[OPSAWG] Barry Leiba's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS)

Barry Leiba via Datatracker <noreply@ietf.org> Thu, 16 May 2019 05:10 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: opsawg@ietf.org
Delivered-To: opsawg@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id E5C1512006D; Wed, 15 May 2019 22:10:29 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Barry Leiba via Datatracker <noreply@ietf.org>
To: "The IESG" <iesg@ietf.org>
Cc: draft-ietf-opsawg-tacacs@ietf.org, Joe Clarke <jclarke@cisco.com>, opsawg-chairs@ietf.org, opsawg-chairs@ietf.org, opsawg@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.96.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Barry Leiba <barryleiba@computer.org>
Message-ID: <155798342993.30658.12691604092353398933.idtracker@ietfa.amsl.com>
Date: Wed, 15 May 2019 22:10:29 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/jHMLDAzfwb6lXtl-VJdhrJ7WKhk>
Subject: [OPSAWG] Barry Leiba's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 May 2019 05:10:30 -0000

Barry Leiba has entered the following ballot position for
draft-ietf-opsawg-tacacs-13: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:


I support the DISCUSS ballots by Alexey and Roman, as well as the comments by
Deborah and Alissa that more text be in the introduction about the status and
limitations here.

I also need to add to Alexey’s DISCUSS on 4.6, Text Encoding:

   To ensure interoperability of current deployments, the TACACS+ client
   and server MUST handle user fields and those data fields used for
   passwords as 8-bit octet strings.  The deployment operator MUST
   ensure that consistent character encoding is applied from the end
  client to the server.

This is a mine field.  Treating passwords as raw octets without concern for
encoding and normalization can cause authentication failures and can be used to
attack systems where non-ASCII passwords are in use.

Suppose I enter “crème brûlée” as my password. How that’s represented in UTF-8
depends upon my input device, as there are at least two valid representations
of each accented vowel.  Without normalization/canonicalization, passwords
entered on different input devices might not match, blocking my access.  And we
haven’t touched on bidirectional issues (mixing, say, Hebrew and English

The precis framework has detailed explanations of how to deal with usernames
and passwords — see RFC 8265 (and, for the overall precis framework, RFC 8264).

   The encoding SHOULD be UTF-8, and other
   encodings outside printable US-ASCII SHOULD be deprecated.”

This doesn’t make sense with respect to how we use “deprecated”.  You need to
say “are deprecated”, meaning that we recommend against using them.  There’s no
BCP 14 “SHOULD” involved here.