IETF Logo Mail Archive

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

"Gould, James" <jgould@verisign.com> Tue, 05 June 2018 15:11 UTC

Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EBE41310DA for <regext@ietfa.amsl.com>; Tue, 5 Jun 2018 08:11:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qZWUfED2hCtR for <regext@ietfa.amsl.com>; Tue, 5 Jun 2018 08:11:22 -0700 (PDT)
Received: from mail3.verisign.com (mail3.verisign.com [72.13.63.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE8F41310D7 for <regext@ietf.org>; Tue, 5 Jun 2018 08:11:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=6870; q=dns/txt; s=VRSN; t=1528211482; h=from:to:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=UzrP8vhUnOY1s8eLPwi0gaRJkbf0zVawdSvYOD81Pyc=; b=RsofFioECscg/phsmU1dD0GHk2u+RrAFGX1UrZ0K3jIZJBOKjm3JAx6r +YVSslotQUsaVO5HGKejvo+KzhWj+hhyRaDitDrOcil31OaOW88Cwd6gT JFqs8T/xHNp2P9XkdVMHmh/YQBDLL7zQrQ+QHJDcyoy2oBx/Mx3/doJrz fqYww19k2aBe7/ujT/Ib3Wvf4d7NzPCCb+CCav2bOjTjaP9xay8DvcPHC GFURJHjWs637oqEUAAoCA+N9mECoFuQqjGosrowHrCmErD75fDSk/bz7U G2T70wFRos07JBH5uA4UtwQT3HTrKEPrQq3f4JtIrbSSKY6hSfBZIMHdo Q==;
X-IronPort-AV: E=Sophos;i="5.49,479,1520899200"; d="scan'208";a="4876539"
IronPort-PHdr: 9a23:jSmKMh3VGVjr5IxlsmDT+DRfVm0co7zxezQtwd8ZseMTL/ad9pjvdHbS+e9qxAeQG9mDtrQc06L/iOPJYSQ4+5GPsXQPItRndiQuroEopTEmG9OPEkbhLfTnPGQQFcVGU0J5rTngaRAGUMnxaEfPrXKs8DUcBgvwNRZvJuTyB4Xek9m72/q99pHPYwhEniaxba9vJxiqsAvdsdUbj5F/Iagr0BvJpXVIe+VSxWx2IF+Yggjx6MSt8pN96ipco/0u+dJOXqX8ZKQ4UKdXDC86PGAv5c3krgfMQA2S7XYBSGoWkx5IAw/Y7BHmW5r6ryX3uvZh1CScIMb7Vq4/Vyi84Kh3SR/okCYHOCA/8GHLkcx7kaZXrAu8qxBj34LYZYeYP+d8cKzAZ9MXXWpPUNhMWSxdDI2ybIUPAOgPMuZZs4bzqFQBoACiBQa3AePj1iNEi2X00KA8zu8vERvG3AslH98WvnjardL1NLoWUe+o1KXD0DHNYOlT2Tjj84jEfA0qrPaOXbJ/dsrR1E0vGB7eg1WOt4PlJTKV1v8Ms2iU6epsT/6gi2kiqwxopDWk28kiio7Mho0Py1DE8z10wJgrKt2iSU57et+kEJRWtyGbMYt5XtkuTH1vuCY/0rEGuIC0fDQEyJg9wB7fcfOHfo6V6RzgTOacOSp0iG5/dL6ihRu//1KsxvD8W8S6ylpHoS5InsHRunwRzRDf98qKR/Vn8ku82TuC2Rrf5+5HLE0yiKHVMYQuwqQqmZoWqUnDGyj2l1jog6KObUUk//So6/zgYrX7up+QL490hR/6MqQpgsGyHPg2PBATU2eb4eqy27zs8VHnTLlQkP05jq7ZsIrCJcgBvKG2HhVZ0pg56xakCTeqysgXnX4CLF5deRKHiZbmO03WLfzlEfuzmUmgnTVlyvzcI7HsApvAImLMnbrlZbp97lRTyAs3zdBR/ZJUDbQBLerxWk/+s9zYExs5PBGvzub5Ftp9zIIeWXmOAq+WNqPeq0OH5uUqI+WUfo8apC79K+Q55/7plXI5gVodcLK00psQdHC3BPJmLFiFbnrrmNsODWAKvg8mRuzwlFKCSSJTZ2q1X68k/DE0Fo2mApnMR4Cxm7GB3Tm0HoFYZmxcDVCMC3joJM24XKI0YT6II8Ri2hkJS6qsSMd1zRSGuAjmwrxrJe2S8Sod49arnsJ46ODDiTkz+CB6ScOH3CvFG3t5kW4YWxc30bxx50tnxQHQ/7J/hqkSOttO4/8NGiUzMJPHhaQuCd/1RwbNVsmEUle9Q9qgRzo2S4RikJc1f09hFoD63Vj41C2wDupQzuTTCQ==
X-IPAS-Result: A2FVAADhpxZb/zGZrQpZAxoBAQEBAQIBAQEBCAEBAQGEJYEnCoNuiASORyGUS4E9Fx0HCxgLC4N4RgIXgis0GAECAQEBAQEBAgEBAoEEDII1JAEOLxwhCAEFAQEBAQEBJwEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQgCCAc1EgEBGQEBAQMBASEROgkSAgEIDgoCAhIBAQsHAgICJQsVEAIEARKDIgKCDqccghyIQYFoCQGBAYkMPoEPJAyCXIMRAQEDAYFGLQomAQEFgjIwgiQChyaRSAMGAoVqhTWFPoseiXYChwACAgICBAUCFIFBggtwFTsqAYIYCYI/gzSFFIU+bwkDASOMTQ0VgQqBGQEB
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3; Tue, 5 Jun 2018 11:11:16 -0400
Received: from BRN1WNEXCAS02.vcorp.ad.vrsn.com (10.173.152.206) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.1466.3 via Frontend Transport; Tue, 5 Jun 2018 11:11:16 -0400
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas02.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0301.000; Tue, 5 Jun 2018 11:11:16 -0400
From: "Gould, James" <jgould@verisign.com>
To: Patrick Mevzek <pm@dotandco.com>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [EXTERNAL] Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt
Thread-Index: AQHT/ELbV2b5ShbjYkSiGgp+hocUlKRRZ7wAgABeooA=
Date: Tue, 05 Jun 2018 15:11:15 +0000
Message-ID: <F51077D3-BBC9-4988-B2CD-7AE239623A2F@verisign.com>
References: <61D9AB58-FF73-4642-9F01-01E1808E08BC@verisign.com> <1528176752.2069319.1396420528.6ABF4D3A@webmail.messagingengine.com>
In-Reply-To: <1528176752.2069319.1396420528.6ABF4D3A@webmail.messagingengine.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.d.1.180523
x-originating-ip: [10.173.153.48]
Content-Type: text/plain; charset="utf-8"
Content-ID: <D767C9BD705A2842B6FD4086799DEC71@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/0DjvrxwE9Z0qLuNk3JM8aqLYor4>
Subject: Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jun 2018 15:11:25 -0000

