Re: [mile] Benjamin Kaduk's Discuss on draft-ietf-mile-xmpp-grid-09: (with DISCUSS and COMMENT)

Alexey Melnikov <> Thu, 24 January 2019 13:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CC9C6131131; Thu, 24 Jan 2019 05:05:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key) header.b=R6crbnQ8; dkim=pass (2048-bit key) header.b=yCo71dBh
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nCLm_gbtUf1B; Thu, 24 Jan 2019 05:04:54 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4AE7F130E5B; Thu, 24 Jan 2019 05:04:54 -0800 (PST)
Received: from compute7.internal (compute7.nyi.internal []) by mailout.nyi.internal (Postfix) with ESMTP id E52B8233C6; Thu, 24 Jan 2019 08:04:52 -0500 (EST)
Received: from web5 ([]) by compute7.internal (MEProxy); Thu, 24 Jan 2019 08:04:52 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h= message-id:from:to:cc:mime-version:content-transfer-encoding :content-type:subject:in-reply-to:date:references; s=fm2; bh=e1B r/Opb0GwhWrdZqs2u0KVE2OPscxgnufRJ7aUlFIo=; b=R6crbnQ8QtYKMIlUsYH FzpIoClJL2RaPpgfw367uW2Tmeibuz/8QMLsrQRPsWhzRcX9JZhsqOYxM1RgyULG ZkhUmDoiiY6DHseM7yldJQIUDi24iv+pfAY4rFIsdRowPDI3qV40rK+sRBu0B1WW s2v6esy3UdzEzHmGZkcXY4MMMp6Cp2fi6du+eqBLlIVoOQ5S3jiGAOSya0TjrccP L++E9i+NmrcL4NrkcVN1/DkadDMpT01aOJ4of3OPqQmBfWjxI2HOArBplCHMQQ4+ zN2jyVOAigYW61RWx0tw9dLStiM9PmMySXWMZZHEuEbH6GuwVMyZWiW1PZwr+Baz iFg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=e1Br/Opb0GwhWrdZqs2u0KVE2OPscxgnufRJ7aUlF Io=; b=yCo71dBhCBZhcO8tyXYxmW9cUF9ObPcUXud2UJEdkaYkMGT001qChhQqj I9bJE9Jf/YSXMtKO8NP8/4SQpVEgu6MoZi3d8s6ylVCRcX62zXJ0+XJ4K+O+Pl0X 6/M4lV1uX2ayZ3VA0wco+qfoLZP3/8VqEddYG6XvV6JJS93EeKk+davsqv0kC+IP xVrq26VBUv0WSG2bE7wwcKZZ87cGd4L+ID+4Wjwiavx6PPPph3vGKi0M/tFQ66/n b5OWwvqwJF1Et6RkV5hCqySsaIChtPxP6geyfUmcvysAmbVePP+cg5Zb4sgnQbt5 IwhAB99w7n1UM9djp1vjdp9GcfoeQ==
X-ME-Sender: <xms:9LdJXFtCw1Q1xiCgQczzbd4wf8sviVFKm5lGUOuNHvfPbGBDFRLUfQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedtledriedvgdegkecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfhuthenuceurghilhhouhhtmecufedt tdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepkffhvfgggfgtof fujgfffhesrgejreerredtjeenucfhrhhomheptehlvgigvgihucfovghlnhhikhhovhcu oegrrghmvghlnhhikhhovhesfhgrshhtmhgrihhlrdhfmheqnecurfgrrhgrmhepmhgrih hlfhhrohhmpegrrghmvghlnhhikhhovhesfhgrshhtmhgrihhlrdhfmhenucevlhhushht vghrufhiiigvpedt
X-ME-Proxy: <xmx:9LdJXD8iROVX3Jk37QXUxRGh375wn50EGYE2_sAfgGyskGud63iDkQ> <xmx:9LdJXBHG9Wq4aFkTl085Q2jFXXrJLiggUf18WMGrpwzMjqwLjadd0g> <xmx:9LdJXKRa-0tRHKEhLKA-slar8dUhXLdl15p_jbOhVSw7qiRedU6nCg> <xmx:9LdJXHONH446qRA-k7m3mxWg29jjLT7qks92LSkP9lCH0Tm_H9g8Sg>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id EAEDC9E123; Thu, 24 Jan 2019 08:04:51 -0500 (EST)
Message-Id: <>
From: Alexey Melnikov <>
To: Dave Cridland <>
Cc: Benjamin Kaduk <>, The IESG <>,,,,
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="_----------=_15483350913846840"
X-Mailer: Webmail Interface - ajax-36e4bfd3
In-Reply-To: <>
Date: Thu, 24 Jan 2019 13:04:51 +0000
References: <> <> <>
Archived-At: <>
Subject: Re: [mile] Benjamin Kaduk's Discuss on draft-ietf-mile-xmpp-grid-09: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 24 Jan 2019 13:05:02 -0000

Hi Dave,

On Thu, Jan 24, 2019, at 12:43 PM, Dave Cridland wrote:
> On Thu, 24 Jan 2019 at 12:04, Alexey Melnikov
> <>; wrote:>> Hi Benjamin,
>> > I also think this document does not adequately justify restricting
>> > to just>>  > the EXTERNAL and SCRAM families of SASL mechanisms;
>>  I want to push back on this. The document is adding new requirement
>>  on top of what RFC 6120 requires, this is effectively new mandatory
>>  to implement SASL mechanisms for use XMPP with grids. Ideally this
>>  would be a single SASL mechanism, but I think one password based and
>>  one X.509 based is a good compromise here.>> 
> So I see Benjamin's point here. The document does introduce a new MTI
> SASL mechanism cohort of EXTERNAL, SCRAM-SHA1, and SCRAM-SHA-256. This
> is fine, but one has to wonder why we don't do this universallyI think any effort to update RFC 6120 needs to proceed independently: it
can't hold this document hostage.
> - I might try to address this. (RFC 6120 has an MTI of SCRAM-SHA1,
>   EXTERNAL, and PLAIN+TLS for comparison).> 
> But as Benjamin says, it also mandates their exclusive usage.
> From ยง8.3.1:> 
>    completing the TLS handshake.  The XMPP-Grid Controller MUST
>    authenticate the XMPP-Grid Platform either using the SASL EXTERNAL>    mechanism [RFC4422] or using the SASL SCRAM mechanism (with the
>    SCRAM-SHA-256-PLUS variant being preferred over the SCRAM-SHA-256
>    variant and SHA-256 variants [RFC7677] being preferred over SHA-1
>    varients [RFC5802]).  XMPP-Grid Platforms and XMPP-Grid Controllers> 
> (Also, typo in "varients").
> There are, indeed, other SASL mechanisms which could be used to good
> effect here - and indeed weaker ones that might be appropriate in some
> circumstances. But, as written, the document prohibits these.
I suspect prohibition of others is not intentional. So what is the best
way of addressing this? Change the MUST to the SHOULD and possibly
change "MUST authenticate" to "SHOULD support"?
Best Regards,