Re: [precis] Stephen Farrell's Discuss on draft-ietf-precis-saslprepbis-17: (with DISCUSS and COMMENT)

Simon Josefsson <simon@josefsson.org> Fri, 29 May 2015 20:19 UTC

From: Simon Josefsson <simon@josefsson.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Fri, 29 May 2015 22:19:49 +0200
In-Reply-To: <5565C31C.3020309@cs.tcd.ie> (Stephen Farrell's message of "Wed, 27 May 2015 14:14:04 +0100")
Archived-At: <http://mailarchive.ietf.org/arch/msg/precis/MPCqeBmSFbHJkPx4Jd6tAlP8ScQ>
Cc: draft-ietf-precis-saslprepbis@ietf.org, precis@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-precis-saslprepbis.ad@ietf.org, precis-chairs@ietf.org, draft-ietf-precis-saslprepbis.shepherd@ietf.org

Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:

> Hiya,
>
> On 27/05/15 14:06, Alexey Melnikov wrote:
>> Hi Stephen,
>> 
>> On 27/05/2015 13:56, Stephen Farrell wrote:
>>  [...]
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>>
>>>
>>> 4.1: zero length password - I think you're wrong on that
>>> one but it is arguable. If RFC4013 also prohibited zero
>>> length passwords (I couldn't tell at a quick glance)
>> Yes, zero length password was always prohibited by RFC 4013. If you look
>> at various RFCs that reference SASLPrep, they say "if the password is
>> invalid or zero length after applying SASLPrep normalization, then
>> reject it" (or similar words).
>
> That wins. I'll clear the discuss and make this a comment.

I question if this is correct -- my SASLprep implementation accepts zero
length passwords.  Where in RFC 4013 is the requirement to reject them?

I think Stephen's thoughts around empty passwords make a lot of sense.
Empty passwords are used in many places, for good or bad.

I'm certain that not all RFCs that refer to SASLprep have the wording
above.  RFC 5802 (SCRAM) doesn't, as far as I can tell, for example.

/Simon
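
The following is an added example, not part of the message above and not code from any implementation mentioned in the thread. It shows how a non-empty input can become zero length after the RFC 4013 mapping step, which is where the accept-or-reject decision under discussion has to be made. The function names and the `allow_empty` flag are hypothetical, and the bidi and unassigned-code-point checks of RFC 4013 are omitted.

```python
import stringprep
import unicodedata

# RFC 4013 section 2.3 prohibited-output tables (RFC 3454 appendix C).
_PROHIBITED = (
    stringprep.in_table_c12, stringprep.in_table_c21, stringprep.in_table_c22,
    stringprep.in_table_c3, stringprep.in_table_c4, stringprep.in_table_c5,
    stringprep.in_table_c6, stringprep.in_table_c7, stringprep.in_table_c8,
    stringprep.in_table_c9,
)


def saslprep_simplified(s):
    """Mapping, NFKC and prohibited-output steps of RFC 4013.

    Simplification (assumption of this example): the bidi check and the
    unassigned-code-point check are not implemented.
    """
    mapped = []
    for ch in s:
        if stringprep.in_table_c12(ch):
            mapped.append(" ")          # non-ASCII space -> U+0020
        elif not stringprep.in_table_b1(ch):
            mapped.append(ch)           # B.1 characters are mapped to nothing
    out = unicodedata.normalize("NFKC", "".join(mapped))
    for ch in out:
        if any(in_table(ch) for in_table in _PROHIBITED):
            raise ValueError("prohibited code point U+%04X" % ord(ch))
    return out


def prepare_password(raw, allow_empty):
    """Prepare a password; `allow_empty` is the policy choice debated above."""
    prepared = saslprep_simplified(raw)
    if not prepared and not allow_empty:
        raise ValueError("password is zero length after preparation")
    return prepared


if __name__ == "__main__":
    # Constructed inputs: SOFT HYPHEN and ZERO WIDTH JOINER are both in table B.1.
    for raw in ("I\u00adX", "\u00ad\u200d", ""):
        for allow in (True, False):
            try:
                print(repr(raw), allow, "->", repr(prepare_password(raw, allow)))
            except ValueError as exc:
                print(repr(raw), allow, "-> rejected:", exc)
```

An application that checks for an empty password only before preparation will miss the second constructed input, so the length check belongs after the mapping and normalization steps.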