[precis] Stephen Farrell's No Objection on draft-ietf-precis-saslprepbis-17: (with COMMENT)

"Stephen Farrell" <stephen.farrell@cs.tcd.ie> Wed, 27 May 2015 13:21 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: precis@ietfa.amsl.com
Delivered-To: precis@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A17C81AD080; Wed, 27 May 2015 06:21:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8gJC3-j9-K3P; Wed, 27 May 2015 06:21:10 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id EAFB51AD06D; Wed, 27 May 2015 06:21:09 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.0.3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150527132109.25645.76593.idtracker@ietfa.amsl.com>
Date: Wed, 27 May 2015 06:21:09 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/precis/A4fFGfgVbBmQaEotuFXFl_K-VQ8>
Cc: draft-ietf-precis-saslprepbis@ietf.org, precis@ietf.org, draft-ietf-precis-saslprepbis.ad@ietf.org, precis-chairs@ietf.org, draft-ietf-precis-saslprepbis.shepherd@ietf.org
Subject: [precis] Stephen Farrell's No Objection on draft-ietf-precis-saslprepbis-17: (with COMMENT)
X-BeenThere: precis@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Preparation and Comparison of Internationalized Strings <precis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/precis>, <mailto:precis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/precis/>
List-Post: <mailto:precis@ietf.org>
List-Help: <mailto:precis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/precis>, <mailto:precis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2015 13:21:11 -0000

Stephen Farrell has entered the following ballot position for
draft-ietf-precis-saslprepbis-17: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-precis-saslprepbis/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------


- Unsurprisingly, the diff between this and RFC4013 isn't
useful, so I read from scratch. If I'm commenting on
something that was already true of 4013, just tell me and
that'll be fine.

- intro: given the unsolved i18n issues and the fact that
passwords are crap (security wise) would it be fair to ask
that you add a sentence here to encourage folks to not use
passwords at all but some better form of authentication,
when that's possible? (Which is sadly not nearly common
enough for user authentication.) Maybe something like:

"While this document specifies how to handle passwords 
to the best of our current abilities, those designing and
implementing protocols would be much better off if they
can avoid any use of passwords. Using passwords means
having to deal with the inherent insecurity of passwords,
and of password verifier databases, and also the i18n
issues described here. Authentication schemes based on
digital signatures or other cryptographic mechanisms 
are, where usable, far preferable."

- nitty nit: intro, 2nd last para on p3: once a password is
chosen, there are no more entropy changes so you cannot
maximise entropy *during* authentication. Maybe
s/during/for/ works though.

- 3.2.2, bullet 3: I read this as saying to use the latest
Unicode default case folding and not to stick with v7.0
even if a new and in this sense different version is
published. This is just to check that that is what you
intended and that I've not misread the text.

4.1: zero length password - I think you're wrong on that
one but it is arguable. This was a discuss until you told
me that 4013 prohibited 'em too so probably no point
in changing now if it's just my opinion.

There are situations where an empty password is ok (say
when I'm not "protecting" something but just want to know
what user's profile to use, e.g. for weather) and that is
supported in many systems (that hence won't be able to
exactly adopt this) and insisting on a non-empty password
could be more damaging than allowing a zero-length
password, whenever a user re-uses a password for something
for which no password is really needed (and which hence is
less likely to be well protected) and where that password
is also used to protect something of significantly higher
value. The zero-length password is also not an interesting
subset of the set of stupid passwords really so doesn't
deserve to be called out as such (and you say that in the
draft when you talk about length-1 passwords.) So I think
allowing zero length passwords is better overall, and more
consistent with implementations.