Re: [kitten] Comments on draft-ietf-kitten-password-storage-00

Ludovic BOCQUET <lbxmpp@live.com> Thu, 29 October 2020 22:48 UTC

From: Ludovic BOCQUET <lbxmpp@live.com>
To: Robbie Harwood <rharwood@redhat.com>, Jim Fenton <fenton@bluepopcorn.net>, "kitten@ietf.org" <kitten@ietf.org>
CC: "draft-ietf-kitten-password-storage@ietf.org" <draft-ietf-kitten-password-storage@ietf.org>
Thread-Topic: [kitten] Comments on draft-ietf-kitten-password-storage-00
Thread-Index: AQHWgx8GB467h9kG20m5bHwptIPHSal0/TqAgDqFl7Q=
Importance: high
X-Priority: 1
Date: Thu, 29 Oct 2020 22:48:48 +0000
Message-ID: <DM5PR14MB130837085BB6E5FB1B592469B8140@DM5PR14MB1308.namprd14.prod.outlook.com>
References: <6dde1303-3d0c-6811-c201-00edbe5ab84e@bluepopcorn.net>, <jlgk0wleoi6.fsf@redhat.com>
In-Reply-To: <jlgk0wleoi6.fsf@redhat.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/Fjkf-vWg2jySkqcwFyIQD9OlRX4>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

Hello all,

I made comments a long time ago about the previous draft-whited-kitten-password-storage, but my changes are not here; the author has maybe forgotten them.

There are some problems here:

  *   SCRAM-SHA-1-PLUS, SCRAM-SHA-256-PLUS
  *   SCRAM-SHA-1, SCRAM-SHA-256

It must be:

  *   SCRAM-SHA-256-PLUS, SCRAM-SHA-256
  *   SCRAM-SHA-1-PLUS, SCRAM-SHA-1

Source: RFC 8600: https://tools.ietf.org/html/rfc8600

  *   "When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]"

At the same time, I think that we must add two new official SCRAM drafts by the same author as SCRAM:

Currently SCRAM-SHA-512-PLUS and SCRAM-SHA-512 are missing:
- https://tools.ietf.org/html/draft-melnikov-scram-sha-512

Currently SCRAM-SHA3-512-PLUS and SCRAM-SHA3-512 are missing:
- https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

We can have:

  *   EXTERNAL
  *   SCRAM-SHA3-512-PLUS, SCRAM-SHA3-512
  *   SCRAM-SHA-512-PLUS, SCRAM-SHA-512
  *   SCRAM-SHA-256-PLUS, SCRAM-SHA-256
  *   SCRAM-SHA-1-PLUS, SCRAM-SHA-1
  *   PLAIN
  *   DIGEST-MD5, CRAM-MD5

Explanation:

  *   EXTERNAL
  *   SCRAM-SHA3-512-PLUS, SCRAM-SHA3-512 (my request, based on RFC 8600: from best to worst)
  *   SCRAM-SHA-512-PLUS, SCRAM-SHA-512 (my request, based on RFC 8600: from best to worst)
  *   SCRAM-SHA-256-PLUS, SCRAM-SHA-256 (my request, based on RFC 8600: from best to worst)
  *   SCRAM-SHA-1-PLUS, SCRAM-SHA-1 (my request, based on RFC 8600: from best to worst)
  *   PLAIN
  *   DIGEST-MD5, CRAM-MD5 (two bad ones, already in the right order: from best to worst)

If you do not follow RFC 8600, it must be:

  *   EXTERNAL
  *   SCRAM-SHA3-512-PLUS, SCRAM-SHA-512-PLUS, SCRAM-SHA-256-PLUS, SCRAM-SHA-1-PLUS
  *   SCRAM-SHA3-512, SCRAM-SHA-512, SCRAM-SHA-256, SCRAM-SHA-1
  *   PLAIN
  *   DIGEST-MD5, CRAM-MD5

Explanation:

  *   EXTERNAL
  *   SCRAM-SHA3-512-PLUS, SCRAM-SHA-512-PLUS, SCRAM-SHA-256-PLUS, SCRAM-SHA-1-PLUS (right order: from best to worst)
  *   SCRAM-SHA3-512, SCRAM-SHA-512, SCRAM-SHA-256, SCRAM-SHA-1 (right order: from best to worst)
  *   PLAIN
  *   DIGEST-MD5, CRAM-MD5 (two bad ones, already in the right order: from best to worst)

Thanks in advance.

Regards,

BOCQUET Ludovic

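The ordering argued for above is, in practice, a client-side mechanism preference list. The following is an added example (not code from the draft or from anyone in this thread) showing how a SASL client would apply the RFC 8600 style ordering proposed in the message: pick the most preferred mechanism the server advertises, only select a -PLUS variant when the client actually has a TLS channel binding to offer, refuse the legacy MD5 mechanisms unless explicitly allowed, and derive the RFC 5802 gs2 channel-binding flag ("p=", "y" or "n") so that a server that supports -PLUS can detect a downgrade. The function names, the `allow_legacy` and `have_external_credential` parameters and the sample mechanism lists are assumptions constructed for this example.

```python
"""Client-side SASL mechanism selection using the preference order
proposed in the message above (EXTERNAL, then SCRAM from strongest hash
to SHA-1 with -PLUS ahead of non-PLUS, then PLAIN, then the MD5 legacy
mechanisms).  Example code, not the draft's own text."""
from typing import Iterable, Optional

# Preference list as proposed in the message (best first). Assumption:
# the SHA-512 / SHA3-512 names follow the Melnikov drafts cited there.
PREFERENCE = [
    "EXTERNAL",
    "SCRAM-SHA3-512-PLUS", "SCRAM-SHA3-512",
    "SCRAM-SHA-512-PLUS", "SCRAM-SHA-512",
    "SCRAM-SHA-256-PLUS", "SCRAM-SHA-256",
    "SCRAM-SHA-1-PLUS", "SCRAM-SHA-1",
    "PLAIN",
    "DIGEST-MD5", "CRAM-MD5",
]
RANK = {name: i for i, name in enumerate(PREFERENCE)}

# Mechanisms the message calls "bad": refused unless the caller opts in.
LEGACY = {"DIGEST-MD5", "CRAM-MD5"}


def choose_mechanism(offered: Iterable[str],
                     channel_binding_available: bool,
                     have_external_credential: bool = False,
                     allow_legacy: bool = False) -> Optional[str]:
    """Return the most preferred usable mechanism from the server's list,
    or None if nothing acceptable was advertised."""
    usable = []
    for raw in offered:
        mech = raw.strip().upper()
        if mech not in RANK:
            continue                      # unknown mechanism: ignore it
        if mech.endswith("-PLUS") and not channel_binding_available:
            continue                      # -PLUS needs a channel binding
        if mech == "EXTERNAL" and not have_external_credential:
            continue                      # EXTERNAL needs e.g. a client cert
        if mech in LEGACY and not allow_legacy:
            continue                      # MD5 mechanisms are off by default
        usable.append(mech)
    if not usable:
        return None
    return min(usable, key=RANK.__getitem__)


def gs2_cbind_flag(chosen: str, channel_binding_available: bool,
                   cb_name: str = "tls-exporter") -> str:
    """RFC 5802 gs2-cbind-flag for the SCRAM client-first message.

    'p=<name>': client requires channel binding (a -PLUS mechanism was chosen)
    'y'       : client supports channel binding but the server offered no
                -PLUS variant; a server that does support -PLUS treats this
                as a downgrade attack and aborts
    'n'       : client does not support channel binding
    """
    if chosen.endswith("-PLUS"):
        return f"p={cb_name}"
    return "y" if channel_binding_available else "n"


def negotiate(offered: Iterable[str], channel_binding_available: bool,
              **kwargs) -> Optional[tuple]:
    """Convenience wrapper: (mechanism, gs2 flag) for a SCRAM choice,
    (mechanism, None) for non-SCRAM, None if nothing is acceptable."""
    mech = choose_mechanism(offered, channel_binding_available, **kwargs)
    if mech is None:
        return None
    if mech.startswith("SCRAM-"):
        return mech, gs2_cbind_flag(mech, channel_binding_available)
    return mech, None


if __name__ == "__main__":
    # Constructed server advertisements, not taken from any real server.
    server = ["SCRAM-SHA-1", "SCRAM-SHA-256", "SCRAM-SHA-256-PLUS", "PLAIN"]
    print(negotiate(server, channel_binding_available=True))   # SHA-256-PLUS
    print(negotiate(server, channel_binding_available=False))  # SHA-256, 'n'
    print(negotiate(["DIGEST-MD5", "CRAM-MD5"], True))         # None
```

Ordering the list this way means a client never falls through to PLAIN while any SCRAM variant is available, and never picks SHA-1 when SHA-256 is offered; with channel binding available the -PLUS variant of the chosen hash wins. The "y" flag case is what makes the preference list safe against an active downgrade: a server that offers SCRAM-SHA-256-PLUS and receives "y" knows the -PLUS advertisement was stripped in transit.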

________________________________
From: Kitten <kitten-bounces@ietf.org> on behalf of Robbie Harwood <rharwood@redhat.com>
Sent: Tuesday, September 22, 2020 4:59 PM
To: Jim Fenton <fenton@bluepopcorn.net>; kitten@ietf.org <kitten@ietf.org>
Cc: draft-ietf-kitten-password-storage@ietf.org <draft-ietf-kitten-password-storage@ietf.org>
Subject: Re: [kitten] Comments on draft-ietf-kitten-password-storage-00

Jim Fenton <fenton@bluepopcorn.net> writes:

> Hi,
>
> I'm not generally up to speed on the work of the kitten WG, but someone
> pointed out this draft and thought I'd be interested, and I am. Please
> bear that in mind if some of my suggestions conflict with GSS-API,
> Kerberos, etc. And I'm not familiar with the various SASL mechanisms so
> don't have any comments on them.

Hi Jim, thanks for taking a look.

Sam, have you had a chance to take a look at the review?

Thanks,
--Robbie