Re: [precis] I-D Action: draft-ietf-precis-7564bis-09.txt

Peter Saint-Andre <stpeter@stpeter.im> Thu, 14 September 2017 03:39 UTC

To: Sam Whited <sam@samwhited.com>
Cc: "precis@ietf.org" <precis@ietf.org>
From: Peter Saint-Andre <stpeter@stpeter.im>
Date: Wed, 13 Sep 2017 21:38:56 -0600
Archived-At: <https://mailarchive.ietf.org/arch/msg/precis/GlfsEN0vLovB7Lpwqtgnkp3kjp8>

On 9/8/17 8:13 AM, Sam Whited wrote:
> On Wed, Jul 19, 2017, at 23:44, Sam Whited wrote:
>> On Wed, Jul 19, 2017 at 8:40 PM, Peter Saint-Andre <stpeter@stpeter.im>
>> wrote:
>>> What do implementers think is a "reasonable number of iterations"? My
>>> sense is that we're talking about at most 4 or 5, and usually 2 or 3.
> 
> Apologies for the long delay, I know this thread is rather old now, but
> I was just reminded of this blog post [1] from Spotify that shows that
> the non-idempotency of the nickname profile is already a security issue
> in the wild and that documenting the fact that it may have security
> implications only goes so far.
> 
> —Sam
> 
> [1]: https://labs.spotify.com/2013/06/18/creative-usernames/
> 

The Spotify folks faced numerous issues, including the fact that they
implemented against an unfinished spec. I'd say that if they now used
the PRECIS specs (especially the new ones about to be published) as
their guideline, things would have gone much better.

Peter
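
The non-idempotency discussed in this thread, shown as an added example (not part of either message, and not code from the PRECIS drafts or from Spotify): a normalization pass that lowercases before applying NFKC needs a second pass on some inputs, so an identity key should be computed by repeating the pass until the output stops changing, with a cap. The pass here is a simplified stand-in for a nickname-style profile, not a conformant implementation; `one_pass`, `stabilize`, `same_identity`, the cap of 5 (the upper estimate quoted above) and the sample string are assumptions made for illustration.

```python
import unicodedata

MAX_PASSES = 5  # assumed cap, from the "at most 4 or 5" estimate quoted in the thread

# Constructed sample: "BIGBIRD" spelled with modifier capital letters (category Lm).
SAMPLE = "\u1d2e\u1d35\u1d33\u1d2e\u1d35\u1d3f\u1d30"


def one_pass(s: str) -> str:
    """One simplified pass: collapse whitespace, lowercase, then NFKC.

    Lowercasing runs before NFKC, so a character that only becomes an
    uppercase ASCII letter after compatibility decomposition is missed.
    """
    s = " ".join(s.split())
    s = s.lower()
    return unicodedata.normalize("NFKC", s)


def stabilize(s: str, max_passes: int = MAX_PASSES):
    """Repeat one_pass until a pass changes nothing.

    Returns (stable_string, number_of_passes_that_changed_it).
    Raises ValueError if the string is still changing after max_passes,
    so the caller rejects the input instead of storing an unstable key.
    """
    for changes in range(max_passes):
        nxt = one_pass(s)
        if nxt == s:
            return s, changes
        s = nxt
    raise ValueError("input not stable after %d passes" % max_passes)


def same_identity(a: str, b: str) -> bool:
    """Compare two names by their stabilized form, not a single pass."""
    return stabilize(a)[0] == stabilize(b)[0]


if __name__ == "__main__":
    print(repr(one_pass(SAMPLE)))            # after one pass
    print(repr(one_pass(one_pass(SAMPLE))))  # after two passes
    print(stabilize(SAMPLE))
    print(same_identity(SAMPLE, "BigBird"))
```

A system that stores `one_pass(name)` at registration but re-normalizes the stored value elsewhere will treat the two results as different keys for the same name; comparing on the stabilized form, and rejecting input that does not stabilize within the cap, removes that gap.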