Re: [kitten] Requesting WG adoption of several SCRAM related documents
Alexey Melnikov <alexey.melnikov@isode.com> Mon, 08 November 2021 14:17 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2D0D3A0DCE for <kitten@ietfa.amsl.com>; Mon, 8 Nov 2021 06:17:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.429
X-Spam-Level:
X-Spam-Status: No, score=-5.429 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-3.33, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nozHhThnbO1X for <kitten@ietfa.amsl.com>; Mon, 8 Nov 2021 06:17:36 -0800 (PST)
Received: from waldorf.isode.com (waldorf.isode.com [62.232.206.188]) by ietfa.amsl.com (Postfix) with ESMTP id AAC6D3A0CDD for <kitten@ietf.org>; Mon, 8 Nov 2021 06:17:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1636381049; d=isode.com; s=june2016; i=@isode.com; bh=ZornpzhQj06zg1vAvehewHS+oVUF3L/6+99csSoiUDs=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=tiOXts9QlDHJibd2rfy1dS9+J/WPUNuZuk6w2HqpqIv+jbWBSmlDeqk1Cyx75Pbq42P5wR zSEvjI9wPnP/XAv0KGyy0dr7kRjdu7+w07GLTqi9aZGN1v8Oj7EUfxNFsTn9pVRWFYndEm xmourj8QQfExkmVZxW+KkQW2selTJIU=;
Received: from [192.168.1.222] (host5-81-100-95.range5-81.btcentralplus.com [5.81.100.95]) by waldorf.isode.com (submission channel) via TCP with ESMTPSA id <YYkxeAAF4lH3@waldorf.isode.com>; Mon, 8 Nov 2021 14:17:28 +0000
To: Dave Cridland <dave@cridland.net>
Cc: "kitten@ietf.org" <kitten@ietf.org>, Robbie Harwood <rharwood@redhat.com>
References: <4a14c16b-644f-ac40-7b3a-a1712c9aa3d2@isode.com> <CAKHUCzwUZJOi0KsSYcyVjHHQkc8EaRHT6=59UhXc2EWDTUi00w@mail.gmail.com> <dc5a6e3f-6024-0578-e417-7ebe589ccd3b@isode.com> <CAKHUCzwAV+gSX9dSTGM-W_NetPduGN9JRBU_+JPCJ3QoUTagjA@mail.gmail.com>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <9ad610e1-8802-dc15-7154-0cb7954ec6ec@isode.com>
Date: Mon, 08 Nov 2021 14:17:19 +0000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
In-Reply-To: <CAKHUCzwAV+gSX9dSTGM-W_NetPduGN9JRBU_+JPCJ3QoUTagjA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/3WdfAwsYAjw12DbaAALUFoLq7sc>
Subject: Re: [kitten] Requesting WG adoption of several SCRAM related documents
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Nov 2021 14:17:48 -0000
Hi Dave, On 05/11/2021 17:08, Dave Cridland wrote: > Hi Alexey, > > On Fri, 5 Nov 2021 at 15:50, Alexey Melnikov <alexey.melnikov@isode.com> wrote: >> Dave, >> >> On 05/11/2021 15:41, Dave Cridland wrote: >>> The obvious downside of the approach we took is that it requires >>> changes to the SASL profiles of the application protocols - this is >>> certainly undesirable. >> I like your approach of stacking mechanisms, but I fear this is going to >> be a multi-year approach to implement and deploy. >> >> So yes, happy to work on this as well, but I am not happy to not work on >> simpler/quicker ways to deploy 2FA with SCRAM that can be done in a >> couple of months time. >> > OK, and I understand your motive for something rapidly deployable - > but what about encapsulating the XEP-0388 SASL flow within another > mechanism? > > This would mean a mechanism where the messages were: > > Client Send First: username, optional wrapped-mechname, optional > client-send-first for wrapped-mechanism > Server: wrapped-mechname, wrapped-exchange OR mechanisms-list > Client: ... > Server: ... > Client: ... > Server: success, optional success-data OR failure OR continue, > optional success-data, task list I was thinking about implementation and testing costs of something like this. I am not saying this is not the right long term (or medium term) solution, but this is definitely more work than adding 2FA directly to SCRAM... I suppose I need to play with this (once I see an ID) and see how much work this is going to be. > [etc] > > That would mean you could wrap SCRAM within it and where TOTP was > required by the server, it could force that and the UX flow would be > as expected - thus functionally equivalent to your design but also > more or less as easy to deploy (in as much as it could be written as a > Cyrus SASL mechanism plugin I think - one that itself would then make > mechanism calls). > > But it would also be equivalent in terms of SASL itself to XEP-0388, > thus allowing TOTP to be used with PLAIN, and HOTP or even SMS codes > to be used in lieu of TOTP (in principle). > > The only real change from yours is that there's an additional RTT > involved for TOTP, but that's irrelevant when the user is having to > fumble about for their phone anyway. > > If you're interested in exploring further I'm happy to describe this > approach more formally (ie, put together an I-D). The answer to this is pretty much always "yes" :-). So yes, please write it as an ID. Best Regards, Alexey >>> It could be side-stepped by providing a >>> meta-mechanism, which in turn handled the enhanced exchange >>> internally, but this is very much a compatibility layer and (I >>> suspect) less efficient. In any case, XEP-0388 provides a better >>> profile for XMPP for various unrelated reasons. >> Best Regards, >> >> Alexey >>
- [kitten] Requesting WG adoption of several SCRAM … Alexey Melnikov
- Re: [kitten] Requesting WG adoption of several SC… Sam Whited
- Re: [kitten] Requesting WG adoption of several SC… Simon Josefsson
- Re: [kitten] Requesting WG adoption of several SC… Ruslan N. Marchenko
- Re: [kitten] Requesting WG adoption of several SC… Alexey Melnikov
- Re: [kitten] Requesting WG adoption of several SC… Robbie Harwood
- Re: [kitten] Requesting WG adoption of several SC… Simon Josefsson
- Re: [kitten] Requesting WG adoption of several SC… Sam Whited
- Re: [kitten] Requesting WG adoption of several SC… Alexey Melnikov
- Re: [kitten] Requesting WG adoption of several SC… Dave Cridland
- Re: [kitten] Requesting WG adoption of several SC… Alexey Melnikov
- Re: [kitten] Requesting WG adoption of several SC… Dave Cridland
- Re: [kitten] Requesting WG adoption of several SC… Alexey Melnikov
- Re: [kitten] Requesting WG adoption of several SC… Robbie Harwood
- Re: [kitten] Requesting WG adoption of several SC… Ruslan N. Marchenko
- Re: [kitten] Requesting WG adoption of several SC… Dave Cridland