Re: [mile] Benjamin Kaduk's Discuss on draft-ietf-mile-xmpp-grid-09: (with DISCUSS and COMMENT)

Dave Cridland <dave@cridland.net> Thu, 24 January 2019 12:43 UTC

References: <154830236119.7369.16213460588216390150.idtracker@ietfa.amsl.com> <1548331471.370290.1642501848.3FF05D24@webmail.messagingengine.com>
In-Reply-To: <1548331471.370290.1642501848.3FF05D24@webmail.messagingengine.com>
From: Dave Cridland <dave@cridland.net>
Date: Thu, 24 Jan 2019 12:43:17 +0000
Message-ID: <CAKHUCzybcNRjNCBhnAFAx_NJDW_72Fa3PW11Vx2Q_JMhyvA_7A@mail.gmail.com>
To: Alexey Melnikov <aamelnikov@fastmail.fm>
Cc: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>, mile@ietf.org, mile-chairs@tools.ietf.org, draft-ietf-mile-xmpp-grid@ietf.org, mile-chairs@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/jBwhFDBCzIuiCX35osKAhdq_IGc>
Subject: Re: [mile] Benjamin Kaduk's Discuss on draft-ietf-mile-xmpp-grid-09: (with DISCUSS and COMMENT)

On Thu, 24 Jan 2019 at 12:04, Alexey Melnikov <aamelnikov@fastmail.fm>
wrote:

> Hi Benjamin,
> > I also think this document does not adequately justify restricting to
> > just the EXTERNAL and SCRAM families of SASL mechanisms;
>
> I want to push back on this. The document is adding a new requirement on
> top of what RFC 6120 requires; this is effectively a new set of
> mandatory-to-implement SASL mechanisms for using XMPP with grids. Ideally
> this would be a single SASL mechanism, but I think one password-based and
> one X.509-based is a good compromise here.
>
>
So I see Benjamin's point here. The document does introduce a new MTI SASL
mechanism cohort of EXTERNAL, SCRAM-SHA1, and SCRAM-SHA-256. This is fine,
but one has to wonder why we don't do this universally - I might try to
address this. (RFC 6120 has an MTI of SCRAM-SHA1, EXTERNAL, and PLAIN+TLS
for comparison).

But as Benjamin says, it also mandates their exclusive usage. From §8.3.1:

   completing the TLS handshake.  The XMPP-Grid Controller MUST
   authenticate the XMPP-Grid Platform either using the SASL EXTERNAL
   mechanism [RFC4422] or using the SASL SCRAM mechanism (with the
   SCRAM-SHA-256-PLUS variant being preferred over the SCRAM-SHA-256
   variant and SHA-256 variants [RFC7677] being preferred over SHA-1
   varients [RFC5802]).  XMPP-Grid Platforms and XMPP-Grid Controllers

(Also, typo in "varients").

There are, indeed, other SASL mechanisms which could be used to good effect
here - and indeed weaker ones that might be appropriate in some
circumstances. But, as written, the document prohibits these.

Dave.
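As an added illustration (not part of this message or of the draft), the following Python sketch applies the §8.3.1 text quoted above to a server's advertised SASL mechanisms: EXTERNAL when the Platform presented a client certificate, otherwise the best SCRAM variant in the preference order the section gives, and nothing else. The function names and the sample stream-features stanza are assumptions; the mechanism names are those in the draft.

```python
"""Mechanism selection following draft-ietf-mile-xmpp-grid-09 section 8.3.1 as quoted.

Added example, not code from the draft or from any XMPP implementation."""
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"  # RFC 6120 SASL namespace

# Preference order stated in 8.3.1: -PLUS over non-PLUS, SHA-256 over SHA-1.
# Ranking SCRAM-SHA-1-PLUS above SCRAM-SHA-1 is an assumption by analogy.
SCRAM_PREFERENCE = [
    "SCRAM-SHA-256-PLUS",
    "SCRAM-SHA-256",
    "SCRAM-SHA-1-PLUS",
    "SCRAM-SHA-1",
]

# Constructed sample: a Controller that also offers PLAIN, which 8.3.1 never allows.
SAMPLE_FEATURES = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    "<mechanism>PLAIN</mechanism><mechanism>SCRAM-SHA-1</mechanism>"
    "<mechanism>SCRAM-SHA-256</mechanism><mechanism>EXTERNAL</mechanism>"
    "</mechanisms></stream:features>"
)


def offered_mechanisms(features_xml):
    """Return the mechanism names advertised in a <stream:features> stanza."""
    root = ET.fromstring(features_xml)
    return [m.text.strip() for m in root.iter(f"{{{SASL_NS}}}mechanism") if m.text]


def select_mechanism(offered, have_client_cert, channel_binding_available):
    """Pick a mechanism 8.3.1 permits, or None if the server offers none.

    EXTERNAL is used when the Platform authenticated with a certificate during
    the TLS handshake; otherwise the highest-ranked SCRAM variant offered.
    A -PLUS variant needs a TLS channel binding and is skipped without one.
    PLAIN, DIGEST-MD5 and friends are never chosen: as written, the section
    allows only EXTERNAL and SCRAM, which is the exclusivity the reply describes.
    """
    offered = set(offered)
    if have_client_cert and "EXTERNAL" in offered:
        return "EXTERNAL"
    for mech in SCRAM_PREFERENCE:
        if mech.endswith("-PLUS") and not channel_binding_available:
            continue
        if mech in offered:
            return mech
    return None
```

With only PLAIN on offer the function returns None, i.e. a conforming Platform cannot fall back even over TLS, which is the prohibition the message points out.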