Re: [Gen-art] IESG telechat Gen-ART review of draft-harkins-salted-eap-pwd-06
Daniel Harkins <dharkins@arubanetworks.com> Wed, 19 October 2016 16:20 UTC
Return-Path: <btv1==100f3309e33==dharkins@arubanetworks.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45BC11294ED for <gen-art@ietfa.amsl.com>; Wed, 19 Oct 2016 09:20:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.332
X-Spam-Level:
X-Spam-Status: No, score=-2.332 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aYm6UT1pSJr9 for <gen-art@ietfa.amsl.com>; Wed, 19 Oct 2016 09:20:07 -0700 (PDT)
Received: from mx02.arubanetworks.com (sjcbarracuda02.arubanetworks.com [104.36.248.60]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A9071294C0 for <gen-art@ietf.org>; Wed, 19 Oct 2016 09:20:06 -0700 (PDT)
X-ASG-Debug-ID: 1476894005-0bce8923fe2fa680001-nPVVhF
Received: from PVM02.arubanetworks.com ([10.44.96.62]) by mx02.arubanetworks.com with ESMTP id 82OHuG83FSoO6jbR (version=TLSv1.2 cipher=AES128-SHA256 bits=128 verify=NO); Wed, 19 Oct 2016 09:20:06 -0700 (PDT)
X-Barracuda-Envelope-From: dharkins@arubanetworks.com
Received: from PWSN02.arubanetworks.com ([fe80::6c58:60ca:c422:ac39]) by PVM02.arubanetworks.com ([fe80::ede6:da8e:28ca:306%15]) with mapi id 14.03.0266.001; Wed, 19 Oct 2016 09:20:05 -0700
From: Daniel Harkins <dharkins@arubanetworks.com>
To: "Dale R. Worley" <worley@ariadne.com>, "gen-art@ietf.org" <gen-art@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "draft-harkins-salted-eap-pwd.all@ietf.org" <draft-harkins-salted-eap-pwd.all@ietf.org>
Thread-Topic: IESG telechat Gen-ART review of draft-harkins-salted-eap-pwd-06
X-ASG-Orig-Subj: Re: IESG telechat Gen-ART review of draft-harkins-salted-eap-pwd-06
Thread-Index: AQHSJoZ3l6W4ixSGgk2nJoGyl9DkrKCv/D8A
Date: Wed, 19 Oct 2016 16:20:05 +0000
Message-ID: <48AF7022-698A-444A-AD5E-CDD88E768B74@arubanetworks.com>
References: <878ttq4c83.fsf@hobgoblin.ariadne.com>
In-Reply-To: <878ttq4c83.fsf@hobgoblin.ariadne.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.16.0.160506
x-originating-ip: [217.124.193.3]
Content-Type: text/plain; charset="utf-8"
Content-ID: <5688BB20E71B7745BC52DDD362800AF1@arubanetworks.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Barracuda-Connect: UNKNOWN[10.44.96.62]
X-Barracuda-Start-Time: 1476894005
X-Barracuda-Encrypted: AES128-SHA256
X-Barracuda-URL: https://mx01.arubanetworks.com:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at arubanetworks.com
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=7.0 tests=
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.33854 Rule breakdown below pts rule name description ---- ---------------------- --------------------------------------------------
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/plqn3z9ZV0CtswS-NycfzKlh4p4>
Subject: Re: [Gen-art] IESG telechat Gen-ART review of draft-harkins-salted-eap-pwd-06
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2016 16:36:50 -0000
Hi Dale, I have posted an -07 of the draft that addresses all of your comments except the spacing after --. I'll leave that to the taste of the RFC editor. Sorry for the delay but I was waiting on another reviewer's agreement on resolution of his comments. Thanks for your patience. regards, Dan. On 10/14/16, 6:45 PM, "Dale R. Worley" <worley@ariadne.com> wrote: >Document: draft-harkins-salted-eap-pwd-06 >Reviewer: Dale R. Worley >Review Date: 2016-09-05 >IESG Telechat date: 2016-10-27 > >I am the assigned Gen-ART reviewer for this draft. The General Area >Review Team (Gen-ART) reviews all IETF documents being processed by >the IESG for the IETF Chair. Please wait for direction from your >document shepherd or AD before posting a new version of the draft. > >For more information, please see the FAQ at ><http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. > >Summary: This draft is basically ready for publication, but has >possible nits that should be considered for fixing before publication. > >Minor issues: > >2.5. Payload Modifications > >The construction of the EAP-pwd-Commit/Request message limits the salt >to 255 octets, or 2040 bits. This probably ought to be mentioned in >section 2.1 where the length of the salt is discussed. > >Is there any reason to be concerned that 2040 bits will be inadequate >in the near-to-medium future? > >Nits/editorial comments: > >Abstract > > It included support for raw keys and RFC2751-style double > hashing of a password but did not include support for salted > passwords. > >I believe that the reference to RFC 2751 is incorrect. Probably what >is meant is RFC 2759 (see the reference thereto in RFC 5931). In any >case, the referenced RFC should be listed as a reference. > >1.1. Background > > Databases of stored passwords present an attractive target for > attack-- get access to the database, learn the passwords. > >Normally, the spacing before and after "--" is the same. There are >also examples of this in sections 2.1 and 5. Perhaps discuss this >with the RFC Editor concerning the meaning the authors want to >associate with this punctuation. > >2.1. Password Pre-Processing > > o TBD8: OpaqueString and a UNIX crypt() ([CRY]) > >Probably change "a UNIX crypt" to "UNIX crypt". > > o TBD5: OpaqueString and a random salt with SHA-1 ([SHS]) > >For TBD5-TBD8, it might be clearer to say "OpaqueString and then ...", >as all of them have a two-phase structure. > >5. Security Considerations > > there is no dictionary attack needed to recover the plaintext > password. > >This is correct but doesn't emphasize the important point. Perhaps > > since the plaintext password need not be recovered, no dictionary > attack is needed > >-- > > While the immediate effect of such a compromise would be the > compromised server, > >I think changing "would be the compromised server" to "would be the >compromise of the server" would make this clearer. > >Dale
- [Gen-art] IESG telechat Gen-ART review of draft-h… Dale R. Worley
- Re: [Gen-art] IESG telechat Gen-ART review of dra… Daniel Harkins