Re: [kitten] AD review of draft-ietf-kitten-sasl-saml-ec-19

Simon Josefsson <simon@josefsson.org> Thu, 15 October 2020 19:12 UTC

From: Simon Josefsson <simon@josefsson.org>
To: Robbie Harwood <rharwood@redhat.com>
Cc: "Cantor, Scott" <cantor.2@osu.edu>, Benjamin Kaduk <kaduk@mit.edu>, "draft-ietf-kitten-sasl-saml-ec@ietf.org" <draft-ietf-kitten-sasl-saml-ec@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>
References: <20200902230243.GH16914@kduck.mit.edu> <D5CD96B0-CC1C-4788-8479-EF77EB1B4263@osu.edu> <jlgr1r9xsnn.fsf@redhat.com>
Date: Thu, 15 Oct 2020 21:12:28 +0200
In-Reply-To: <jlgr1r9xsnn.fsf@redhat.com> (Robbie Harwood's message of "Thu, 10 Sep 2020 16:50:52 -0400")
Message-ID: <87r1pzjobn.fsf@latte.josefsson.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/sfaJAGAxHyIFAwyaPW84Z_zZJ90>

Robbie Harwood <rharwood@redhat.com> writes:

> "Cantor, Scott" <cantor.2@osu.edu> writes:
>
>> While I appreciate the detailed review, mostly for my own educational
>> purposes, I simply don't have anything close to the cycles it would
>> take to redo the document to such a degree. Nobody is funding me to
>> work on it, and events have long since overtaken it.
>>
>> I was hoping that it was more or less close to workable, and it's a
>> vast improvement over the clearly-broken SAML and OAuth mechanisms
>> that got rubber-stamped a long while back. That mistake is frankly
>> what really motivated me at the time to work on it, but that was many
>> years ago now.
>
> Appreciate your frankness here.  With my shepherd hat on:
>
> Simon, do you think you have cycles to take this on?

Hi.  Apparently, I don't either.  I would appreciate help with it.

The reason for my lack of enthusiasm is my deployment experience with
the "rubber-stamped" SAML SASL mechanism.  I implemented it and it
worked fine.  Scott's SAML-EC approach would work even better and
provide better security and more features.  However, neither provides
anything that is likely to work in the real world with IMAP, SMTP and
other common protocols: the problem is that client applications expect
to open up tens of sessions to the server, and that authentication has
to be quick and automatic for the user experience to work well.

There are many ideas on how to solve that problem, and I believe we have
discussed this before, but it is not realistic for me to find time to
work on that problem now, and until that work is ready, working on
SAML-EC has not felt worthwhile for me since it would have the same
usability issue.

/Simon