Re: [kitten] Requesting WG adoption of several SCRAM related documents
Alexey Melnikov <alexey.melnikov@isode.com> Wed, 27 October 2021 11:13 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C20A73A0E84 for <kitten@ietfa.amsl.com>; Wed, 27 Oct 2021 04:13:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.429
X-Spam-Level:
X-Spam-Status: No, score=-5.429 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-3.33, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lXGmjuW91jVZ for <kitten@ietfa.amsl.com>; Wed, 27 Oct 2021 04:13:49 -0700 (PDT)
Received: from statler.isode.com (Statler.isode.com [62.232.206.189]) by ietfa.amsl.com (Postfix) with ESMTP id B09C13A0E82 for <kitten@ietf.org>; Wed, 27 Oct 2021 04:13:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1635333227; d=isode.com; s=june2016; i=@isode.com; bh=2dzCQGChGAgcTQfaH1efftlMBcY9uvuFW5J/fuH6cQY=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=hsYKVBFwwX/zGKFN+9t96Rz3yBdC8Ho+H0oatUFdWKDKS0l3lUX4c3/ma/XISoW2qyG27D FkZkNXZ+M90x6RRgLNYWZAY2x9urPUhxnPAKDr19TG3t4U78J5xOyEwG1Jl+XqIrw4vBlL jKu/Zxy8QGyL/IxlAzm3XWcWx6sCWhE=;
Received: from [192.168.1.222] (host5-81-100-13.range5-81.btcentralplus.com [5.81.100.13]) by statler.isode.com (submission channel) via TCP with ESMTPSA id <YXk0agALZIYM@statler.isode.com>; Wed, 27 Oct 2021 12:13:46 +0100
To: Simon Josefsson <simon@josefsson.org>
Cc: "kitten@ietf.org" <kitten@ietf.org>, Robbie Harwood <rharwood@redhat.com>
References: <4a14c16b-644f-ac40-7b3a-a1712c9aa3d2@isode.com> <87ilxjo6e1.fsf@latte.josefsson.org>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <86d03520-467c-42c8-4969-e2b306804eae@isode.com>
Date: Wed, 27 Oct 2021 12:13:35 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
In-Reply-To: <87ilxjo6e1.fsf@latte.josefsson.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/5-esVLc7u2APoia1psnp7RKjVU0>
Subject: Re: [kitten] Requesting WG adoption of several SCRAM related documents
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Oct 2021 11:13:55 -0000
Hi Simon, On 26/10/2021 21:52, Simon Josefsson wrote: > Hi. I'm not strongly opposed to these work items, but I do feel > publishing these documents without adressing high-level concerns have a > risk of causing problems during deployment. I think the WG should > understand and consider the implication before adopting the documents - > maybe there is alternative work that needs to happen before/instead. > > 1) For SCRAM-2FA how is user interaction supposed to work for > applications that open many connections? This is the problem that > turned out to kill deployment of SAML20 and OPENID20 for typical > environments. I think this is a serious problem for any SASL mechanisms > that works with non-long-term secrets, and I think we should ponder if > there is some generic mechanism (like SASL re-authentication or > authentication resumption) that needs to be standardized. Otherwise I > think SCRAM-2FA will end up in the same way, and cause people to do a > lot of work to try to implement it and run into the same problems. Very good point. I think Dave Cridland had a proposal for a generic SASL resumption mechanism <https://www.ietf.org/archive/id/draft-cridland-kitten-clientkey-00.txt> and I support adopting it to address this problem. > 2) Add new hashes for SCRAM causes complexity in applications to specify > and support multiple database entries for different > password-equivalents. This is not really a new thing, although multiple SCRAM mechanisms certainly made it worse. Some backends can store multiple values and some can't. > There is no real guidance on how clients and > servers should treat multiple hash variants and negotiation between > them. SASL does not handle sub-mechanism negotiation well, so it has a > security complexity cost. I wrote about some of this in > https://blog.josefsson.org/2021/06/08/whats-wrong-with-scram/ and at > least one problem is worth repeating: > > How to negotiate which variant to use is not well-defined. Consider if > the server only has access to a SCRAM-SHA-1 hashed password for user X > and a SCRAM-SHA-256 hashed password for user Y. What mechanisms should > it offer to an unknown client? Offering both is likely to cause > authentication failures, and the fall-back behaviour of SASL is poor. I think this is a generic SASL problem when there are different sets of users that use different SASL mechanism/credentials. (E.g. the same problem exists if some users have SCRAM-SHA-1 credential and some can only use EXTERNAL). This is also a quality of implementation issue. Many implementations can iterate through several SASL mechanisms until one of them succeeds. Anyway, I am happy to work on better advice for SASL implementors or some other way to help improve this. Best Regards, Alexey > /Simon > > Alexey Melnikov <alexey.melnikov@isode.com> writes: > >> Dear Kitten WG participants, >> >> I would like to request WG adoption of several SCRAM related documents: >> >> 1) Extensions to Salted Challenge Response (SCRAM) for 2 factor >> authentication >> <https://datatracker.ietf.org/doc/draft-melnikov-scram-2fa/> >> >> There were some earlier discussions of this document and it seems to >> be in scope for the current charter. >> >> 2) SCRAM-SHA-512 and SCRAM-SHA-512-PLUS Simple Authentication and >> Security Layer (SASL) Mechanisms >> <https://datatracker.ietf.org/doc/draft-melnikov-scram-sha-512/> >> >> This is already implemented in Cyrus SASL, so it would be good to have >> stable documentation. >> >> 3) SCRAM-SHA3-512 and SCRAM-SHA3-512-PLUS Simple Authentication and >> Security Layer (SASL) Mechanisms >> <https://datatracker.ietf.org/doc/draft-melnikov-scram-sha3-512/> >> >> Best Regards, >> >> Alexey >> >> P.S. As I am editing various documents mentioned in this email, my >> co-chair Robbie will judge consensus on adoption of each document. >>
- [kitten] Requesting WG adoption of several SCRAM … Alexey Melnikov
- Re: [kitten] Requesting WG adoption of several SC… Sam Whited
- Re: [kitten] Requesting WG adoption of several SC… Simon Josefsson
- Re: [kitten] Requesting WG adoption of several SC… Ruslan N. Marchenko
- Re: [kitten] Requesting WG adoption of several SC… Alexey Melnikov
- Re: [kitten] Requesting WG adoption of several SC… Robbie Harwood
- Re: [kitten] Requesting WG adoption of several SC… Simon Josefsson
- Re: [kitten] Requesting WG adoption of several SC… Sam Whited
- Re: [kitten] Requesting WG adoption of several SC… Alexey Melnikov
- Re: [kitten] Requesting WG adoption of several SC… Dave Cridland
- Re: [kitten] Requesting WG adoption of several SC… Alexey Melnikov
- Re: [kitten] Requesting WG adoption of several SC… Dave Cridland
- Re: [kitten] Requesting WG adoption of several SC… Alexey Melnikov
- Re: [kitten] Requesting WG adoption of several SC… Robbie Harwood
- Re: [kitten] Requesting WG adoption of several SC… Ruslan N. Marchenko
- Re: [kitten] Requesting WG adoption of several SC… Dave Cridland