Re: [kitten] The Hashed-Token SASL Mechanism (SASL-HT)

Sam Whited <sam@samwhited.com> Tue, 17 October 2017 17:01 UTC

From: Sam Whited <sam@samwhited.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>, kitten@ietf.org
References: <9913d71b-ae22-cc48-34b8-fb29fdf9a00c@geekplace.eu> <1508249331.3526135.1141665400.36944376@webmail.messagingengine.com> <7425e2f8-89a4-8a2d-8957-b640b8d97883@isode.com>
In-Reply-To: <7425e2f8-89a4-8a2d-8957-b640b8d97883@isode.com>
Date: Tue, 17 Oct 2017 12:01:25 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/qtOvhtoTCIq9orR_L6MUJmpLwIg>
Subject: Re: [kitten] The Hashed-Token SASL Mechanism (SASL-HT)

On Tue, Oct 17, 2017, at 11:57, Alexey Melnikov wrote:
> Normalization to disallow problematic characters is a good thing, so I 
> think a SHOULD level requirement is appropriate. But I am not sure that 
> case-mapped version of UserName profile is the right thing here.

I agree, I just don't think this needs to be part of the authentication
framework. It should already be handled by the application-level
protocol. E.g., RFC 7622 already defines how XMPP normalizes usernames, so
why should this mandate that we run that step again?

Also, if a system wants to use UsernameCasePreserved but this
mechanism uses UsernameCaseMapped (or vice versa), the SASL mechanism
would be breaking that profile. Even if we change to
UsernameCasePreserved (which I think is more correct than case mapped in
this case, FWIW), what if the application using this profile specifically
allows characters in usernames that aren't allowed by the identifier
class of PRECIS? We shouldn't be making that decision for people.

—Sam
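As an added illustration of the profile-mismatch concern raised above (this is not code from the thread or from any SASL-HT implementation), here is a simplified Python approximation of the two RFC 8265 username profiles; the IdentifierClass check is an assumption standing in for the full PRECIS derived-property tables, and `mechanism_matches_stored` is a hypothetical helper modelling a mechanism that re-normalizes a name the application already normalized.

```python
import unicodedata

# Simplified approximation of the PRECIS UsernameCaseMapped and
# UsernameCasePreserved profiles (RFC 8265), written for illustration.
# The IdentifierClass check is a rough stand-in for the RFC 8264 tables,
# not a conforming implementation.

def _width_map(s: str) -> str:
    """Width Mapping Rule: NFKC only the Halfwidth/Fullwidth Forms block."""
    return "".join(
        unicodedata.normalize("NFKC", ch) if 0xFF00 <= ord(ch) <= 0xFFEF else ch
        for ch in s)

def _check_identifier_class(s: str) -> str:
    """Reject code points outside a rough IdentifierClass: printable ASCII,
    letters, digits and combining marks pass; space and controls do not."""
    if not s:
        raise ValueError("empty username")
    for ch in s:
        if 0x21 <= ord(ch) <= 0x7E:
            continue
        if unicodedata.category(ch) in ("Lu", "Ll", "Lo", "Lm", "Nd", "Mn", "Mc"):
            continue
        raise ValueError(f"U+{ord(ch):04X} not allowed in IdentifierClass")
    return s

def username_case_preserved(s: str) -> str:
    """Width map, NFC, class check; case is left untouched."""
    return _check_identifier_class(unicodedata.normalize("NFC", _width_map(s)))

def username_case_mapped(s: str) -> str:
    """Width map, case fold (str.casefold approximates Unicode Default
    Case Folding), NFC, class check."""
    return _check_identifier_class(
        unicodedata.normalize("NFC", _width_map(s).casefold()))

def mechanism_matches_stored(stored: str, presented: str, mechanism_profile) -> bool:
    """Hypothetical helper: the application already enforced its own profile
    and stored `stored`; the mechanism independently applies `mechanism_profile`
    to `presented`. A different profile (or a username the application allows
    but IdentifierClass does not) makes the comparison fail."""
    try:
        return mechanism_profile(presented) == stored
    except ValueError:
        return False
```

Running it shows the two failure modes from the message: an application that stores "Alice" under UsernameCasePreserved no longer matches once a mechanism case-maps the same input, and a username with a space (allowed by some applications, disallowed by IdentifierClass) is rejected outright.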