Re: [kitten] Request for review of a SASL mechanism using the OPAQUE aPAKE
Alexey Melnikov <alexey.melnikov@isode.com> Mon, 14 November 2022 17:14 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25A04C14F723 for <kitten@ietfa.amsl.com>; Mon, 14 Nov 2022 09:14:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cG1VAAfbYNoe for <kitten@ietfa.amsl.com>; Mon, 14 Nov 2022 09:14:24 -0800 (PST)
Received: from statler.isode.com (Statler.isode.com [62.232.206.189]) by ietfa.amsl.com (Postfix) with ESMTP id 3B588C14F73E for <kitten@ietf.org>; Mon, 14 Nov 2022 09:14:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1668446063; d=isode.com; s=june2016; i=@isode.com; bh=3WOgNowy4VgK1RO3eSzXFukS99K2PeEEPN9kFzl3bss=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=dUfAQpcIvEPhmzri1C6GVGJhEKYjpA7biM/2jpkFl83w4mRC8OSmE8Ju/hm7wr6XFgDpbr mVM+K8gCu7CqKLS/SJyt2FIVvC3Z8vTYLgaGfnU0Gtp1gN9icO4q5yutv41Xi/cfJJQuo7 XyIYHyRf0Z+SlJY83xOX4yccA3+d67s=;
Received: from [192.168.1.222] (host31-49-219-122.range31-49.btcentralplus.com [31.49.219.122]) by statler.isode.com (submission channel) via TCP with ESMTPSA id <Y3J3bgBWDFsJ@statler.isode.com>; Mon, 14 Nov 2022 17:14:23 +0000
Message-ID: <f8af0c9e-2d69-2067-83e6-cad9bcbde2bd@isode.com>
Date: Mon, 14 Nov 2022 17:14:16 +0000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.13.1
To: Nadja von Reitzenstein Cerpnjak <me@dequbed.space>, kitten@ietf.org
References: <e5a00d86-48a1-d602-0ee8-8cb80c06f826@dequbed.space>
From: Alexey Melnikov <alexey.melnikov@isode.com>
In-Reply-To: <e5a00d86-48a1-d602-0ee8-8cb80c06f826@dequbed.space>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------6SwRNXwGxWFJugY0lwzDOyIX"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/8R42rAeEbfKQg8wYRrRPh1tpAd4>
Subject: Re: [kitten] Request for review of a SASL mechanism using the OPAQUE aPAKE
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Nov 2022 17:14:28 -0000
Hi Nadja, Thank you for your draft. I read it and overall it looks good, other than missing specific parameters in Section 7. Also some specific comments: > 6.1. Default Channel Binding > > 'tls-exporter' is the default channel binding type for any > application that do not specify one. > > Servers MUST implement the 'tls-exporter' [RFC9266] channel binding > type if they implement any channel binding and use TLS. Clients > SHOULD implement the 'tls-exporter' [RFC9266] channel binding type if > they implement any and use TLS. > > Servers MUST use the channel binding type indicated by the client, or > fail authentication if they do not support it. In order to maximize interoperability I suggest you also mention tls-unique for TLS 1.2, unless your exlusion of TLS 1.2 is deliberate? In the latter case your draft should say that. In Section 8: > client-first-message-bare = > [reserved-mext ","] username "," auth-request > ["," extensions] "auth-request" is not defined. > > client-first-message = gs2-header client-first-message-bare > > validator = "v=" base64 > > server-message-bare = > [reserved-mext ","] channel-binding "," ksf-params "," > credentials-response ["," extensions] "ksf-params" and "credentials-response" are not defined. Best Regards, Alexey
- [kitten] Request for review of a SASL mechanism u… Nadja von Reitzenstein Cerpnjak
- Re: [kitten] Request for review of a SASL mechani… Simon Josefsson
- Re: [kitten] Request for review of a SASL mechani… Dave Cridland
- Re: [kitten] Request for review of a SASL mechani… Florian Schmaus
- Re: [kitten] Request for review of a SASL mechani… Rick van Rein
- Re: [kitten] Request for review of a SASL mechani… Rick van Rein
- Re: [kitten] Request for review of a SASL mechani… Nadja von Reitzenstein Cerpnjak
- Re: [kitten] Request for review of a SASL mechani… Nadja von Reitzenstein Cerpnjak
- Re: [kitten] Request for review of a SASL mechani… Rick van Rein
- Re: [kitten] Request for review of a SASL mechani… Dave Cridland
- Re: [kitten] Request for review of a SASL mechani… Nadja von Reitzenstein Cerpnjak
- Re: [kitten] Request for review of a SASL mechani… Rick van Rein
- Re: [kitten] Request for review of a SASL mechani… Alexey Melnikov