3Veb8vZkn6
X-Google-Smtp-Source: AMrXdXvo6M7HP4piIKxAU1UAwXUkXzHafKfmKi1XphEEoQ55UCU12T379JL/V3hJhCtsd/pR5/2054EDcqNESP7qsn8=
X-Received: by 2002:a17:906:5290:b0:7c0:b56a:eadf with SMTP id c16-20020a170906529000b007c0b56aeadfmr6419955ejm.271.1674824182291; Fri, 27 Jan 2023 04:56:22 -0800 (PST)
MIME-Version: 1.0
References: <9A85E1BF-4CBF-4D3F-98F9-A07D496F7759@deployingradius.com> <DB6PR0701MB304746750BFA21068CB8B23489CE9@DB6PR0701MB3047.eurprd07.prod.outlook.com> <CAA7Lko8=kJnqpB-YNFVTs=E0mpCrcOsEpRePvwkGp-h8dDdw9g@mail.gmail.com> <159d378b-06f4-cf12-edc1-41dcbcf67541@lear.ch>
In-Reply-To: <159d378b-06f4-cf12-edc1-41dcbcf67541@lear.ch>
From: Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Fri, 27 Jan 2023 14:56:06 +0200
Message-ID: <CAA7Lko-qKqpBLnU2gP4Pos-Y1F48+mxYU06y-0etrw6uRMZMVQ@mail.gmail.com>
To: EMU WG <emu@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/LKXnaoAjV3-lcQCROnD6e--VlVY>
Subject: Re: [Emu] draft-ietf-emu-rfc7170bis-03.txt and password length
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jan 2023 12:56:24 -0000
On Fri, 27 Jan 2023 at 13:30, Eliot Lear <lear@lear.ch> wrote: >> On 27.01.23 12:17, Heikki Vatiainen wrote: >> >> For example, an OTP system could do this: >> - Start authentication with username + static password; if ok then >> - Server prompts for the next method: Choose 1 for push to mobile app, >> 2 for telephone callback, 3 for emergency use pre-printed code. Leave >> password empty for the default method (not mandatory: can always >> choose one of 1-3). >> - The next server response then depends on what was chosen by the user >> >> The above may need to run as one exchange without any >> Intermediate-Result TLV between static password and OTP dialogue >> because it gets proxied as Radius PAP to "Inner Method server" as >> described in section 2.1 of the draft > Hold the phone on this. That's not how Jouni's code works, and that's not what we just agreed to on the calls. Jouni's code has something of a filler intermediate-result and CB, and we just agreed that everything should have that. Now, I am still not a fan of that decision, but it's what we decided. Do we need to revisit? Revisit was not intended, my intention was to give some examples of why various uses of Basic-Password-Auth-Resp TLV and how it sometimes carries information other than password. I may have gotten the sequencing incorrectly with my example above. My understanding is that the "housekeeping" functionality, or any other variation of multi-round inner password authentication, means that Basic-Password-Auth-Req <--> Basic-Password-Auth-Resp exchange is done multiple times before a single inner password authentication method is considered completed and an Intermediate-Result TLV and Crypto-Binding TLV are needed. I'll need to check the previous discussion about filler Intermediate-Result and CB. When strictly reading the RFC and draft, it doesn't talk about multi-round inner password authentication, but I guess this is supported? -- Heikki Vatiainen hvn@radiatorsoftware.com
- [Emu] draft-ietf-emu-rfc7170bis-03.txt and passwo… Alan DeKok
- Re: [Emu] draft-ietf-emu-rfc7170bis-03.txt and pa… John Mattsson
- Re: [Emu] draft-ietf-emu-rfc7170bis-03.txt and pa… Eliot Lear
- Re: [Emu] draft-ietf-emu-rfc7170bis-03.txt and pa… Alan DeKok
- Re: [Emu] draft-ietf-emu-rfc7170bis-03.txt and pa… Alan DeKok
- Re: [Emu] draft-ietf-emu-rfc7170bis-03.txt and pa… Eliot Lear
- Re: [Emu] draft-ietf-emu-rfc7170bis-03.txt and pa… Alan DeKok
- Re: [Emu] draft-ietf-emu-rfc7170bis-03.txt and pa… Eliot Lear
- Re: [Emu] draft-ietf-emu-rfc7170bis-03.txt and pa… Alan DeKok
- Re: [Emu] draft-ietf-emu-rfc7170bis-03.txt and pa… Eliot Lear
- Re: [Emu] draft-ietf-emu-rfc7170bis-03.txt and pa… Alan DeKok
- Re: [Emu] draft-ietf-emu-rfc7170bis-03.txt and pa… Heikki Vatiainen
- Re: [Emu] draft-ietf-emu-rfc7170bis-03.txt and pa… Eliot Lear
- Re: [Emu] draft-ietf-emu-rfc7170bis-03.txt and pa… Heikki Vatiainen
- Re: [Emu] draft-ietf-emu-rfc7170bis-03.txt and pa… Heikki Vatiainen
- Re: [Emu] draft-ietf-emu-rfc7170bis-03.txt and pa… Alan DeKok
- Re: [Emu] draft-ietf-emu-rfc7170bis-03.txt and pa… Alan DeKok