Re: [precis] Stephen Farrell's No Objection on draft-ietf-precis-saslprepbis-17: (with COMMENT)
Peter Saint-Andre - &yet <peter@andyet.net> Wed, 27 May 2015 15:44 UTC
Return-Path: <peter@andyet.net>
X-Original-To: precis@ietfa.amsl.com
Delivered-To: precis@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24C611B2B81 for <precis@ietfa.amsl.com>; Wed, 27 May 2015 08:44:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WvWZuQRQeKnR for <precis@ietfa.amsl.com>; Wed, 27 May 2015 08:44:38 -0700 (PDT)
Received: from mail-ig0-f170.google.com (mail-ig0-f170.google.com [209.85.213.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 521CE1B2CD5 for <precis@ietf.org>; Wed, 27 May 2015 08:44:33 -0700 (PDT)
Received: by igbhj9 with SMTP id hj9so90549518igb.1 for <precis@ietf.org>; Wed, 27 May 2015 08:44:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=uWORLCwbAAZZj6usX6bYEUauOsXS7qaTUZEoUaXlGDc=; b=j6ma9TqvX8dYFnk4Han6PV6CSDHE5k3kOfvFFgYdDyycQuyW6fm/0TFnM34X8lNkUx DnVRFGQuS6MrbGA/Na9QRiFNvPC7IxjR8sgbLMY9VXsf4U7IQd8q9Ed+9dgRlc1zwMHP D5OD8nF1PDKuAFNH0RyyoxP6LuIJ+QQ6c2knw9vsGMsw4EWaZSWYZY9urRVN2TksTFe7 WeEPi0Q6aUgTJE1USK5N+kYtwpLikdtyus3TQ/cNPc0L2e88woMad5EUXV+qUBBKhKQK Nl4qarfG5NXbY5Mul0eeA2V6PFIZUQYbIc/F2zPOdqdAkXddCDJA3DHOtOx6x+ILYbsJ L4oQ==
X-Gm-Message-State: ALoCoQl0AGfVYsb/alYQnIbO8o2QKDCGGTXTBUOirCHVSObVWPx1MecZTSvJFpeXE/6nrhPsIlhe
X-Received: by 10.50.59.211 with SMTP id b19mr37338212igr.42.1432741472496; Wed, 27 May 2015 08:44:32 -0700 (PDT)
Received: from aither.local (c-73-34-202-214.hsd1.co.comcast.net. [73.34.202.214]) by mx.google.com with ESMTPSA id ot6sm2046713igb.11.2015.05.27.08.44.30 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 27 May 2015 08:44:31 -0700 (PDT)
Message-ID: <5565E65D.9030605@andyet.net>
Date: Wed, 27 May 2015 09:44:29 -0600
From: Peter Saint-Andre - &yet <peter@andyet.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
References: <20150527132109.25645.76593.idtracker@ietfa.amsl.com> <5565DB7E.6080508@andyet.net> <5565DEF5.6090405@cs.tcd.ie> <5565E295.1010505@andyet.net>
In-Reply-To: <5565E295.1010505@andyet.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/precis/1lfJrRl5L9ikmizG1sx7EvNRLI4>
Cc: draft-ietf-precis-saslprepbis@ietf.org, precis@ietf.org, draft-ietf-precis-saslprepbis.ad@ietf.org, precis-chairs@ietf.org, draft-ietf-precis-saslprepbis.shepherd@ietf.org
Subject: Re: [precis] Stephen Farrell's No Objection on draft-ietf-precis-saslprepbis-17: (with COMMENT)
X-BeenThere: precis@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Preparation and Comparison of Internationalized Strings <precis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/precis>, <mailto:precis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/precis/>
List-Post: <mailto:precis@ietf.org>
List-Help: <mailto:precis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/precis>, <mailto:precis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2015 15:44:40 -0000
On 5/27/15 9:28 AM, Peter Saint-Andre - &yet wrote:
> On 5/27/15 9:12 AM, Stephen Farrell wrote:
>>
>> On 27/05/15 15:58, Peter Saint-Andre - &yet wrote:
>>> On 5/27/15 7:21 AM, Stephen Farrell wrote:
>>>> Stephen Farrell has entered the following ballot position for
>>>> draft-ietf-precis-saslprepbis-17: No Objection
<snip/>
>>>> 4.1: zero length password - I think you're wrong on that
>>>> one but it is arguable. This was a discuss until you told
>>>> me that 4013 prohibited 'em too so probably no point
>>>> in changing now if it's just my opinion.
