IETF Logo Mail Archive

Re: [precis] Stephen Farrell's No Objection on draft-ietf-precis-saslprepbis-17: (with COMMENT)

Peter Saint-Andre - &yet <peter@andyet.net> Wed, 27 May 2015 14:58 UTC

Return-Path: <peter@andyet.net>
X-Original-To: precis@ietfa.amsl.com
Delivered-To: precis@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBCD71B2C41 for <precis@ietfa.amsl.com>; Wed, 27 May 2015 07:58:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HPp5nN5N86h1 for <precis@ietfa.amsl.com>; Wed, 27 May 2015 07:58:14 -0700 (PDT)
Received: from mail-ie0-f171.google.com (mail-ie0-f171.google.com [209.85.223.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A5901B2BB4 for <precis@ietf.org>; Wed, 27 May 2015 07:58:10 -0700 (PDT)
Received: by iepj10 with SMTP id j10so15434326iep.3 for <precis@ietf.org>; Wed, 27 May 2015 07:58:09 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=2srT0kRMgEwfl6tvPtq3O3nyH0i2eX78RGz/ltaEgUM=; b=F/GIvkSj3ZZCOfFa2nigyp2UWq1ZuWdGblwJhJ9i2bNcgBw+w97jJS8NR/HBCPpmz9 39TKTcu38wtIThjkGhLAUMMo80VM0ZobCy8dvQPBhCW6JjGDutPxNikcqfCcGrGD1QzR npMDOI4Y8Amy5PWVRhXsSoPxJvLVSszuCa9giHs/nxrNUpVbAv3d9IR59DsPCSh2l9Xx yX/eGt4DhKQErMPANr/QVhy8dJYbrlGJw4MNI/9F/5Hx+xwnqn2BtYff/bGYdtf23hJX UCGj13RXKvRLmZ9gUJUBub/cqCWR3qLOnAiwbKPMzI10J9Y1wCNxdV2JjfT3gUXbf/Xa 5p3A==
X-Gm-Message-State: ALoCoQkjNS13C2LYlM1rq97Jysj3cfWqLOQ3iq3OCIlJ1HQtdC0tkd8lDty/AspQYz2fPQ0BYhqA
X-Received: by 10.50.49.46 with SMTP id r14mr36321564ign.45.1432738689790; Wed, 27 May 2015 07:58:09 -0700 (PDT)
Received: from aither.local (c-73-34-202-214.hsd1.co.comcast.net. [73.34.202.214]) by mx.google.com with ESMTPSA id j3sm1942973igx.21.2015.05.27.07.58.07 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 27 May 2015 07:58:08 -0700 (PDT)
Message-ID: <5565DB7E.6080508@andyet.net>
Date: Wed, 27 May 2015 08:58:06 -0600
From: Peter Saint-Andre - &yet <peter@andyet.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
References: <20150527132109.25645.76593.idtracker@ietfa.amsl.com>
In-Reply-To: <20150527132109.25645.76593.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/precis/06UXlc8BT60rl3G4rc9y9N1ZLZU>
Cc: draft-ietf-precis-saslprepbis@ietf.org, precis@ietf.org, draft-ietf-precis-saslprepbis.ad@ietf.org, precis-chairs@ietf.org, draft-ietf-precis-saslprepbis.shepherd@ietf.org
Subject: Re: [precis] Stephen Farrell's No Objection on draft-ietf-precis-saslprepbis-17: (with COMMENT)
X-BeenThere: precis@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Preparation and Comparison of Internationalized Strings <precis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/precis>, <mailto:precis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/precis/>
List-Post: <mailto:precis@ietf.org>
List-Help: <mailto:precis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/precis>, <mailto:precis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2015 14:58:18 -0000

On 5/27/15 7:21 AM, Stephen Farrell wrote:
> Stephen Farrell has entered the following ballot position for
> draft-ietf-precis-saslprepbis-17: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-precis-saslprepbis/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
>
> - Unsurprisingly, the diff between this and RFC4013 isn't
> useful, so I read from scratch. If I'm commenting on
> something that was already true of 4013, just tell me and
> that'll be fine.

Truly, the diff is so large that it's more sensible to read this 
document anew.

> - intro: given the unsolved i18n issues and the fact that
> passwords are crap (security wise) would it be fair to ask
> that you add a sentence here to encourage folks to not use
> passwords at all but some better form of authentication,
> when that's possible? (Which is sadly not nearly common
> enough for user authentication.) Maybe something like:
>
> "While this document specifies how to handle passwords
> to the best of our current abilities, those designing and
> implementing protocols would be much better off if they
> can avoid any use of passwords. Using passwords means
> having to deal with the inherent insecurity of passwords,
> and of password verifier databases, and also the i18n
> issues described here. Authentication schemes based on
> digital signatures or other cryptographic mechanisms
> are, where usable, far preferable."

Is it really the place of this document to discourage the use of 
passwords? I'm all in favor of the sentiment, but it seems to me that a 
BCP on the topic would have a lot more force and could claim IETF consensus.

> - nitty nit: intro, 2nd last para on p3: once a password is
> chosen, there are no more entropy changes so you cannot
> maximise entropy *during* authentication. Maybe
> s/during/for/ works though.

+1

> - 3.2.2, bullet 3: I read this as saying to use the latest
> Unicode default case folding and not to stick with v7.0
> even if a new and in this sense different version is
> published. This is just to check that that is what you
> intended and that I've not misread the text.

We might do this:

OLD
        (at the time of this writing, the algorithm is specified in
        Chapter 3 of [Unicode7.0])

NEW
        (at the time of this writing, the algorithm is specified in
        Chapter 3 of [Unicode7.0], but the chapter number might change
        in a future version of the Unicode Standard)

The idea behind including the Unicode7.0 reference was to enable the 
reader to quickly find the relevant discussion as of today, but we know 
that the exact pointer might change.

> 4.1: zero length password - I think you're wrong on that
> one but it is arguable. This was a discuss until you told
> me that 4013 prohibited 'em too so probably no point
> in changing now if it's just my opinion.
>
> There are situations where an empty password is ok (say
> when I'm not "protecting" something but just want to know
> what user's profile to use, e.g. for weather) and that is
> supported in many systems (that hence won't be able to
> exactly adopt this) and insisting on a non-empty password
> could be more damaging than allowing a zero-length
> password, whenever a user re-uses a password for something
> for which no password is really needed (and which hence is
> less likely to be well protected) and where that password
> is also used to protect something of significantly higher
> value. The zero-length password is also not an interesting
> subset of the set of stupid passwords really so doesn't
> deserve to be called out as such (and you say that in the
> draft when you talk about length-1 passwords.) So I think
> allowing zero length passwords is better overall, and more
> consistent with implementations.

I see your point. Do you have a sense of what kind of systems today 
allow zero-length passwords? Given that RFC 4013 prohibited zero-length 
passwords and that they provide no security whatsoever, I don't see a 
compelling reason to modify the recommendation. However, as you say this 
document doesn't provide general guidance on password strengthy anyway, 
so I suppose I'd be fine with changing it to SHOULD NOT as long as we 
provide some text about why zero-length passwords are acceptable in some 
existing systems.

Peter

-- 
Peter Saint-Andre
https://andyet.com/

v2.23.0 | Report a Bug | By Email