Patrick, 

Thanks for your review of the extension and your feedback.  I include comments to the feedback below.
  
—
 
JG



James Gould
Distinguished Engineer
jgould@Verisign.com

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com <http://verisigninc.com/> 

On 6/5/18, 1:32 AM, "regext on behalf of Patrick Mevzek" <regext-bounces@ietf.org on behalf of pm@dotandco.com> wrote:

    On Mon, Jun 4, 2018, at 22:30, Gould, James wrote:
    > The Login Security Extension (draft-gould-regext-login-security) was 
    > posted 
    > (https://datatracker.ietf.org/doc/draft-gould-regext-login-security/) 
    
    Thanks James, this is nice.
    
    Some comments before really trying to implement it:
    
    - I am not a huge fan of the [LOGIN-SECURITY] token, but I see no good alternatives. Specifically, this variant forbids any later revision of the specification. So I would either argue for the shortname, loginSec-1.0, so that at least it will be backwards compatible or, to be bolder, use RFCXXXX when XXXX will be known...
    Or to want to avoid collisions at all cost, I would either go towards something like U+001A (SUBSTITUTE) or U+001B (ESCAPE) repeated 16 times.
    
    Or a completely different route would be to use the XML ID/IDREF mechanism.
    I am not 100% sure but maybe the current <pw> could have an xml:IDREF attribute with a path pointing to the new loginSec:pw node which would have the corresponding xml:ID attribute?
  
JG - The reason for a '[LOGIN-SECURITY]' constant value in RFC 5730 <pw> is because the <pw> element is required and must be between 6 and 16 characters, so it must be populated with something.  On the server-side, the <loginSec:pw> value is looked at only if the '[LOGIN-SECURITY]' constant value is specified in the <pw> element.  This means that the existing <pw> element is never ignored but simply used to explicitly refer to the <loginSec:pw> element with the use of a pre-defined constant value.  There may be a better constant value to use or another mechanism that is compliant with RFC 5730, while allowing for overriding the password value in the extension.  The same approach is used for the RFC 5730 <newPw> element, and the related <loginSec:newPw> element.  Use of the constant password value and the login security extension maintains backward compatibility, maintains compliance with RFC 5730, and enables an incremental switch to use longer passwords with the login security extension (e.g., short password with <pw> element and long new password via the <loginSec:newPw> element).  The server would need to disallow the password to be set to '[LOGIN-SECURITY]'  to avoid conflict; otherwise the client would need to use the '[LOGIN-SECURITY]' value with the RFC 5730 <pw> element and with the <loginSec:pw> element to authenticate.  

  
    - for loginSec:pw/loginSec:newPw I am not a fan of specifying minimum length, because if you remove all maximum length constraint in the schema for the maximum, by symmetry I would do the same for the minimum, leaving both to pure policy choices by the server (the "sensible"  minimum depends of course on the number of different characters allowed, it would not be the same value when accepting only ASCII or when accepting "any" Unicode characters
  
JG - I don't believe that the security would be enhanced by removing the minimum length.  RFC 5730 had a minimum of 6 characters and I bumped it up to a minimum of 8 characters to match current password security guidelines.  NIST defines the minimum length as 8 characters.     
  
    - I would also not put anything here related to what characters are allowed or not. I would instead defer to the PRECIS framework (RFC7564) and more specifically section 4 of RFC8265. At least as a base, using OpaqueString and then building one more constrained on top of it if it is really deemed important
    (passwords here are typically not seen nor managed by humans, so I think they need less strict rules than when handled by humans, and I see no problems per se with spaces... I have seen far more trouble when people try to use < or & in a password and forgetting to encode it as those are specific characters in an XML streams).
    
    I know that RFC5730 does the same thing, but it was written before PRECIS.
    So now I think we should instead build on it.

JG - The rules around the leading / trailing whitespace and the contiguous whitespace is based on the selection of the XML schema "token" type.  We could consider changing the type, but that is the type defined in RFC 5730.  The login security extension simply removes the maximum length constraint and increases the minimum length constraint from 6 characters to 8 characters to meet current security guidelines.     

    
    -- 
      Patrick Mevzek
    
    _______________________________________________
    regext mailing list
    regext@ietf.org
    https://www.ietf.org/mailman/listinfo/regext

v2.23.0 | Report a Bug | By Email