[kitten] [Technical Errata Reported] RFC6616 (7074)

RFC Errata System <rfc-editor@rfc-editor.org> Sat, 06 August 2022 13:26 UTC

To: lear@cisco.com, Hannes.Tschofenig@gmx.net, hmauldin@cisco.com, simon@josefsson.org, rdd@cert.org, paul.wouters@aiven.io, alexey.melnikov@isode.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: me@dequbed.space, kitten@ietf.org, rfc-editor@rfc-editor.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/L2lIp8RybULsKZXWxS7uKXELHj8>

The following errata report has been submitted for RFC6616,
"A Simple Authentication and Security Layer (SASL) and Generic Security Service Application Program Interface (GSS-API) Mechanism for OpenID".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7074

--------------------------------------
Type: Technical
Reported by: Nadja Reitzenstein <me@dequbed.space>

Section: 2.1

Original Text
-------------
The nonce value MUST be at least 2^32 bits and large enough to 
handle well in excess of the number of concurrent transactions 
a SASL server shall see.

Corrected Text
--------------
The nonce value MUST be at least 32 bits and large enough to 
handle well in excess of the number of concurrent transactions 
a SASL server shall see.

Notes
-----
A nonce of 512MiB is rather excessive to be generated for every authenticating client.

As this nonce also has to be transported within the URI sent to both the SASL client and called by the OIDC IdP the Note in section 3.2.1 of RFC 2616 seems to apply:
"Servers ought to be cautious about depending on URI lengths above 255 bytes, because some older client or proxy implementations might not properly support these lengths."

A lower bound requirement of 32 bits for the nonce seems more appropriate; most platforms are able to efficiently handle 32-bit integers and it is still likely to prevent a brute-force attack given the HTTP request overhead.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC6616 (draft-ietf-kitten-sasl-openid-08)
--------------------------------------
Title               : A Simple Authentication and Security Layer (SASL) and Generic Security Service Application Program Interface (GSS-API) Mechanism for OpenID
Publication Date    : May 2012
Author(s)           : E. Lear, H. Tschofenig, H. Mauldin, S. Josefsson
Category            : PROPOSED STANDARD
Source              : Common Authentication Technology Next Generation
Area                : Security
Stream              : IETF
Verifying Party     : IESG
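The arithmetic behind the report's objection, as an added illustration that is not part of the errata report or of RFC 6616: octet and URI-encoded lengths of a nonce of a given bit size (the 2^32-bit reading versus 32 bits), a CSPRNG nonce generator, and how much nonce fits inside the 255-byte URI caution the report quotes. The return URI shape and host are constructed assumptions, not the mechanism's actual format.

```python
import base64
import secrets
from urllib.parse import urlencode

# RFC 2616 section 3.2.1 guidance quoted in the report: be cautious above 255 bytes.
URI_LENGTH_CAUTION = 255


def nonce_bytes_for_bits(bits: int) -> int:
    """Smallest whole number of octets that holds `bits` bits of nonce."""
    return (bits + 7) // 8


def encoded_nonce_length(bits: int) -> int:
    """Length of the nonce as unpadded base64url text, i.e. as it would sit in a URI.

    Unpadded base64 turns n octets into ceil(8n / 6) characters."""
    n = nonce_bytes_for_bits(bits)
    return (n * 8 + 5) // 6


def generate_nonce(bits: int) -> str:
    """Fresh nonce of `bits` bits from the OS CSPRNG, base64url without padding."""
    raw = secrets.token_bytes(nonce_bytes_for_bits(bits))
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_return_uri(base: str, nonce: str) -> str:
    """Constructed return URI carrying the nonce as a query parameter (assumed shape).

    base64url characters are all URL-unreserved, so urlencode leaves the length alone."""
    return f"{base}?{urlencode({'nonce': nonce})}"


def exceeds_uri_caution(uri: str) -> bool:
    """True when the URI is longer than the 255-byte caution threshold."""
    return len(uri.encode("ascii")) > URI_LENGTH_CAUTION


def max_nonce_bits_within_caution(base: str) -> int:
    """Largest nonce (whole octets, reported in bits) whose base64url form keeps
    the return URI within the caution threshold for this base URI."""
    overhead = len(build_return_uri(base, "").encode("ascii"))
    budget = URI_LENGTH_CAUTION - overhead
    if budget <= 0:
        return 0
    # An unpadded base64 string of length L encodes at most floor(6L / 8) octets.
    return (budget * 6 // 8) * 8
```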