>>>>
>>>> There are situations where an empty password is ok (say
>>>> when I'm not "protecting" something but just want to know
>>>> what user's profile to use, e.g. for weather) and that is
>>>> supported in many systems (that hence won't be able to
>>>> exactly adopt this) and insisting on a non-empty password
>>>> could be more damaging than allowing a zero-length
>>>> password, whenever a user re-uses a password for something
>>>> for which no password is really needed (and which hence is
>>>> less likely to be well protected) and where that password
>>>> is also used to protect something of significantly higher
>>>> value. The zero-length password is also not an interesting
>>>> subset of the set of stupid passwords really so doesn't
>>>> deserve to be called out as such (and you say that in the
>>>> draft when you talk about length-1 passwords.) So I think
>>>> allowing zero length passwords is better overall, and more
>>>> consistent with implementations.
>>>
>>> I see your point. Do you have a sense of what kind of systems today
>>> allow zero-length passwords? Given that RFC 4013 prohibited zero-length
>>> passwords and that they provide no security whatsoever, I don't see a
>>> compelling reason to modify the recommendation. However, as you say this
>>> document doesn't provide general guidance on password strengthy anyway,
>>> so I suppose I'd be fine with changing it to SHOULD NOT as long as we
>>> provide some text about why zero-length passwords are acceptable in some
>>> existing systems.
>>
>> I think most operating systems either allow empty passwords
>> or else try insist on what they think is "strong" or else
>> give some strength feedback to the user. Many CLI tools allow
>> for empty passwords in case they're used in a script and
>> the same goes for passwords needed by servers that might
>> ever need to restart without a human. (And yes in most cases
>> such tools provide a way to input a password from e.g. a
>> file, but that's often no more secure than no password
>> given how filesystem access control works.)
>>
>> I'll leave it to you folks to decide if you think a SHOULD
>> NOT is ok or not, but I suspect you might want to check that
>> the WG are ok with that change from 4013.
>
> Most definitely.
>
>> I suppose an alternative might be to just note some of
>> the issues above and say that in a bunch of cases an
>> application will have to accept as input either <empty-string>
>> or <password>. I guess that's what's done now in any case
>> and I'd be fine with handling it that way too if you prefer.
>
> Ah, true. That seems preferable to me.
>
> Let's see if Alexey and I can formulate some text...
How's this? (I haven't checked it with Alexey yet but he can reply here.)
OLD
Note: The prohibition on zero-length passwords is not a
recommendation regarding password strength (since a password of
only one byte is highly insecure), but is meant to prevent
applications from omitting a password entirely.
NEW
Note: Some existing systems allow an empty string in places where
a password would be expected (e.g., command-line tools that might
be called from an automated script, or servers that might need to
be restarted without human intervention). From the perspective of
this document (and RFC 4013 before it), these empty strings are
not passwords but are workarounds for the practical difficulty of
using passwords in certain scenarios. The prohibition on zero-
length passwords is not a recommendation regarding password
strength (since a password of only one byte is highly insecure),
but is meant to prevent applications from mistakenly omitting a
password entirely, since when internationalized characters are
accepted a non-empty sequence of characters can result in a zero-
length password after canonicalization.
Peter
--
Peter Saint-Andre
https://andyet.com/
- [precis] Stephen Farrell's No Objection on draft-… Stephen Farrell
- Re: [precis] Stephen Farrell's No Objection on dr… Peter Saint-Andre - &yet
- Re: [precis] Stephen Farrell's No Objection on dr… Stephen Farrell
- Re: [precis] Stephen Farrell's No Objection on dr… Peter Saint-Andre - &yet
- Re: [precis] Stephen Farrell's No Objection on dr… Peter Saint-Andre - &yet
- Re: [precis] Stephen Farrell's No Objection on dr… Alexey Melnikov
- Re: [precis] Stephen Farrell's No Objection on dr… Stephen Farrell
- Re: [precis] Stephen Farrell's No Objection on dr… Peter Saint-Andre - &yet