Re: [precis] Secdir last call review of draft-ietf-precis-7613bis-07

Peter Saint-Andre <> Mon, 26 June 2017 17:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7DE1812EB23; Mon, 26 Jun 2017 10:40:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.721
X-Spam-Status: No, score=-2.721 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key) header.b=bZcLCKc7; dkim=pass (2048-bit key) header.b=CcSscp/j
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id xm6fGjvlM8pN; Mon, 26 Jun 2017 10:40:11 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7A7C112EB1C; Mon, 26 Jun 2017 10:40:11 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal []) by mailout.nyi.internal (Postfix) with ESMTP id C0550209CE; Mon, 26 Jun 2017 13:40:10 -0400 (EDT)
Received: from frontend1 ([]) by compute2.internal (MEProxy); Mon, 26 Jun 2017 13:40:10 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=vQIIuXe5RL6q2vFTsY PaX/mPzkv0XUl1x6nMryZ8xT8=; b=bZcLCKc7xbLeYzWWv9GPEtv2vXkB3JiDk5 KGzpY5fbk7x2N6Epl7g5xPAeAbHkvXCSuavi+EtrqD3fPlYaJBLNLSgakQ82zEFt d/b2UczV/JEBYysQJ69iM8cPv/ifltGV7WmEkVV2Xg2gyTRS1vavMrhQa3lnYm/y emA1ZrwYYTri0TkY+JLzdZZyIWBimssDR7Gl9BiX6sdWpkEZKC9Ohp5dtKxdWVu+ qWHGJPsEydToxluFez3UZ6fNDdqSflqkVkNx9R/xAyazHsjv9ZIP3i60SgUffxjB RlKPI356wkhx8ScG1nY2FmTlvKvGVmURIW2CLnek3Z+aPdzgy8DA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s= fm1; bh=vQIIuXe5RL6q2vFTsYPaX/mPzkv0XUl1x6nMryZ8xT8=; b=CcSscp/j AXtO09Tlzji5eypBWld9ee+0V8Tkd9EkMtxf6/LT4RW4l+sgHSa8+9RoFGu2g13n xmKwS6T2GFHrwta4k3VDskieWjKAIndNx3g3NpoG+o18UCM8my+YXELWyG5/Q9XA 6avhSfZ68eacX3wCXtU6VTYK0fCp4JKdcZTAimwFhlqqpJvhO42pPX1lsG1ZUO6+ famef+AGFW2+LqrQ5S62DD4bk6wWx5RGc432ow4rnPjEAIy9qDO0GTMfUSXrXMLt SDSaUKu2GhUuDAqZ6XTUlVkVRb5uF772pml5FkKsMxyg6/QW2MwTK3tagQ/dR2Fg R3DbTkHAI3m24A==
X-ME-Sender: <xms:-kZRWUkLtXxMnfTgI2cnIs3n0K2wmnLb0YeHv7SRC4Q7LqffMCSbsg>
X-Sasl-enc: 0xAl+sTZiWwGlOBv3TGYng8gKq6Gc1Cq0dD58WG0syVo 1498498810
Received: from aither.local ( []) by (Postfix) with ESMTPA id 10BC87E760; Mon, 26 Jun 2017 13:40:09 -0400 (EDT)
To: Joseph Salowey <>,
References: <>
From: Peter Saint-Andre <>
Message-ID: <>
Date: Mon, 26 Jun 2017 11:40:08 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [precis] Secdir last call review of draft-ietf-precis-7613bis-07
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Preparation and Comparison of Internationalized Strings <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 26 Jun 2017 17:40:13 -0000

Hi Joe, thanks for the review. Comments inline.

On 6/25/17 11:50 PM, Joseph Salowey wrote:
> Reviewer: Joseph Salowey
> Review result: Has Nits
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> The summary of the review is document is ready with nits.
> This document is an update to RFC 7613.   A few Minor comments:
> 1.  I think it would be good to show the zero-length password is not allowed in
> table 4 (18 | <> | zero-length password).   There are lots of cases where
> allowing zero-length passwords has led to problems.  Disallowing zero-length
> passwords is helpful.

Good point - we'll add that.

> 2.  Comparisons of passwords is a touchy subject.   I can't think of a case
> where it would be preferable to do a direct password comparison.   In most
> cases the comparison will be done against a salted-hashed transform of the
> password or involve some other cryptographic operation.   I think it would be
> good to discuss this briefly in the security considerations section, sample
> text below
> "Password Comparison
> Verification of passwords during authentication will not use the comparison
> defined in section 4.2.3.   Instead cryptographic calculations are performed to
> verify the password.   In most cases the password will be prepared as in
> section 4.2.1 and meet the rules enforced in section 4.2.2 before the
> calculations are performed."

That's helpful - thanks for the suggested test. A forward pointer from
Section 4.2.3 also seems desirable.