Re: [kitten] Register too long SASL mechs?
Simon Josefsson <simon@josefsson.org> Wed, 26 May 2021 17:13 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id A9A613A0C88;
Wed, 26 May 2021 10:13:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001,
URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral
reason="invalid (unsupported algorithm ed25519-sha256)"
header.d=josefsson.org header.b=b8uuv5B+; dkim=pass (2736-bit key)
header.d=josefsson.org header.b=upd/426C
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id tEj0PyH6EubE; Wed, 26 May 2021 10:13:14 -0700 (PDT)
Received: from uggla.sjd.se (uggla.sjd.se [IPv6:2001:9b1:8633::107])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id A77253A0C82;
Wed, 26 May 2021 10:13:13 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed;
d=josefsson.org; s=ed2101; h=Content-Type:MIME-Version:Message-ID:In-Reply-To
:Date:References:Subject:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding
:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=TOrJ14l3OSLpm6XOHTx7dj7qX9yEOcSeOHdxMPSlCXM=; t=1622049193; x=1623258793;
b=b8uuv5B+xtQceTrK2Z1RV5JH6Yg4RysOk26hF4UkWtUCbR5iWQG7ODitUTnWYfa0eyBnBqQ8rk
DUETxVyD4QDw==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=josefsson.org; s=rsa2101; h=Content-Type:MIME-Version:Message-ID:
In-Reply-To:Date:References:Subject:Cc:To:From:Sender:Reply-To:
Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
bh=TOrJ14l3OSLpm6XOHTx7dj7qX9yEOcSeOHdxMPSlCXM=; t=1622049193; x=1623258793;
b=upd/426C0GC8rRdU8tRMfLSXwIo3g8aP4Go100o+VkmjVmqPFC6ST2szN047pxMnCf0gMSq2PZ
MhsHAPKlsOMmWfa+L4sRAnU5Eswi39yQireWqCVtMEVflr5JLejAXE22Ot7vKRYn9v41OVIpVoKr7
klC4EjHWdSi+pLQMIgHpquU8BT3gvnoO+SMJeSBOpvVnm+HoDbSYbUbVirb5tAxuffLvFZbwuT5Xs
6HaMEzTAENbPE14/UcPw783IJhFT4cBGWHzsa6NUUP0/8vxsMl5uhF1XcDLtxfxJH+0sXTbJEX7Rr
USKYCO2gYJAxPCr2dTzACxMZ9WbkqedVCYihNyQqEGmldP5fVw1Pr+qO64gTFvAV8rDL/iMUqLHBU
XPEbBAjNmLINzGxPzIYVhaCAg7pi8+XLFBHiqBSN//qtqJ/5Rd7YIBZP1yCALVvQHLdH2RnAdD
;
Received: from [2001:9b1:41ac:ff00:8936:9e30:3f84:63a6] (port=45486 helo=latte)
by uggla.sjd.se with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.92) (envelope-from <simon@josefsson.org>)
id 1llx5f-0000LU-5Z; Wed, 26 May 2021 17:13:07 +0000
From: Simon Josefsson <simon@josefsson.org>
To: Simo Sorce <simo@redhat.com>
Cc: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>, kitten@ietf.org
References: <87im35a9mi.fsf@latte.josefsson.org>
<8b6082df6e3fc913a0ea1cc3ae31350cc81b8738.camel@redhat.com>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE;
url=https://josefsson.org/key-20190320.txt
X-Hashcash: 1:22:210526:kitten@ietf.org::iUExL5Eqmnpw3YJs:0myK
X-Hashcash: 1:22:210526:simon=40josefsson.org@dmarc.ietf.org::h4bkCc1woxsykKKe:0yMx
X-Hashcash: 1:22:210526:simo@redhat.com::a93+ZykdfyqIbfkj:Fw/4
Date: Wed, 26 May 2021 19:13:06 +0200
In-Reply-To: <8b6082df6e3fc913a0ea1cc3ae31350cc81b8738.camel@redhat.com> (Simo
Sorce's message of "Wed, 26 May 2021 12:39:49 -0400")
Message-ID: <875yz5a065.fsf@latte.josefsson.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/YUKRr_C1RBD42rQQzQ01r1D7-6U>
Subject: Re: [kitten] Register too long SASL mechs?
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>,
<mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>,
<mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 May 2021 17:13:21 -0000
Simo Sorce <simo@redhat.com> writes: > On Wed, 2021-05-26 at 15:48 +0200, Simon Josefsson wrote: >> Hi! There is a request to register the ECDH-X25519-CHALLENGE and >> ECDSA-NIST256P-CHALLENGE mechanism names in the IANA SASL registry. The >> policy is First Come First Serve, so there is no real requirement of a >> standard or anything, however the names are longer than the 20 character >> limit imposed by RFC 4422. Supposedly these are already deployed and >> have been used in the wild for a couple of years already. >> >> Some references: >> https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml >> https://github.com/atheme/atheme/blob/master/modules/saslserv/ecdh-x25519-challenge.c >> https://github.com/kaniini/ecdsatool#mechanism-spec >> >> As far as I can see, we have some options: >> >> 1) Just let IANA register these names even if they are non-compliant. >> >> 2) Don't formally register them but mention them on the IANA page to >> avoid any interop problems and allowing people to find out what these >> are. >> >> 3) Refuse registration since tey are non-compliant. >> >> I prefer 2) but could live with 1) as well. I don't think it is in the >> best interest of anybody that registration is refused on technicalities. >> Maybe this post is sufficient to make relevant parties aware of what is >> happening, and IANA can continue with 1). >> >> Thoughts? >> >> Pursuing standardization, or publishing a stable specification, of the >> mechanisms is orthogonal to registration, but would be useful. > > Is there any risk that using those names can cause issues to an > implementation that conforms to RFC 4422 ? Any implementation that don't support them would reject them as unknown/invalid. If it causes a vulnerability, that should be fixed anyway. So, no, not really, as far as I can see. My biggest concern is that if we register them formally, we introduce an inconsistency with RFC 4422, and should there ever be an RFC describing them, that ought to extend RFC 4422 to increase permitted length and I'm not sure that is a good idea. IANA suggested that we can add a 'Note:' section to the registry where these mechanisms are mentioned, including that they don't conform to the particular format imposed by RFC 4422. /Simon
- [kitten] Register too long SASL mechs? Simon Josefsson
- Re: [kitten] Register too long SASL mechs? Simo Sorce
- Re: [kitten] Register too long SASL mechs? Simon Josefsson
- Re: [kitten] Register too long SASL mechs? Robbie Harwood
- Re: [kitten] Register too long SASL mechs? Alexey Melnikov
- Re: [kitten] Register too long SASL mechs? Simo Sorce
- Re: [kitten] Register too long SASL mechs? Jeffrey Altman
- Re: [kitten] Register too long SASL mechs? Simon Josefsson
- Re: [kitten] Register too long SASL mechs? David Lloyd