IETF Logo Mail Archive

Re: [kitten] Requesting WG adoption of several SCRAM related documents

Dave Cridland <dave@cridland.net> Fri, 07 January 2022 17:59 UTC

Return-Path: <dave@cridland.net>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED4E63A0EB4 for <kitten@ietfa.amsl.com>; Fri, 7 Jan 2022 09:59:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cridland.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nokNdf1pw0rP for <kitten@ietfa.amsl.com>; Fri, 7 Jan 2022 09:59:37 -0800 (PST)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAA813A0EA9 for <kitten@ietf.org>; Fri, 7 Jan 2022 09:59:36 -0800 (PST)
Received: by mail-wr1-x42b.google.com with SMTP id o3so12492168wrh.10 for <kitten@ietf.org>; Fri, 07 Jan 2022 09:59:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cridland.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1iAKMq6CUlEgLHbOvqcKRGr5irfywlpl7WpkjZu41os=; b=g7lj/VEXCCs7BEzbL7StdHZKQcy0v6U3+2uAuh2r6QxTmqwiBOTBdgL5lmutRp6LRm Qn0Mt+gJWkLS/RkxHmZw33bLYTjeNyLG44EnIWpGIqChCRNFWUwxwGhNE6Z0UlEho9Ag X38sJOxHcvvFp4NKqIArylZOJDi9PXwWUaJE8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1iAKMq6CUlEgLHbOvqcKRGr5irfywlpl7WpkjZu41os=; b=gxLmM2Tqkdf6T7anoql/R25PXykIotxC6XdnzztKkVvLwCMu9Byo/zAqJTTQpIH86c fTUzgzHYDQ878ndOdvYNRcYY1/FoqCyVWOGZx40aWXIGmbv5QzR3l8B4murM+X/k2LSz SSz5mK614/uTW8EY0q0uPY6W3tiFItY77kaxHbUkAGhPS+kUnzRwcyuiZqFqcVByMybr Dn8NfTA1yr9ZhQE+l6TXFq/HsY+5JIU5J8lxpT2pEA4YcwghZAVYQLOlHh78o2VHqfnC PNPErJeTqypW1YIxqZEgoVQHmFZPif+K9bkQHJT5pF9lR5eBMIkigoCWAKAHV5D6faaA IPGg==
X-Gm-Message-State: AOAM532RAFCO5YoDfYzfm69E1FgvbLV9zSwPS3ZyoEhJFfXG0vm+b9PJ 6kx8JU/LJ636EDmfJEXosW56vlX7NeJdxCbiz6KfH2CzYuohlg==
X-Google-Smtp-Source: ABdhPJxqa2uSOPC2OXEa9z3sqMKlgZukHIK+pUETtrTnLy7ZWUYA+VomB1A9e1aHJAX7nOsbaGMMpB2jFNhM37wzba4=
X-Received: by 2002:a05:6000:12d0:: with SMTP id l16mr53720041wrx.466.1641578374588; Fri, 07 Jan 2022 09:59:34 -0800 (PST)
MIME-Version: 1.0
References: <4a14c16b-644f-ac40-7b3a-a1712c9aa3d2@isode.com>
In-Reply-To: <4a14c16b-644f-ac40-7b3a-a1712c9aa3d2@isode.com>
From: Dave Cridland <dave@cridland.net>
Date: Fri, 07 Jan 2022 17:59:23 +0000
Message-ID: <CAKHUCzzdnPwqnjKSUgEHRVQ158REnmq7mxr4paAC3v5SkGDQeA@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>, Robbie Harwood <rharwood@redhat.com>
Content-Type: multipart/alternative; boundary="000000000000e37fea05d501bfea"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/exCOv1KxdbfRhHnDBbG_VuJNUNY>
Subject: Re: [kitten] Requesting WG adoption of several SCRAM related documents
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jan 2022 17:59:42 -0000

Hi all,

The following is my position on adoption:

On Tue, 26 Oct 2021 at 11:43, Alexey Melnikov <alexey.melnikov@isode.com>
wrote:

> Dear Kitten WG participants,
>
> I would like to request WG adoption of several SCRAM related documents:
>
> 1) Extensions to Salted Challenge Response (SCRAM) for 2 factor
> authentication
> <https://datatracker.ietf.org/doc/draft-melnikov-scram-2fa/>
>
> There were some earlier discussions of this document and it seems to be
> in scope for the current charter.
>
>
I think this document should be adopted and worked on.

As I've said, I think there's better options long-term, but baking TOTP
into SCRAM seems like an effective method for - as lean afficionados would
say - getting signal. We can use it to explore the limitations of the
design, and if it proves useful in deployment, that's great.

Longer term, I'd like to look at something based around XEP-0388 and/or the
encapsulation of that into another SASL mechanism, but that will take more
time and effort to implement and can be influenced by the above.


> 2) SCRAM-SHA-512 and SCRAM-SHA-512-PLUS Simple Authentication and
> Security Layer (SASL) Mechanisms
> <https://datatracker.ietf.org/doc/draft-melnikov-scram-sha-512/>
>
> This is already implemented in Cyrus SASL, so it would be good to have
> stable documentation.
>
> 3) SCRAM-SHA3-512 and SCRAM-SHA3-512-PLUS Simple Authentication and
> Security Layer (SASL) Mechanisms
> <https://datatracker.ietf.org/doc/draft-melnikov-scram-sha3-512/>
>
>
These are straightforward adoptions for me. Yes, migration is indeed
frustrating, but unless we have adaptations to the SASL profiles to allow
for per-user mechanisms lists, or else bring back transition-needed and all
that that entails, we're stuck with that problem.

For reauthentication (as noted by Simon, as well as Alexey and I as a
significant problem) I'd note the existence of two SASL mechanisms which
may be useful to adopt and work on:

The Hashed Token SASL Mechanism (ietf.org)
<https://tools.ietf.org/id/draft-schmaus-kitten-sasl-ht-07.html> - The
Hashed Token SASL mechanism family uses a shared secret to provide
mutual authentication with channel binding, with the shared secret
provisioned by an application level exchange.

Client Key SASL mechanism (ietf.org)
<https://tools.ietf.org/id/draft-cridland-kitten-clientkey-00.html> -
CLIENTKEY, which was designed alongside my TOTP work, and contains both a
one-time token system (with mutual authentication, channel-binding, and
without password equivalents on the server - but with the need for a
coordinated counter).

Or, of course, we can design something new.

Best Regards,
>
> Alexey
>
> P.S. As I am editing various documents mentioned in this email, my
> co-chair Robbie will judge consensus on adoption of each document.
>
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten
>

v2.23.0 | Report a Bug | By Email