Re: [kitten] I-D: Best practices for password hashing and storage

Dave Cridland <dave@cridland.net> Thu, 30 April 2020 10:51 UTC

To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Sam Whited <sam@samwhited.com>, KITTEN Working Group <kitten@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/UvvlYoAsd4ChqIkzuFnxBW71X24>

A tiny bit of background:

https://xmpp.org/extensions/inbox/password-storage.html was submitted to
the XMPP Standards Foundation [think somewhere between an I-D publication
and a WG adoption request], and while the Council [WG chair/IESG] is happy
to accept it, pretty much everyone seems to agree that if this can go
through IETF/KITTEN instead, it'll be a better document for it.

But everything else that's taken this route has sunk without trace, so
we're likely to publish the XEP (as Experimental - akin to WG I-D) anyway,
and then we can retract it if it actually does take root here. At least on
my part, this is an intentional policy change to ensure that the document
is reviewed and published *somewhere*. Previously I have tended to block
these kinds of documents and force them to the IETF (and KITTEN). As a
result we have (for example) multiple SASL mechanism proposals
effectively dead in the water, and so expediency somewhat forces this
dual-publication approach.

There are a number of people interested in this document in the XSF, but
previous attempts having failed, we will have to spend some effort to
encourage people from the XSF to come here and participate. I personally
think that would be effort well-spent.

Thanks,

Dave.

On Thu, 30 Apr 2020 at 04:14, Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Wed, Apr 29, 2020 at 05:37:06PM -0400, Sam Whited wrote:
> > On Wed, Apr 29, 2020, at 12:15, Robbie Harwood wrote:
> > > In order for adoption to occur, I'd like to see expressed interest
> > > from multiple folks in the WG (and a formal call for adoption).
> >
> > That sounds good; how does that normally happen? Should I start hounding
> > people, or is this email sufficient? (/cc Dave Cridland who I think is
> > involved and who encouraged me to submit this I-D).
>
> I would probably give the original mail a week or so bake time and see what
> response it elicits before going out of your way to get further review.
> That said, if you know of people who would be interested but are not on
> this list, by all means invite them to comment here.
>
> -Ben