Re: IESG telechat Gen-ART review of draft-harkins-salted-eap-pwd-06

Daniel Harkins <> Wed, 19 October 2016 16:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 376F112946D for <>; Wed, 19 Oct 2016 09:20:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.332
X-Spam-Status: No, score=-2.332 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4fzFVEoEQqo8 for <>; Wed, 19 Oct 2016 09:20:22 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 16618128B38 for <>; Wed, 19 Oct 2016 09:20:22 -0700 (PDT)
X-ASG-Debug-ID: 1476894005-0bce8923fe2fa680001-h9jmKw
Received: from ([]) by with ESMTP id 82OHuG83FSoO6jbR (version=TLSv1.2 cipher=AES128-SHA256 bits=128 verify=NO); Wed, 19 Oct 2016 09:20:06 -0700 (PDT)
Received: from ([fe80::6c58:60ca:c422:ac39]) by ([fe80::ede6:da8e:28ca:306%15]) with mapi id 14.03.0266.001; Wed, 19 Oct 2016 09:20:05 -0700
From: Daniel Harkins <>
To: "Dale R. Worley" <>, "" <>, "" <>, "" <>
Subject: Re: IESG telechat Gen-ART review of draft-harkins-salted-eap-pwd-06
Thread-Topic: IESG telechat Gen-ART review of draft-harkins-salted-eap-pwd-06
X-ASG-Orig-Subj: Re: IESG telechat Gen-ART review of draft-harkins-salted-eap-pwd-06
Thread-Index: AQHSJoZ3l6W4ixSGgk2nJoGyl9DkrKCv/D8A
Date: Wed, 19 Oct 2016 16:20:05 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/f.16.0.160506
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Barracuda-Connect: UNKNOWN[]
X-Barracuda-Start-Time: 1476894005
X-Barracuda-Encrypted: AES128-SHA256
X-Virus-Scanned: by bsmtpd at
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=7.0 tests=
X-Barracuda-Spam-Report: Code version 3.2, rules version Rule breakdown below pts rule name description ---- ---------------------- --------------------------------------------------
Archived-At: <>
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 19 Oct 2016 16:56:49 -0000

  Hi Dale,

  I have posted an -07 of the draft that addresses all of your comments except 
the spacing after --. I'll leave that to the taste of the RFC editor. Sorry for the
delay but I was waiting on another reviewer's agreement on resolution of
his comments. Thanks for your patience.



On 10/14/16, 6:45 PM, "Dale R. Worley" <> wrote:

>Document: draft-harkins-salted-eap-pwd-06
>Reviewer: Dale R. Worley
>Review Date: 2016-09-05
>IESG Telechat date: 2016-10-27
>I am the assigned Gen-ART reviewer for this draft.  The General Area
>Review Team (Gen-ART) reviews all IETF documents being processed by
>the IESG for the IETF Chair.  Please wait for direction from your
>document shepherd or AD before posting a new version of the draft.
>For more information, please see the FAQ at
>Summary:  This draft is basically ready for publication, but has
>possible nits that should be considered for fixing before publication.
>Minor issues:
>2.5.  Payload Modifications
>The construction of the EAP-pwd-Commit/Request message limits the salt
>to 255 octets, or 2040 bits.  This probably ought to be mentioned in
>section 2.1 where the length of the salt is discussed.
>Is there any reason to be concerned that 2040 bits will be inadequate
>in the near-to-medium future?
>Nits/editorial comments:
>   It included support for raw keys and RFC2751-style double
>   hashing of a password but did not include support for salted
>   passwords.
>I believe that the reference to RFC 2751 is incorrect.  Probably what
>is meant is RFC 2759 (see the reference thereto in RFC 5931).  In any
>case, the referenced RFC should be listed as a reference.
>1.1.  Background
>   Databases of stored passwords present an attractive target for
>   attack-- get access to the database, learn the passwords.
>Normally, the spacing before and after "--" is the same.  There are
>also examples of this in sections 2.1 and 5.  Perhaps discuss this
>with the RFC Editor concerning the meaning the authors want to
>associate with this punctuation.
>2.1.  Password Pre-Processing
>   o  TBD8: OpaqueString and a UNIX crypt() ([CRY])
>Probably change "a UNIX crypt" to "UNIX crypt".
>   o  TBD5: OpaqueString and a random salt with SHA-1 ([SHS])
>For TBD5-TBD8, it might be clearer to say "OpaqueString and then ...",
>as all of them have a two-phase structure.
>5.  Security Considerations
>   there is no dictionary attack needed to recover the plaintext
>   password.
>This is correct but doesn't emphasize the important point.  Perhaps
>   since the plaintext password need not be recovered, no dictionary
>   attack is needed
>   While the immediate effect of such a compromise would be the
>   compromised server,
>I think changing "would be the compromised server" to "would be the
>compromise of the server" would make this clearer.