Re: [kitten] Requesting WG adoption of several SCRAM related documents

Dave Cridland <dave@cridland.net> Fri, 05 November 2021 17:08 UTC

Return-Path: <dave@cridland.net>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F04483A125C for <kitten@ietfa.amsl.com>; Fri, 5 Nov 2021 10:08:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cridland.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EWiE263D99C8 for <kitten@ietfa.amsl.com>; Fri, 5 Nov 2021 10:08:15 -0700 (PDT)
Received: from mail-wm1-x335.google.com (mail-wm1-x335.google.com [IPv6:2a00:1450:4864:20::335]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F4D13A1256 for <kitten@ietf.org>; Fri, 5 Nov 2021 10:08:15 -0700 (PDT)
Received: by mail-wm1-x335.google.com with SMTP id 67-20020a1c1946000000b0030d4c90fa87so6903926wmz.2 for <kitten@ietf.org>; Fri, 05 Nov 2021 10:08:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cridland.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nS1/wYygz/X4KpSKKzfa5qOOUmPtgEi386TwUw2yuFU=; b=VgcjanbTrFF6ezjDnTwa/7iT3AqEudiL62wWW/QqBKvgHP7rwzy+YAef40W27uWjl/ 5q1KHB5zKhQgxiSJN512zomlDXxnB5qRoTuINzdttBXrWW82jtlmLrerCDYGjn3QB/N/ rSZCBybOHvhLVyqZSBZRQf8AE5vU4Q0I5aUoA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nS1/wYygz/X4KpSKKzfa5qOOUmPtgEi386TwUw2yuFU=; b=U3YPfKn2anhGvVDBENQ03xPwCWyfPeDA9h97Cjr8ufh9dWljv8SuKBJq9PhNO1FfCZ WNNkjfPvAV30LEhs0fXqf7ERIOG5xx9qbCoM5vvwsgV/qHzg8Ws9aUPww6U65CyysTQy Wlg0/7UBYrmIGrJOVIfo63VytLyy51hPRXq711NlWDFskkZG9Vjvu3DJV7QDh6FedLOj UXPM0P/sMRqyEfbKNkAS+vIHrv76/mWk+wJZGSqFdB+Kk9E+WGJk21pTDUyBR19f5vQV ofxz2TTeh4/5J+N3D/mPjRZOFe4z0Dzhvt41hPYvSjWJwTpNi0VV1oDWcvZEb4L+qJ8+ aKfg==
X-Gm-Message-State: AOAM531OqzyBBffy8FulT5TN6xRz6XayZ0R0oXCyImrkIYaufM4rsjtD 659d0BxFHe8auWlwqaOAxcka/f2EopgyR0CkAOBXs2sxa3o=
X-Google-Smtp-Source: ABdhPJyB46UW1k+m66/tc4ZWyvHbBfN5mRjSUiGD9XgRv9Tbgoq/vxZWDION6arVK5YhJfxt6og11tuCLVLXmh2HHzg=
X-Received: by 2002:a05:600c:b46:: with SMTP id k6mr11608497wmr.45.1636132092243; Fri, 05 Nov 2021 10:08:12 -0700 (PDT)
MIME-Version: 1.0
References: <4a14c16b-644f-ac40-7b3a-a1712c9aa3d2@isode.com> <CAKHUCzwUZJOi0KsSYcyVjHHQkc8EaRHT6=59UhXc2EWDTUi00w@mail.gmail.com> <dc5a6e3f-6024-0578-e417-7ebe589ccd3b@isode.com>
In-Reply-To: <dc5a6e3f-6024-0578-e417-7ebe589ccd3b@isode.com>
From: Dave Cridland <dave@cridland.net>
Date: Fri, 5 Nov 2021 17:08:01 +0000
Message-ID: <CAKHUCzwAV+gSX9dSTGM-W_NetPduGN9JRBU_+JPCJ3QoUTagjA@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>, Robbie Harwood <rharwood@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/COzPB_49jiYBsXNPtZLRYsompDA>
Subject: Re: [kitten] Requesting WG adoption of several SCRAM related documents
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Nov 2021 17:08:20 -0000

Hi Alexey,

On Fri, 5 Nov 2021 at 15:50, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
>
> Dave,
>
> On 05/11/2021 15:41, Dave Cridland wrote:
> > The obvious downside of the approach we took is that it requires
> > changes to the SASL profiles of the application protocols - this is
> > certainly undesirable.
>
> I like your approach of stacking mechanisms, but I fear this is going to
> be a multi-year approach to implement and deploy.
>
> So yes, happy to work on this as well, but I am not happy to not work on
> simpler/quicker ways to deploy 2FA with SCRAM that can be done in a
> couple of months time.
>

OK, and I understand your motive for something rapidly deployable -
but what about encapsulating the XEP-0388 SASL flow within another
mechanism?

This would mean a mechanism where the messages were:

Client Send First: username, optional wrapped-mechname, optional
client-send-first for wrapped-mechanism
Server: wrapped-mechname, wrapped-exchange OR mechanisms-list
Client: ...
Server: ...
Client: ...
Server: success, optional success-data OR failure OR continue,
optional success-data, task list

[etc]

That would mean you could wrap SCRAM within it and where TOTP was
required by the server, it could force that and the UX flow would be
as expected - thus functionally equivalent to your design but also
more or less as easy to deploy (in as much as it could be written as a
Cyrus SASL mechanism plugin I think - one that itself would then make
mechanism calls).

But it would also be equivalent in terms of SASL itself to XEP-0388,
thus allowing TOTP to be used with PLAIN, and HOTP or even SMS codes
to be used in lieu of TOTP (in principle).

The only real change from yours is that there's an additional RTT
involved for TOTP, but that's irrelevant when the user is having to
fumble about for their phone anyway.

If you're interested in exploring further I'm happy to describe this
approach more formally (ie, put together an I-D).

> > It could be side-stepped by providing a
> > meta-mechanism, which in turn handled the enhanced exchange
> > internally, but this is very much a compatibility layer and (I
> > suspect) less efficient. In any case, XEP-0388 provides a better
> > profile for XMPP for various unrelated reasons.
>
> Best Regards,
>
> Alexey
>