Re: [precis] Stephen Farrell's No Objection on draft-ietf-precis-saslprepbis-17: (with COMMENT)
Alexey Melnikov <alexey.melnikov@isode.com> Wed, 27 May 2015 15:47 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: precis@ietfa.amsl.com
Delivered-To: precis@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B36F1B2CD5; Wed, 27 May 2015 08:47:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d3umGlxTrJaM; Wed, 27 May 2015 08:47:11 -0700 (PDT)
Received: from waldorf.isode.com (waldorf.isode.com [217.34.220.150]) by ietfa.amsl.com (Postfix) with ESMTP id 954791B2D72; Wed, 27 May 2015 08:47:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1432741629; d=isode.com; s=selector; i=@isode.com; bh=Da6tJB8zeMF/IA+Uy9f9u4wLjQB0k6Io/Wl5DD/TiyQ=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=Sie9wFJ7nwdDp7z5GOfcDnv20oKqNXpj5u/MOLN7amGe7ThROjO1TR6qKGA1N7OFx3J2rB FaAgqpyUpEgCLv75zZqalyo+eb4JS9p3rnqllg2dEGyJ2iItyGsnd8RfsAlLcSpK9QH72b Vi2IdEQ9LY3Ko1bv/MgKgMyL03kuvTM=;
Received: from [172.20.1.215] (dhcp-215.isode.net [172.20.1.215]) by waldorf.isode.com (submission channel) via TCP with ESMTPSA id <VWXm=AAZW2LB@waldorf.isode.com>; Wed, 27 May 2015 16:47:09 +0100
Message-ID: <5565E6EB.7010505@isode.com>
Date: Wed, 27 May 2015 16:46:51 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
To: Peter Saint-Andre - &yet <peter@andyet.net>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
References: <20150527132109.25645.76593.idtracker@ietfa.amsl.com> <5565DB7E.6080508@andyet.net> <5565DEF5.6090405@cs.tcd.ie> <5565E295.1010505@andyet.net> <5565E65D.9030605@andyet.net>
In-Reply-To: <5565E65D.9030605@andyet.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/precis/fXVF9XhiPwTc9J-CdEdMzBrteqU>
Cc: draft-ietf-precis-saslprepbis.ad@ietf.org, precis-chairs@ietf.org, precis@ietf.org, draft-ietf-precis-saslprepbis@ietf.org, draft-ietf-precis-saslprepbis.shepherd@ietf.org
Subject: Re: [precis] Stephen Farrell's No Objection on draft-ietf-precis-saslprepbis-17: (with COMMENT)
X-BeenThere: precis@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Preparation and Comparison of Internationalized Strings <precis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/precis>, <mailto:precis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/precis/>
List-Post: <mailto:precis@ietf.org>
List-Help: <mailto:precis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/precis>, <mailto:precis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2015 15:47:13 -0000
On 27/05/2015 16:44, Peter Saint-Andre - &yet wrote: > On 5/27/15 9:28 AM, Peter Saint-Andre - &yet wrote: >> On 5/27/15 9:12 AM, Stephen Farrell wrote: >>> >>> On 27/05/15 15:58, Peter Saint-Andre - &yet wrote: >>>> On 5/27/15 7:21 AM, Stephen Farrell wrote: >>>>> Stephen Farrell has entered the following ballot position for >>>>> draft-ietf-precis-saslprepbis-17: No Objection > > <snip/> > >>>>> 4.1: zero length password - I think you're wrong on that >>>>> one but it is arguable. This was a discuss until you told >>>>> me that 4013 prohibited 'em too so probably no point >>>>> in changing now if it's just my opinion. >>>>> >>>>> There are situations where an empty password is ok (say >>>>> when I'm not "protecting" something but just want to know >>>>> what user's profile to use, e.g. for weather) and that is >>>>> supported in many systems (that hence won't be able to >>>>> exactly adopt this) and insisting on a non-empty password >>>>> could be more damaging than allowing a zero-length >>>>> password, whenever a user re-uses a password for something >>>>> for which no password is really needed (and which hence is >>>>> less likely to be well protected) and where that password >>>>> is also used to protect something of significantly higher >>>>> value. The zero-length password is also not an interesting >>>>> subset of the set of stupid passwords really so doesn't >>>>> deserve to be called out as such (and you say that in the >>>>> draft when you talk about length-1 passwords.) So I think >>>>> allowing zero length passwords is better overall, and more >>>>> consistent with implementations. >>>> >>>> I see your point. Do you have a sense of what kind of systems today >>>> allow zero-length passwords? Given that RFC 4013 prohibited >>>> zero-length >>>> passwords and that they provide no security whatsoever, I don't see a >>>> compelling reason to modify the recommendation. However, as you say >>>> this >>>> document doesn't provide general guidance on password strengthy >>>> anyway, >>>> so I suppose I'd be fine with changing it to SHOULD NOT as long as we >>>> provide some text about why zero-length passwords are acceptable in >>>> some >>>> existing systems. >>> >>> I think most operating systems either allow empty passwords >>> or else try insist on what they think is "strong" or else >>> give some strength feedback to the user. Many CLI tools allow >>> for empty passwords in case they're used in a script and >>> the same goes for passwords needed by servers that might >>> ever need to restart without a human. (And yes in most cases >>> such tools provide a way to input a password from e.g. a >>> file, but that's often no more secure than no password >>> given how filesystem access control works.) >>> >>> I'll leave it to you folks to decide if you think a SHOULD >>> NOT is ok or not, but I suspect you might want to check that >>> the WG are ok with that change from 4013. >> >> Most definitely. >> >>> I suppose an alternative might be to just note some of >>> the issues above and say that in a bunch of cases an >>> application will have to accept as input either <empty-string> >>> or <password>. I guess that's what's done now in any case >>> and I'd be fine with handling it that way too if you prefer. >> >> Ah, true. That seems preferable to me. Agreed. >> Let's see if Alexey and I can formulate some text... > > How's this? (I haven't checked it with Alexey yet but he can reply here.) > > OLD > Note: The prohibition on zero-length passwords is not a > recommendation regarding password strength (since a password of > only one byte is highly insecure), but is meant to prevent > applications from omitting a password entirely. > > NEW > Note: Some existing systems allow an empty string in places where > a password would be expected (e.g., command-line tools that might > be called from an automated script, or servers that might need to > be restarted without human intervention). From the perspective of > this document (and RFC 4013 before it), these empty strings are > not passwords but are workarounds for the practical difficulty of > using passwords in certain scenarios. The prohibition on zero- > length passwords is not a recommendation regarding password > strength (since a password of only one byte is highly insecure), > but is meant to prevent applications from mistakenly omitting a > password entirely, since when internationalized characters are > accepted a non-empty sequence of characters can result in a zero- > length password after canonicalization. Yes, this looks great. Thank you!
- [precis] Stephen Farrell's No Objection on draft-… Stephen Farrell
- Re: [precis] Stephen Farrell's No Objection on dr… Peter Saint-Andre - &yet
- Re: [precis] Stephen Farrell's No Objection on dr… Stephen Farrell
- Re: [precis] Stephen Farrell's No Objection on dr… Peter Saint-Andre - &yet
- Re: [precis] Stephen Farrell's No Objection on dr… Peter Saint-Andre - &yet
- Re: [precis] Stephen Farrell's No Objection on dr… Alexey Melnikov
- Re: [precis] Stephen Farrell's No Objection on dr… Stephen Farrell
- Re: [precis] Stephen Farrell's No Objection on dr… Peter Saint-Andre - &yet