Re: [kitten] Comments on draft-ietf-kitten-password-storage-04

Sam Whited <sam@samwhited.com> Thu, 01 April 2021 21:03 UTC

Message-Id: <b72c8211-07ce-467c-9476-faa0354736a1@www.fastmail.com>
In-Reply-To: <E4D53992-EFFD-4938-8427-D276B5A0A178@bluepopcorn.net>
References: <E4D53992-EFFD-4938-8427-D276B5A0A178@bluepopcorn.net>
Date: Thu, 01 Apr 2021 17:02:48 -0400
From: "Sam Whited" <sam@samwhited.com>
To: "Jim Fenton" <fenton@bluepopcorn.net>
Cc: "KITTEN Working Group" <kitten@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/4FJ2jTApk2ouF0GLRToxit3OHA4>

Thank you for your feedback! I think I have addressed all of these
issues (and will upload a new version soon) except for:

On Sat, Mar 20, 2021, at 20:31, Jim Fenton wrote:
> 4.1: I’m concerned that the MUST NOT here conflicts with the SHOULD
>      NOT regarding OBSOLETE and LIMITED mechanisms in Section 2. Of
>      course, MD5 is not an SASL mechanism per se, and “support any
>      mechanism” in this context may not necessarily mean an SASL
>      mechanism, but I still found this vaguely confusing.

I thought of this as just further refining the guidance from section 2.
You SHOULD NOT use anything from a specific list, and MUST NOT use
anything that meets these criteria (which may include things that are on
the list and things that aren't). However, perhaps the SHOULD NOT in
section 2 should become a MUST NOT? Re-reading it I'm not sure why I put
SHOULD NOT there.

> 5.2: Bcrypt is no longer the current (top) OWASP recommendation.

Interestingly, I had argon2id as the top recommendation in an
earlier draft of this document then they changed it back to bcrypt.
I'll swap it back.

> 7: Suggest saying something about Unicode characters and password
>    length

Good idea. I updated this to suggest counting grapheme clusters,
which I believe is going to be better than counting scalar values,
but I'm not sure that it's ideal either. Many languages probably
don't have an implementation of the segmentation algorithm, and it
adds a lot of complexity to calculating password lengths. Other
suggestions welcome. Because of the uncertainty I did not use any
normative language here for now.

I also couldn't find an existing reference for Unicode Standard Annex
reports. Is there a bibliography somewhere that includes these which I
could reference instead of making up a new ref?

—Sam


-- 
Sam Whited
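The grapheme-cluster point in the reply above, as an added example that is not code from the draft or from anyone in the thread: the same password measured in UTF-8 bytes, UTF-16 code units, Unicode scalar values and extended grapheme clusters, then a minimum-length policy applied in grapheme clusters. It assumes Node 16 or later with ICU, where Intl.Segmenter implements UAX #29 segmentation; the sample strings are constructed.

```javascript
// Measure one password string in the four units an implementation might
// mistake for "length". Normalization is a separate step and is not done here.
function passwordLengths(pw) {
  const segmenter = new Intl.Segmenter(undefined, { granularity: 'grapheme' });
  return {
    utf8Bytes: Buffer.byteLength(pw, 'utf8'),            // what the hash input / DB column sees
    utf16Units: pw.length,                                // JavaScript's String.length
    codePoints: Array.from(pw).length,                    // Unicode scalar values
    graphemes: Array.from(segmenter.segment(pw)).length,  // user-perceived characters (UAX #29)
  };
}

// Minimum-length policy counted in grapheme clusters, as the reply suggests,
// so "é" counts once whether it is precomposed or e + combining acute.
function meetsMinimumLength(pw, minGraphemes) {
  return passwordLengths(pw).graphemes >= minGraphemes;
}

// Constructed sample inputs (not from the thread).
const SAMPLES = {
  precomposed: 'caf\u00e9',                           // é as U+00E9
  decomposed: 'cafe\u0301',                           // e followed by U+0301
  family: '\u{1F468}\u200D\u{1F469}\u200D\u{1F467}',  // ZWJ emoji sequence: one glyph
};

// Tabulate the counts to show where bytes, code units and scalar values
// over- or under-state what the user actually typed.
function report() {
  const rows = Object.entries(SAMPLES).map(([name, pw]) => ({ name, ...passwordLengths(pw) }));
  console.table(rows);
  // The family emoji is 18 UTF-8 bytes but a single grapheme: a byte-counted
  // "minimum 8" policy accepts it, a grapheme-counted one does not.
  console.log('family meets min 8 (graphemes)?', meetsMinimumLength(SAMPLES.family, 8));
  return rows;
}

report();
```

The decomposed and precomposed forms of "café" differ in every count except graphemes, which is the unit a user would expect a length rule to be stated in.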