Re: [mile] Benjamin Kaduk's Discuss on draft-ietf-mile-xmpp-grid-09: (with DISCUSS and COMMENT)

Dave Cridland <> Thu, 24 January 2019 12:43 UTC


On Thu, 24 Jan 2019 at 12:04, Alexey Melnikov <> wrote:

> Hi Benjamin,
> > I also think this document does not adequately justify restricting to
> > just the EXTERNAL and SCRAM families of SASL mechanisms;
> I want to push back on this. The document is adding a new requirement on top
> of what RFC 6120 requires; this is effectively new mandatory-to-implement
> SASL mechanisms for using XMPP with grids. Ideally this would be a single
> SASL mechanism, but I think one password-based and one X.509-based is a
> good compromise here.
So I see Benjamin's point here. The document does introduce a new MTI SASL
mechanism cohort of EXTERNAL, SCRAM-SHA-1, and SCRAM-SHA-256. This is fine,
but one has to wonder why we don't do this universally - I might try to
address this. (RFC 6120 has an MTI of SCRAM-SHA-1, EXTERNAL, and PLAIN+TLS
for comparison.)

But as Benjamin says, it also mandates their exclusive usage. From §8.3.1:

   completing the TLS handshake.  The XMPP-Grid Controller MUST
   authenticate the XMPP-Grid Platform either using the SASL EXTERNAL
   mechanism [RFC4422] or using the SASL SCRAM mechanism (with the
   SCRAM-SHA-256-PLUS variant being preferred over the SCRAM-SHA-256
   variant and SHA-256 variants [RFC7677] being preferred over SHA-1
   varients [RFC5802]).  XMPP-Grid Platforms and XMPP-Grid Controllers

(Also, typo in "varients").

There are, indeed, other SASL mechanisms which could be used to good effect
here - and indeed weaker ones that might be appropriate in some
circumstances. But, as written, the document prohibits these.
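To make the quoted §8.3.1 rule concrete, here is an added example (not code from the draft, the thread, or any XMPP implementation) that parses a constructed XMPP `<mechanisms/>` stream feature and picks a mechanism under that preference order: EXTERNAL when a client certificate was presented, otherwise SCRAM with SHA-256 over SHA-1 and the -PLUS (channel-binding) variant over the non-PLUS one, and a refusal when only mechanisms outside the EXTERNAL/SCRAM set (such as PLAIN) are on offer, which is the "exclusive usage" the message objects to. The `ClientContext` fields, the helper names and the sample feature XML are assumptions of this example; the mechanism names are the registered SASL names.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Sequence

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Preference order taken from the quoted draft text (section 8.3.1):
# SHA-256 variants before SHA-1 variants, and within a hash the -PLUS
# (channel-binding) variant before the plain one. Placing SCRAM-SHA-256
# ahead of SCRAM-SHA-1-PLUS is this example's reading of that text.
SCRAM_PREFERENCE = (
    "SCRAM-SHA-256-PLUS",
    "SCRAM-SHA-256",
    "SCRAM-SHA-1-PLUS",
    "SCRAM-SHA-1",
)
ALLOWED = {"EXTERNAL", *SCRAM_PREFERENCE}


@dataclass(frozen=True)
class ClientContext:
    # Assumed fields: whether the TLS handshake carried a client certificate
    # (prerequisite for EXTERNAL) and whether the TLS stack exposes channel
    # binding data (prerequisite for the -PLUS variants).
    has_client_cert: bool
    channel_binding: bool


class MechanismPolicyError(Exception):
    """Raised when nothing the peer offers is permitted by the policy."""


def parse_mechanisms(feature_xml: str) -> list[str]:
    """Return the mechanism names advertised in a <mechanisms/> feature."""
    root = ET.fromstring(feature_xml)
    names = []
    for el in root.iter(f"{{{SASL_NS}}}mechanism"):
        if el.text and el.text.strip():
            names.append(el.text.strip().upper())
    return names


def select_mechanism(offered: Sequence[str], ctx: ClientContext) -> str:
    """Choose the mechanism an XMPP-Grid peer may use, or refuse."""
    mechs = {m.upper() for m in offered}
    # EXTERNAL is only meaningful once TLS client authentication happened.
    if ctx.has_client_cert and "EXTERNAL" in mechs:
        return "EXTERNAL"
    for candidate in SCRAM_PREFERENCE:
        if candidate not in mechs:
            continue
        if candidate.endswith("-PLUS") and not ctx.channel_binding:
            # Without channel binding data we cannot complete a -PLUS
            # exchange; fall through to the next preferred variant.
            continue
        return candidate
    rejected = sorted(mechs - ALLOWED)
    raise MechanismPolicyError(
        f"no EXTERNAL/SCRAM mechanism usable; offered but disallowed: {rejected}"
    )


# Constructed sample feature, as a server might advertise after STARTTLS.
SAMPLE_FEATURE = f"""
<mechanisms xmlns='{SASL_NS}'>
  <mechanism>PLAIN</mechanism>
  <mechanism>SCRAM-SHA-1</mechanism>
  <mechanism>SCRAM-SHA-256</mechanism>
  <mechanism>SCRAM-SHA-256-PLUS</mechanism>
  <mechanism>EXTERNAL</mechanism>
</mechanisms>
"""

PLAIN_ONLY_FEATURE = f"<mechanisms xmlns='{SASL_NS}'><mechanism>PLAIN</mechanism></mechanisms>"


if __name__ == "__main__":
    offered = parse_mechanisms(SAMPLE_FEATURE)
    for ctx in (ClientContext(False, True), ClientContext(False, False), ClientContext(True, True)):
        print(ctx, "->", select_mechanism(offered, ctx))
    try:
        select_mechanism(parse_mechanisms(PLAIN_ONLY_FEATURE), ClientContext(False, True))
    except MechanismPolicyError as exc:
        print("refused:", exc)
```

The refusal branch is the behaviour the message is questioning: a peer that offers only PLAIN (even over TLS, which RFC 6120 itself accepts as MTI) gets no mechanism at all under the draft's wording, so a deployment that wanted such a fallback would have to step outside the specification rather than configure it.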