IETF Logo Mail Archive

Re: [precis] Stephen Farrell's Discuss on draft-ietf-precis-saslprepbis-17: (with DISCUSS and COMMENT)

Alexey Melnikov <alexey.melnikov@isode.com> Wed, 27 May 2015 13:06 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: precis@ietfa.amsl.com
Delivered-To: precis@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BE5C1A88F0; Wed, 27 May 2015 06:06:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yDME4X1F0G2I; Wed, 27 May 2015 06:06:51 -0700 (PDT)
Received: from waldorf.isode.com (waldorf.isode.com [217.34.220.150]) by ietfa.amsl.com (Postfix) with ESMTP id B261A1A88E9; Wed, 27 May 2015 06:06:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1432732004; d=isode.com; s=selector; i=@isode.com; bh=JbkBQsojO2NvnXFbXY3gCCA4Jbuc3EbWjuVmswLkZZM=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=l9zWs26oOtG4UssdtTpy7RR2ZIulpI52JZNkLga0eJhic+5wcAjF/XS6M4BoJAoUU9AGba t4B86mb8tGZayqWGRmWPfVohe5xmBknaAHMSs6kQZeQpFACFtWStgNLh/n/U+Ic3C3EvFR V3xcyjCCwqpKtGH6DdgYIShR6/jcn8w=;
Received: from [172.20.1.215] (dhcp-215.isode.net [172.20.1.215]) by waldorf.isode.com (submission channel) via TCP with ESMTPSA id <VWXBZAAZWxkj@waldorf.isode.com>; Wed, 27 May 2015 14:06:44 +0100
Message-ID: <5565C153.1030708@isode.com>
Date: Wed, 27 May 2015 14:06:27 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
References: <20150527125619.24017.77007.idtracker@ietfa.amsl.com>
In-Reply-To: <20150527125619.24017.77007.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/precis/O87lmbnmHuDRMQvpfDRdltagXxc>
Cc: draft-ietf-precis-saslprepbis@ietf.org, precis@ietf.org, draft-ietf-precis-saslprepbis.ad@ietf.org, precis-chairs@ietf.org, draft-ietf-precis-saslprepbis.shepherd@ietf.org
Subject: Re: [precis] Stephen Farrell's Discuss on draft-ietf-precis-saslprepbis-17: (with DISCUSS and COMMENT)
X-BeenThere: precis@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Preparation and Comparison of Internationalized Strings <precis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/precis>, <mailto:precis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/precis/>
List-Post: <mailto:precis@ietf.org>
List-Help: <mailto:precis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/precis>, <mailto:precis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2015 13:06:53 -0000

Hi Stephen,

On 27/05/2015 13:56, Stephen Farrell wrote:
  [...]
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
>
> 4.1: zero length password - I think you're wrong on that
> one but it is arguable. If RFC4013 also prohibited zero
> length passwords (I couldn't tell at a quick glance)
Yes, zero length password was always prohibited by RFC 4013. If you look 
at various RFCs that reference SASLPrep, they say "if the password is 
invalid or zero length after applying SASLPrep normalization, then 
reject it" (or similar words).
> or if
> the WG did debate this and having done so decided to
> prohibit zero length passwords then I will clear the
> discuss immediately. But if not, I'd like to chat about
> it...
>
> There are situations where an empty password is ok (say
> when I'm not "protecting" something but just want to know
> what user's profile to use, e.g. for weather) and that is
> supported in many systems (that hence won't be able to
> exactly adopt this) and insisting on a non-empty password
> could be more damaging than allowing a zero-length
> password, whenever a user re-uses a password for something
> for which no password is really needed (and which hence is
> less likely to be well protected) and where that password
> is also used to protect something of significantly higher
> value. The zero-length password is also not an interesting
> subset of the set of stupid passwords really so doesn't
> deserve to be called out as such (and you say that in the
> draft when you talk about length-1 passwords.) So I think
> allowing zero length passwords is better overall, and more
> consistent with implementations.
The main reason for disallowing it was because with SASLPrep (or 
Precis), a non empty sequence of characters can result in empty password 
after canonicalization, which seems misleading/dangerous if allowed.
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
>
> - Unsurprisingly, the diff between this and RFC4013 isn't
> useful, so I read from scratch. If I'm commenting on
> something that was already true of 4013, just tell me and
> that'll be fine.
>
> - intro: given the unsolved i18n issues and the fact that
> passwords are crap (security wise) would it be fair to ask
> that you add a sentence here to encourage folks to not use
> passwords at all but some better form of authentication,
> when that's possible? (Which is sadly not nearly common
> enough for user authentication.)
Can you suggest specific text? It is a bit hard to agree/disagree in 
abstract.

v2.23.0 | Report a Bug | By Email