Re: [kitten] Comments on draft-ietf-kitten-password-storage-04
Jim Fenton <fenton@bluepopcorn.net> Tue, 06 April 2021 03:01 UTC
From: "Jim Fenton" <fenton@bluepopcorn.net>
To: "Sam Whited" <sam@samwhited.com>
Cc: "KITTEN Working Group" <kitten@ietf.org>
Date: Mon, 05 Apr 2021 20:01:34 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/MHX7POUsSGYOIl2gyi71qKMwplM>
On 1 Apr 2021, at 14:02, Sam Whited wrote:

> Thank you for your feedback! I think I have addressed all of these
> issues (and will upload a new version soon) except for:
>
> On Sat, Mar 20, 2021, at 20:31, Jim Fenton wrote:
>> 4.1: I’m concerned that the MUST NOT here conflicts with the SHOULD
>> NOT regarding OBSOLETE and LIMITED mechanisms in Section 2. Of
>> course, MD5 is not an SASL mechanism per se, and “support any
>> mechanism” in this context may not necessarily mean an SASL
>> mechanism, but I still found this vaguely confusing.
>
> I thought of this as just further refining the guidance from section 2.
> You SHOULD NOT use anything from a specific list, and MUST NOT use
> anything that meets these criteria (which may include things that are on
> the list and things that aren't). However, perhaps the SHOULD NOT in
> section 2 should become a MUST NOT? Re-reading it I'm not sure why I put
> SHOULD NOT there.

I haven’t looked at the specific mechanisms that might be marked OBSOLETE
or LIMITED, but making that a MUST NOT would ensure that there aren’t
conflicting requirements. If you do want to have one requirement refine
the other, it would be better to put them together and connect them with
an “and”.

>> 5.2: Bcrypt is no longer the current (top) OWASP recommendation.
>
> Interestingly, I had argon2id as the top recommendation in an
> earlier draft of this document then they changed it back to bcrypt.
> I'll swap it back.

More generally, it’s probably not a good idea to cite the “current OWASP
recommendation”, because that will probably change over time, while the
RFC resulting from this draft won’t.

>> 7: Suggest saying something about Unicode characters and password
>> length
>
> Good idea. I updated this to suggest counting grapheme clusters,
> which I believe is going to be better than counting scalar values,
> but I'm not sure that it's ideal either. Many languages probably
> don't have an implementation of the segmentation algorithm, and it
> adds a lot of complexity to calculating password lengths. Other
> suggestions welcome. Because of the uncertainty I did not use any
> normative language here for now.
>
> I also couldn't find an existing reference for Unicode Standard Annex
> reports. Is there a bibliography somewhere that includes these which I
> could reference instead of making up a new ref?

There’s a reference at
https://pages.nist.gov/800-63-3/sp800-63b.html#ISOIEC10646 but I see
that it no longer works. I’ll look around for a better one.

-Jim
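The grapheme-cluster question raised in the exchange above, as an added worked example that is not part of the thread or of the draft: the same password measured in UTF-8 bytes, Unicode scalar values and grapheme clusters, with a length check that applies the minimum to what the user perceives and the maximum to what the hash function receives. The grapheme counter is a deliberately simplified approximation of UAX #29 (combining marks, ZWJ sequences, variation selectors, skin-tone modifiers, flag pairs, CR LF) written here because the standard library has no segmentation routine; the policy constants MIN_GRAPHEMES and MAX_BYTES are assumed values for illustration only.

```python
import unicodedata
ZWJ = "\u200d"

def _is_regional_indicator(ch):
    return "\U0001F1E6" <= ch <= "\U0001F1FF"

def _extends_previous(prev, ch):
    """Approximation of the UAX #29 extend rules: does ch join prev's cluster?"""
    if prev == "\r" and ch == "\n":                       # CR LF is one cluster
        return True
    if unicodedata.category(ch).startswith("M"):          # combining marks (Mn/Mc/Me)
        return True
    if ch == ZWJ or prev == ZWJ:                          # ZWJ emoji sequences
        return True
    # variation selectors and emoji skin-tone modifiers
    return "\ufe00" <= ch <= "\ufe0f" or "\U0001F3FB" <= ch <= "\U0001F3FF"

def count_graphemes(s):
    """Count extended grapheme clusters; approximate, without the full UAX #29 tables."""
    clusters, prev, ri_run = 0, "", 0
    for ch in s:
        if _is_regional_indicator(ch) and ri_run == 1:
            ri_run = 2                                    # second indicator completes a flag
        elif _extends_previous(prev, ch):
            pass                                          # joins the current cluster
        else:
            clusters += 1
            ri_run = 1 if _is_regional_indicator(ch) else 0
        prev = ch
    return clusters

def password_lengths(pw):
    """The same password measured three ways; the counts diverge for non-ASCII input."""
    return {"bytes": len(pw.encode("utf-8")), "scalars": len(pw),
            "graphemes": count_graphemes(pw)}

# Assumed policy values for illustration (not from the draft): user-facing minimum in
# grapheme clusters, storage-facing maximum in UTF-8 bytes.
MIN_GRAPHEMES = 8
MAX_BYTES = 64

def check_length(pw):
    """Return (ok, reason): minimum judged on what the user sees, maximum on what the hash sees."""
    n = password_lengths(pw)
    if n["graphemes"] < MIN_GRAPHEMES:
        return False, "too short: %d grapheme clusters" % n["graphemes"]
    if n["bytes"] > MAX_BYTES:
        return False, "too long: %d bytes" % n["bytes"]
    return True, "ok"
```

A decomposed "pa\u0308sswo\u0308rd" and a precomposed "p\u00e4ssw\u00f6rd" give the same grapheme count but different scalar and byte counts, which is exactly why the unit chosen for the limit matters.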