Re: [kitten] Requesting WG adoption of several SCRAM related documents

Sam Whited <sam@samwhited.com> Thu, 04 November 2021 12:06 UTC

To: "KITTEN Working Group" <kitten@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/E07ARSH4LZp68QWUUEsp9HOhyaI>

Having reconsidered this in light of some of these comments, I think I
agree in terms of SCRAM-SHA-512 and SCRAM-SHA3. While I'm certainly not
*against* publishing these mechanisms (as I mentioned, I have
implemented them and used them already in some places) I do think
SCRAM-SHA-256, for example, is likely strong enough for now. It doesn't
show any signs of weakness, so we might want to focus on a mechanism that has its
own hash/CB negotiation instead and is extensible enough to add 2FA
later (or whatever other requirements this group comes up with: better
hash agility comes to mind). I suppose I've changed to being neutral on
publishing the new SCRAM mechanisms.

As for the 2FA document I think that represents something that's missing
from *current* mechanisms and should likely move forward. If we were to
focus on new mechanisms that could implement 2FA I think we'd be doing a
disservice to existing SASL/SCRAM users who may not be able to evaluate
and update to a new mechanism, but may be able to add 2FA to their
existing setup more quickly.

—Sam

On Wed, Nov 3, 2021, at 16:31, Simon Josefsson wrote:
> On 3 Nov 2021 at 17:43, Robbie Harwood <rharwood@redhat.com> wrote:
>>
>> Simon Josefsson <simon@josefsson.org> writes:
>>
>>> Hi.  I'm not strongly opposed to these work items, but I do feel
>>> publishing these documents without addressing high-level concerns
>>> has a risk of causing problems during deployment.  I think the WG
>>> should understand and consider the implication before adopting the
>>> documents - maybe there is alternative work that needs to happen
>>> before/instead.
>>
>> Hi Simon, do you have any further thoughts on this in light of
>> Ruslan's and Alexey's comments in reply?
>
> No.  I agree with the replies, and haven’t changed my opinion.
> I’d rather see work on addressing the problems that were brought
> up, or stronger mechanisms, instead. But things aren’t a zero-sum
> game, so if enough people want these drafts published, that’s what
> will happen.
>
> /Simon

-- 
Sam Whited