Re: [kitten] [Technical Errata Reported] RFC6616 (7074)
Simon Josefsson <simon@josefsson.org> Sat, 06 August 2022 14:05 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3F27C14F74F; Sat, 6 Aug 2022 07:05:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=josefsson.org header.b=L2e3hktl; dkim=pass (2736-bit key) header.d=josefsson.org header.b=uj/q5iNI
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WIsSe1UXfkql; Sat, 6 Aug 2022 07:05:15 -0700 (PDT)
Received: from uggla.sjd.se (uggla.sjd.se [IPv6:2001:9b1:8633::107]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82496C14F74E; Sat, 6 Aug 2022 07:05:14 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=ed2110; h=Content-Type:MIME-Version:Message-ID:In-Reply-To :Date:References:Subject:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding :Content-ID:Content-Description; bh=jovUhjVfIUFtEwUMWXR4i8zLqDA6p3OwLmCB1SYBkaY=; t=1659794714; x=1661004314; b=L2e3hktl29hFz/zsIBFJb6q2yq07/N9mVLrTzu4Rm/oq5Ic4C3BhubbFdyg5JZdfZ5axpTQjGDy bibkkvr3qCA==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=rsa2110; h=Content-Type:MIME-Version:Message-ID: In-Reply-To:Date:References:Subject:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=jovUhjVfIUFtEwUMWXR4i8zLqDA6p3OwLmCB1SYBkaY=; t=1659794714; x=1661004314; b=uj/q5iNIdNW0zKFMkYBLH582fVb9tm7BQcMOFMFMldB1D1CFKkuWjM2f6xZ0j7XLQmmKMnDwou8 rb04vlZqRZczDEQmYIypYRztxlNK3YGXFwrHsATjVZedIFV/lKSPoYbRlIKnbKc1VBvLzxbYRZ7en s6HzvJGUeZGXuDyc6X6tydECNU/bVcxQqFNT0oOGuS32pLaYMbsL5kswaRNDFVnAPZVm5dnw4/1yt A/l+Wx/Z+vWotBxwdUnopDz1BcEjpmBgMbop4pmnxqAIJVvlqsmT0lIqQO4WJnwm1eKF+bjJKwhms P/quNnxuKNaZ5YmEydNV7LuaZFvF72KIw+ps5CMsRfuhzBqhFE4n210GcyEhhSMCBUpwDlxzOOIvL 6HuF54EVUyZxZCYbGEIAyz7Q/cpVmYum7m+Niy7fvOgubJEcK55AOVSiJIozguCtAac/2yUGd;
Received: from [2001:9b1:41ac:ff00:e0bc:1189:b201:8631] (port=37590 helo=latte) by uggla.sjd.se with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <simon@josefsson.org>) id 1oKKQL-00BWia-Lk; Sat, 06 Aug 2022 16:05:04 +0200
From: Simon Josefsson <simon@josefsson.org>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: lear@cisco.com, Hannes.Tschofenig@gmx.net, hmauldin@cisco.com, rdd@cert.org, paul.wouters@aiven.io, alexey.melnikov@isode.com, me@dequbed.space, kitten@ietf.org
References: <20220806132612.AFB8C119FC@rfcpa.amsl.com>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt
X-Hashcash: 1:22:220806:hmauldin@cisco.com::3BoPZ6Ld84NqjiSU:7p5
X-Hashcash: 1:22:220806:lear@cisco.com::k8js53df3Ffyfpmm:KCP
X-Hashcash: 1:22:220806:rdd@cert.org::PCRIspHauhjl2kLx:7l3w
X-Hashcash: 1:22:220806:rfc-editor@rfc-editor.org::ZfAuyBm2pwFjKPcp:5o+5
X-Hashcash: 1:22:220806:kitten@ietf.org::OIBuycE+c4FnsJTi:ObNZ
X-Hashcash: 1:22:220806:paul.wouters@aiven.io::a+XAoF0bCoAk1xyr:FWdv
X-Hashcash: 1:22:220806:me@dequbed.space::RqOwzEezN0wWpzaw:Uhiu
X-Hashcash: 1:22:220806:hannes.tschofenig@gmx.net::idfbMBp4eo8s1cfL:XHJ7
X-Hashcash: 1:22:220806:alexey.melnikov@isode.com::nJGCopLgliX+DQQk:aH4m
Date: Sat, 06 Aug 2022 16:05:03 +0200
In-Reply-To: <20220806132612.AFB8C119FC@rfcpa.amsl.com> (RFC Errata System's message of "Sat, 6 Aug 2022 06:26:12 -0700 (PDT)")
Message-ID: <87iln5tqls.fsf@latte.josefsson.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/SHEfj-OZlpN1RFZ994mTjacMJMs>
Subject: Re: [kitten] [Technical Errata Reported] RFC6616 (7074)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Aug 2022 14:05:21 -0000
I agree. /Simon RFC Errata System <rfc-editor@rfc-editor.org> writes: > The following errata report has been submitted for RFC6616, > "A Simple Authentication and Security Layer (SASL) and Generic > Security Service Application Program Interface (GSS-API) Mechanism for > OpenID". > > -------------------------------------- > You may review the report below and at: > https://www.rfc-editor.org/errata/eid7074 > > -------------------------------------- > Type: Technical > Reported by: Nadja Reitzenstein <me@dequbed.space> > > Section: 2.1 > > Original Text > ------------- > The nonce value MUST be at least 2^32 bits and large enough to > handle well in excess of the number of concurrent transactions > a SASL server shall see. > > Corrected Text > -------------- > The nonce value MUST be at least 32 bits and large enough to > handle well in excess of the number of concurrent transactions > a SASL server shall see. > > Notes > ----- > A nonce of 512MiB is rather excessive to be generated for every authenticating client. > > As this nonce also has to be transported within the URI sent to both > the SASL client and called by the OIDC IdP the Note in section 3.2.1 > of RFC 2616 seems to apply: > "Servers ought to be cautious about depending on URI lengths above 255 > bytes, because some older client or proxy implementations might not > properly support these lengths." > > A lower bound requirement of 32 bits for the nonce seems more > appropiate; most platforms are able to efficiently handle 32-bit > integers and is still likely to prevent a brute-force attack given the > HTTP request overhead. > > Instructions: > ------------- > This erratum is currently posted as "Reported". If necessary, please > use "Reply All" to discuss whether it should be verified or > rejected. When a decision is reached, the verifying party > can log in to change the status and edit the report, if necessary. > > -------------------------------------- > RFC6616 (draft-ietf-kitten-sasl-openid-08) > -------------------------------------- > Title : A Simple Authentication and Security Layer (SASL) and Generic > Security Service Application Program Interface (GSS-API) Mechanism for > OpenID > Publication Date : May 2012 > Author(s) : E. Lear, H. Tschofenig, H. Mauldin, S. Josefsson > Category : PROPOSED STANDARD > Source : Common Authentication Technology Next Generation > Area : Security > Stream : IETF > Verifying Party : IESG
- [kitten] [Technical Errata Reported] RFC6616 (707… RFC Errata System
- Re: [kitten] [Technical Errata Reported] RFC6616 … Simon Josefsson