IETF Logo Mail Archive

Re: [kitten] Register too long SASL mechs?

Simo Sorce <simo@redhat.com> Thu, 27 May 2021 13:31 UTC

Return-Path: <simo@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38AC73A0B8C for <kitten@ietfa.amsl.com>; Thu, 27 May 2021 06:31:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.794
X-Spam-Level:
X-Spam-Status: No, score=-2.794 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZCbI8x2cq9Df for <kitten@ietfa.amsl.com>; Thu, 27 May 2021 06:31:37 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B77973A0B8B for <kitten@ietf.org>; Thu, 27 May 2021 06:31:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1622122296; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=CwQvG3NFAfR6RLBaK/e3dodexsgSiExZzeAQn5Auxao=; b=D7OdBeHMgV6iETWayIuOTqgiDShXunR0XsVtmTdSMajqh3CIvpanMKgpLhxZnFPAIvTiB7 A3DD0uUkDoIV+i+V6I+uDTaECNKQDeQwoCyUxx0yMchLWdNtd9LcE9StW2/SbHVLamDbf9 MjVjYMzX75jMaNe/5J/8eqP1D0RBd1M=
Received: from mail-qv1-f70.google.com (mail-qv1-f70.google.com [209.85.219.70]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-246-xBt_Q8XuNIeMXPlwBR9GHw-1; Thu, 27 May 2021 09:31:32 -0400
X-MC-Unique: xBt_Q8XuNIeMXPlwBR9GHw-1
Received: by mail-qv1-f70.google.com with SMTP id n3-20020a0cee630000b029020e62abfcbdso66621qvs.16 for <kitten@ietf.org>; Thu, 27 May 2021 06:31:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:subject:from:to:cc:date:in-reply-to :references:organization:user-agent:mime-version :content-transfer-encoding; bh=CwQvG3NFAfR6RLBaK/e3dodexsgSiExZzeAQn5Auxao=; b=Q6rm4dqg7wsZpt9h9gQdQHvWgCZiiXZfD71NcNHWYr/mWDKQuuF54FxFCh35X1vm3A sdBxBJNPBpLH7yEzaJZAzmwaIyTSqnVA88USR1gevOyybkJFsuVCkrx+eChvjNazgsN4 LGAC6GvVUjFeZ/8XIs3nbJO7Oif2w7a1TJZWWynaWhKjuQ1d0tstR6cfDfAMNOHN/ycw +uJ7UhVGrRoFzJVEiSsjClFRsIyEHlsxtHRX4jZLtATui/vddoX3NGBNs3BclXpbim7W I81pm1tjs+irGZ13yFn/aLdt9+iPwxj0+OWHMCNdf4Z0kAxwogN4BrhE79sELEkxrq73 xw4A==
X-Gm-Message-State: AOAM530wcGb64WSf37S7mrcQbeCsc2LuKFzrwBP+PbWG66as3PRk3ot0 DGynxKPRWrPI/ihBla4SjB/UBk0RFgMLME1jfafr2mUI5o5Rp3yq6z4jOdJzAbpIXubT4f6La5i SfZ6T0Vc=
X-Received: by 2002:a05:620a:2215:: with SMTP id m21mr3368976qkh.61.1622122292165; Thu, 27 May 2021 06:31:32 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwsXusD+9L/vrysknMvIip+omf7gWdX953TckBuqa92mGQmtOxGvnztapM/x8cf3hYN4TywMQ==
X-Received: by 2002:a05:620a:2215:: with SMTP id m21mr3368950qkh.61.1622122291975; Thu, 27 May 2021 06:31:31 -0700 (PDT)
Received: from ?IPv6:2603:7000:9400:fe80::baf? (2603-7000-9400-fe80-0000-0000-0000-0baf.res6.spectrum.com. [2603:7000:9400:fe80::baf]) by smtp.gmail.com with ESMTPSA id f19sm1402412qkg.70.2021.05.27.06.31.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 27 May 2021 06:31:31 -0700 (PDT)
Message-ID: <274ccb6cd47a8445530a6954ad745ec123df5f73.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>, Simon Josefsson <simon@josefsson.org>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Date: Thu, 27 May 2021 09:31:30 -0400
In-Reply-To: <33cbe559-7b1f-af49-88f7-3ce1bea14bdd@isode.com>
References: <87im35a9mi.fsf@latte.josefsson.org> <8b6082df6e3fc913a0ea1cc3ae31350cc81b8738.camel@redhat.com> <33cbe559-7b1f-af49-88f7-3ce1bea14bdd@isode.com>
Organization: Red Hat
User-Agent: Evolution 3.38.4 (3.38.4-1.fc33)
MIME-Version: 1.0
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=simo@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/_Nkt_k0i1gSB6eOqIlbvLA9xBo0>
Subject: Re: [kitten] Register too long SASL mechs?
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 May 2021 13:31:42 -0000

On Thu, 2021-05-27 at 10:28 +0100, Alexey Melnikov wrote:
> Hi Simo,
> 
> [I sent this message just to Simo by mistake. Resending.]
> 
> 
> On 26/05/2021 17:39, Simo Sorce wrote:
> 
> > On Wed, 2021-05-26 at 15:48 +0200, Simon Josefsson wrote:
> > > Hi! There is a request to register the ECDH-X25519-CHALLENGE and
> > > ECDSA-NIST256P-CHALLENGE mechanism names in the IANA SASL registry. The
> > > policy is First Come First Serve, so there is no real requirement of a
> > > standard or anything, however the names are longer than the 20 character
> > > limit imposed by RFC 4422. Supposedly these are already deployed and
> > > have been used in the wild for a couple of years already.
> > > 
> > > Some references:
> > >   https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml
> > >   https://github.com/atheme/atheme/blob/master/modules/saslserv/ecdh-x25519-challenge.c
> > >   https://github.com/kaniini/ecdsatool#mechanism-spec
> > > 
> > > As far as I can see, we have some options:
> > > 
> > > 1) Just let IANA register these names even if they are non-compliant.
> > > 
> > > 2) Don't formally register them but mention them on the IANA page to
> > > avoid any interop problems and allowing people to find out what these
> > > are.
> > > 
> > > 3) Refuse registration since tey are non-compliant.
> > > 
> > > I prefer 2) but could live with 1) as well. I don't think it is in the
> > > best interest of anybody that registration is refused on technicalities.
> > > Maybe this post is sufficient to make relevant parties aware of what is
> > > happening, and IANA can continue with 1).
> > > 
> > > Thoughts?
> > > 
> > > Pursuing standardization, or publishing a stable specification, of the
> > > mechanisms is orthogonal to registration, but would be useful.
> > Is there any risk that using those names can cause issues to an
> > implementation that conforms to RFC 4422 ?
> 
> Possibly. RFC 4422 defines:
> 
>    sasl-mech    = 1*20mech-char
> 
> so if an implementation is using a fixed size buffer, there might be 
> some issues.
> 
> It is harder to know whether there are any implementations which 
> actually use fixed length buffer for SASL mechanism names.

Given there may be implementations that explicitly or implicitly may
enforce this limit, perhaps (2) is the correct option?

Legitimizing (via option 1) names that could "break" implementations
doesn't sound great to me, unless there is an intention to change the
standard to allow longer names.

Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc

v2.8.7 | Report a Bug | By Email