Re: [kitten] Requesting WG adoption of several SCRAM related documents
Dave Cridland <dave@cridland.net> Fri, 05 November 2021 17:08 UTC
Return-Path: <dave@cridland.net>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id F04483A125C
for <kitten@ietfa.amsl.com>; Fri, 5 Nov 2021 10:08:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=cridland.net
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id EWiE263D99C8 for <kitten@ietfa.amsl.com>;
Fri, 5 Nov 2021 10:08:15 -0700 (PDT)
Received: from mail-wm1-x335.google.com (mail-wm1-x335.google.com
[IPv6:2a00:1450:4864:20::335])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 2F4D13A1256
for <kitten@ietf.org>; Fri, 5 Nov 2021 10:08:15 -0700 (PDT)
Received: by mail-wm1-x335.google.com with SMTP id
67-20020a1c1946000000b0030d4c90fa87so6903926wmz.2
for <kitten@ietf.org>; Fri, 05 Nov 2021 10:08:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cridland.net; s=google;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=nS1/wYygz/X4KpSKKzfa5qOOUmPtgEi386TwUw2yuFU=;
b=VgcjanbTrFF6ezjDnTwa/7iT3AqEudiL62wWW/QqBKvgHP7rwzy+YAef40W27uWjl/
5q1KHB5zKhQgxiSJN512zomlDXxnB5qRoTuINzdttBXrWW82jtlmLrerCDYGjn3QB/N/
rSZCBybOHvhLVyqZSBZRQf8AE5vU4Q0I5aUoA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=nS1/wYygz/X4KpSKKzfa5qOOUmPtgEi386TwUw2yuFU=;
b=U3YPfKn2anhGvVDBENQ03xPwCWyfPeDA9h97Cjr8ufh9dWljv8SuKBJq9PhNO1FfCZ
WNNkjfPvAV30LEhs0fXqf7ERIOG5xx9qbCoM5vvwsgV/qHzg8Ws9aUPww6U65CyysTQy
Wlg0/7UBYrmIGrJOVIfo63VytLyy51hPRXq711NlWDFskkZG9Vjvu3DJV7QDh6FedLOj
UXPM0P/sMRqyEfbKNkAS+vIHrv76/mWk+wJZGSqFdB+Kk9E+WGJk21pTDUyBR19f5vQV
ofxz2TTeh4/5J+N3D/mPjRZOFe4z0Dzhvt41hPYvSjWJwTpNi0VV1oDWcvZEb4L+qJ8+
aKfg==
X-Gm-Message-State: AOAM531OqzyBBffy8FulT5TN6xRz6XayZ0R0oXCyImrkIYaufM4rsjtD
659d0BxFHe8auWlwqaOAxcka/f2EopgyR0CkAOBXs2sxa3o=
X-Google-Smtp-Source: ABdhPJyB46UW1k+m66/tc4ZWyvHbBfN5mRjSUiGD9XgRv9Tbgoq/vxZWDION6arVK5YhJfxt6og11tuCLVLXmh2HHzg=
X-Received: by 2002:a05:600c:b46:: with SMTP id
k6mr11608497wmr.45.1636132092243;
Fri, 05 Nov 2021 10:08:12 -0700 (PDT)
MIME-Version: 1.0
References: <4a14c16b-644f-ac40-7b3a-a1712c9aa3d2@isode.com>
<CAKHUCzwUZJOi0KsSYcyVjHHQkc8EaRHT6=59UhXc2EWDTUi00w@mail.gmail.com>
<dc5a6e3f-6024-0578-e417-7ebe589ccd3b@isode.com>
In-Reply-To: <dc5a6e3f-6024-0578-e417-7ebe589ccd3b@isode.com>
From: Dave Cridland <dave@cridland.net>
Date: Fri, 5 Nov 2021 17:08:01 +0000
Message-ID: <CAKHUCzwAV+gSX9dSTGM-W_NetPduGN9JRBU_+JPCJ3QoUTagjA@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>, Robbie Harwood <rharwood@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/COzPB_49jiYBsXNPtZLRYsompDA>
Subject: Re: [kitten] Requesting WG adoption of several SCRAM related
documents
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>,
<mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>,
<mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Nov 2021 17:08:20 -0000
Hi Alexey, On Fri, 5 Nov 2021 at 15:50, Alexey Melnikov <alexey.melnikov@isode.com> wrote: > > Dave, > > On 05/11/2021 15:41, Dave Cridland wrote: > > The obvious downside of the approach we took is that it requires > > changes to the SASL profiles of the application protocols - this is > > certainly undesirable. > > I like your approach of stacking mechanisms, but I fear this is going to > be a multi-year approach to implement and deploy. > > So yes, happy to work on this as well, but I am not happy to not work on > simpler/quicker ways to deploy 2FA with SCRAM that can be done in a > couple of months time. > OK, and I understand your motive for something rapidly deployable - but what about encapsulating the XEP-0388 SASL flow within another mechanism? This would mean a mechanism where the messages were: Client Send First: username, optional wrapped-mechname, optional client-send-first for wrapped-mechanism Server: wrapped-mechname, wrapped-exchange OR mechanisms-list Client: ... Server: ... Client: ... Server: success, optional success-data OR failure OR continue, optional success-data, task list [etc] That would mean you could wrap SCRAM within it and where TOTP was required by the server, it could force that and the UX flow would be as expected - thus functionally equivalent to your design but also more or less as easy to deploy (in as much as it could be written as a Cyrus SASL mechanism plugin I think - one that itself would then make mechanism calls). But it would also be equivalent in terms of SASL itself to XEP-0388, thus allowing TOTP to be used with PLAIN, and HOTP or even SMS codes to be used in lieu of TOTP (in principle). The only real change from yours is that there's an additional RTT involved for TOTP, but that's irrelevant when the user is having to fumble about for their phone anyway. If you're interested in exploring further I'm happy to describe this approach more formally (ie, put together an I-D). > > It could be side-stepped by providing a > > meta-mechanism, which in turn handled the enhanced exchange > > internally, but this is very much a compatibility layer and (I > > suspect) less efficient. In any case, XEP-0388 provides a better > > profile for XMPP for various unrelated reasons. > > Best Regards, > > Alexey >
- [kitten] Requesting WG adoption of several SCRAM … Alexey Melnikov
- Re: [kitten] Requesting WG adoption of several SC… Sam Whited
- Re: [kitten] Requesting WG adoption of several SC… Simon Josefsson
- Re: [kitten] Requesting WG adoption of several SC… Ruslan N. Marchenko
- Re: [kitten] Requesting WG adoption of several SC… Alexey Melnikov
- Re: [kitten] Requesting WG adoption of several SC… Robbie Harwood
- Re: [kitten] Requesting WG adoption of several SC… Simon Josefsson
- Re: [kitten] Requesting WG adoption of several SC… Sam Whited
- Re: [kitten] Requesting WG adoption of several SC… Alexey Melnikov
- Re: [kitten] Requesting WG adoption of several SC… Dave Cridland
- Re: [kitten] Requesting WG adoption of several SC… Alexey Melnikov
- Re: [kitten] Requesting WG adoption of several SC… Dave Cridland
- Re: [kitten] Requesting WG adoption of several SC… Alexey Melnikov
- Re: [kitten] Requesting WG adoption of several SC… Robbie Harwood
- Re: [kitten] Requesting WG adoption of several SC… Ruslan N. Marchenko
- Re: [kitten] Requesting WG adoption of several SC… Dave Cridland