Re: [kitten] Fwd: I-D Action: draft-melnikov-scram-2fa-00.txt

Alexey Melnikov <alexey.melnikov@isode.com> Thu, 19 March 2020 16:24 UTC

To: Florian Schmaus <flo@geekplace.eu>, kitten@ietf.org
References: <158462386052.13384.7911173297625270492@ietfa.amsl.com> <1330abb0-f0ae-3399-0486-4d7f7ff63267@isode.com> <7b8fc0af-a0e4-6c13-8bcd-da6be3b70cc6@geekplace.eu>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <2a4d603c-7538-01e5-9e65-58ae6052b9ef@isode.com>
Date: Thu, 19 Mar 2020 16:24:17 +0000
In-Reply-To: <7b8fc0af-a0e4-6c13-8bcd-da6be3b70cc6@geekplace.eu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/Uk8FJpU5b1-6NzJ96O0E9hfCxnw>
Subject: Re: [kitten] Fwd: I-D Action: draft-melnikov-scram-2fa-00.txt

Hi Florian,

On 19/03/2020 13:53, Florian Schmaus wrote:
> On 3/19/20 2:25 PM, Alexey Melnikov wrote:
>> Hi all,
>>
>> As I had various conversations with people saying that SASL doesn't
>> support 2 factor authentication, I posted a short draft which shows how
>> to add 2 factor authentication to SCRAM. This is mostly a proof of
>> concept and I am planning to work on another draft explaining how to do
>> the same for SASL OAUTH.
>>
>> (If I remember correctly I also talked to Dave Cridland about doing a
>> more generic extension to the SASL framework itself by allowing
>> protocols to invoke multiple SASL mechanisms in a sequence and achieving
>> 2FA that way. I would be interested in developing this concept as well,
>> but it would take longer than just extending some existing SASL mechanisms.)
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-melnikov-scram-2fa/
>>
>> If people can have a look and provide feedback, that would be much
>> appreciated.
> How does the client discover that the SCRAM 2FA extension is required?
> Is it encoded in the SASL mechanism name, akin to SCRAM -PLUS?

It could be done this way.

I was also thinking about not introducing new SASL mechanism names and
just adding a mandatory attribute in the first message from the server to
the client.

If you have an opinion on these options, please let me know.

Best Regards,

Alexey
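The two discovery options discussed above (a mechanism-name suffix like -PLUS, or a mandatory attribute in server-first-message), worked through as an added Python example that is not part of this thread or of the draft. It assumes the mandatory attribute is the `m` attribute RFC 5802 reserves for extensions, and the extension name "2fa", the nonce and the salt are constructed placeholders, not the draft's actual encoding.

```python
from typing import Dict, List, Set, Tuple

def parse_scram_message(msg: str) -> Dict[str, str]:
    """Split an RFC 5802 message ("a=1,b=2,...") into an attribute dict."""
    attrs: Dict[str, str] = {}
    for field in msg.split(","):
        if len(field) < 2 or field[1] != "=":
            raise ValueError(f"malformed SCRAM attribute: {field!r}")
        if field[0] in attrs:
            raise ValueError(f"duplicate attribute {field[0]!r}")
        attrs[field[0]] = field[2:]  # values may themselves contain '=' (base64 salt)
    return attrs

def select_mechanism(offered: List[str], preferred: List[str]) -> str:
    """Option 1: discovery through the mechanism name, the way -PLUS works.
    'preferred' is the client's own list, strongest variant first."""
    for name in preferred:
        if name in offered:
            return name
    raise ValueError("no mutually supported SASL mechanism")

def client_accepts_server_first(server_first: str,
                                client_extensions: Set[str]) -> Tuple[bool, str]:
    """Option 2: a mandatory extension carried in server-first-message.
    RFC 5802 reserves the 'm' attribute for this: a client that does not
    understand the named extension must fail the exchange rather than
    silently continue without the second factor."""
    try:
        attrs = parse_scram_message(server_first)
    except ValueError as exc:
        return False, str(exc)
    for required in ("r", "s", "i"):  # nonce, salt, iteration count
        if required not in attrs:
            return False, f"server-first-message lacks {required}="
    if not attrs["i"].isdigit():
        return False, "iteration count is not a number"
    mext = attrs.get("m")
    if mext is not None and mext not in client_extensions:
        return False, f"server requires unsupported extension {mext!r}"
    return True, "ok"

# Constructed sample: "2fa", the nonce and the salt are placeholders.
SERVER_FIRST_2FA = "m=2fa,r=clientnonce1servernonce1,s=c2FsdHNhbHQ=,i=4096"

if __name__ == "__main__":
    print(select_mechanism(["SCRAM-SHA-256", "SCRAM-SHA-256-PLUS"],
                           ["SCRAM-SHA-256-PLUS", "SCRAM-SHA-256"]))
    print(client_accepts_server_first(SERVER_FIRST_2FA, set()))     # legacy client aborts
    print(client_accepts_server_first(SERVER_FIRST_2FA, {"2fa"}))   # upgraded client proceeds
```

With option 2 a client that predates the extension stops at server-first-message, so the second factor cannot be skipped by an old client; with option 1 the same guarantee depends on the server not offering the plain mechanism alongside the new name.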