Re: [regext] AD review for draft-ietf-regext-login-security-04
"Patrick Mevzek" <pm@dotandco.com> Tue, 05 November 2019 21:48 UTC
Return-Path: <pm@dotandco.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 313C0120B7E for <regext@ietfa.amsl.com>; Tue, 5 Nov 2019 13:48:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dotandco.com header.b=nKRfVca5; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=a2Kb+Q58
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r58RSwMR-0G4 for <regext@ietfa.amsl.com>; Tue, 5 Nov 2019 13:48:47 -0800 (PST)
Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1942120BFF for <regext@ietf.org>; Tue, 5 Nov 2019 13:48:45 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id 0A0A54FC; Tue, 5 Nov 2019 16:48:44 -0500 (EST)
Received: from imap1 ([10.202.2.51]) by compute3.internal (MEProxy); Tue, 05 Nov 2019 16:48:45 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dotandco.com; h= mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm1; bh=3AWfQ xiZFEZNnUjqlyvcfDIOtXImO+ap+3utNaC74wc=; b=nKRfVca5l4IFMiC8YeMQo bw55EVXZtNj6Qfvb3Jl5hqUnurG1t1J/ZoMGM/YrP5hX+FYr3lxHRkB9wXNPc51W hu58xFSKDARufBJfLe/ffjHv7MUkFzoYjo4CXYJoiUDqM0doDoGX5GBNotTnhFIR F9CvRaCT9i1awJKkcgcePLov7oU4oxlCXpDvEC6ENv/nu2fpiqfyBBbPxCAh+86Q VijfcUsIejyS8xe28Ak9j+WSCph4/dxXo65qOycwfp/wsreGPOFMUUiIdFp/camG nMGUo3yeAGrJ3+1JH26dj/qLhcWOiqjgwspVTuL7boMlI5R6Ur9EFV/ER++oXiYH g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=3AWfQxiZFEZNnUjqlyvcfDIOtXImO+ap+3utNaC74 wc=; b=a2Kb+Q58vWttNubnw8S8Dr6iI0xW+Bc5Fd8oYM56ckJX2HzBD15TjHLb1 BuRfYFQK4gz1YaLTLRH/7p3uH47yL5DX8XvlHbpfiuKPVYjn+txW+A2G23xJSbkw VQlrZ7wp79C1KjJkYb5ht27qaxXQzdw/W6Tm3ULBIgq+pSuyyFWW3zBLnJgeHXLt hB2HF1e+gNLnmxhmJx+vgxmAj/2PqjMm1tu/vEfxYn87F3mJCDK1Zy+3Xm93ZB+X 1JWuBupESTGm+wZlGnoDqDXtqIES+J06931TL/rDsXIPZ9J4hGDuvytlYRy80lS2 a7WShd7yFD8kA+8uvtk8RakVkn9hw==
X-ME-Sender: <xms:PO7BXTXF-uX4rCfnZA9f_dw2OsLE9lq9f4PLGAYxWGBkdk-Jng36vxWjxHg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrudduhedgudehgecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefofgggkfgjfhffhffvufgtgfesthhqredtreerjeenucfhrhhomhepfdfr rghtrhhitghkucfovghviigvkhdfuceophhmseguohhtrghnuggtohdrtghomheqnecurf grrhgrmhepmhgrihhlfhhrohhmpehpmhesughothgrnhgutghordgtohhmnecuvehluhhs thgvrhfuihiivgeptd
X-ME-Proxy: <xmx:PO7BXdf9vV6iHk-rbiu3fbD5cIocPxBsZKSHHKxFxiy67mfQi3L4ww> <xmx:PO7BXUB76IeofD8gmlBDJSj1_XYqfXeN44IPloFRpm837ysU_5B3qg> <xmx:PO7BXc1CIW9x7XZAQmADNaEfKZdT_3APjZzXkbONjxsE6UrrbpMT4Q> <xmx:PO7BXe0osO2fRlRorS5ml2-wKzIr0Q-sXoAgwd_oPh2cH2EOzijgzQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id CFC42C200A4; Tue, 5 Nov 2019 16:48:43 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-509-ge3ec61c-fmstable-20191030v1
Mime-Version: 1.0
Message-Id: <72f6eb64-3945-435c-b385-44b2e828f57c@www.fastmail.com>
In-Reply-To: <91FC7392-CF86-45E8-9E52-00089ABBEA28@verisign.com>
References: <DAB825B6-F9BA-4B39-9273-1FA4DCE53882@verisign.com> <CALaySJJx4u1271WdEaD=BA1adRkHe1URWaqXBb7YKoPBo9rG9Q@mail.gmail.com> <c8913828-7705-4227-a938-253ad2c0a63c@www.fastmail.com> <91FC7392-CF86-45E8-9E52-00089ABBEA28@verisign.com>
Date: Tue, 05 Nov 2019 16:48:23 -0500
From: Patrick Mevzek <pm@dotandco.com>
To: James Gould <jgould@verisign.com>, "regext@ietf.org" <regext@ietf.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/9pIgxiNMdj9X8IYN7sMfY7JiXGw>
Subject: Re: [regext] AD review for draft-ietf-regext-login-security-04
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2019 21:48:49 -0000
On Tue, Nov 5, 2019, at 16:37, Gould, James wrote: > The trimming and collapsing of whitespace in > draft-ietf-regext-login-security is a feature of the XML schema “token” > type that exists today based on what’s defined in RFC 5730. I know. I was just going into Barry's way, as it makes no sense to me as well to not allow two multiple U+0020 spaces, but we allow U+00A0 U+0020, which is a variation of the same thing. We are "mostly" safe because all of those are typically not user handled passwords, as they are used for machine to machine connections, so "mostly" safe from display and human handling issue. But just "mostly", not completely. > There is > no issue with complying with the NIST recommendation, where the use of > the trimming and collapsing of the XML schema "token" type is needed to > address XML formatting issues (e.g., XML pretty printing). I did not say that there is an issue there, nor that following this recommendation is good or bad. Note however it remains vague as saying "*THE* space character" (emphasis mine) and "UNICODE characters should be accepted as well" and these 2 sentences do not mix well as Unicode defines more than one "space" character... > I don't see the applicability of PRECIS for > draft-ietf-regext-login-security. I am sorry if I failed to show its applicability, but for me it is absolutely applicable to it. It gives both a framework and examples. The framework allows each application (that is each protocol) to properly define "classes" of strings, such as the one for usernames or the one for passwords, and to define the rules in it. This is completely orthogonal to the final schema used to encode the stuff in some framing protocol, such as XML here. But we had this debate before as I brought the issue, you already said it is not relevant in your opinion, and the draft is now near standardization, so too late and useless to discuss it again I think. I didn't want to bring the issue again, I was just leaning towards Barry's opinion that the constraints are "strange" (yes they come from the XML schema datatypes, but that does not define the semantic of the field, which is not just an XML token, but really a password, which is all the discussion of PRECIS in fact). -- Patrick Mevzek pm@dotandco.com
- [regext] Publication has been requested for draft… James Galvin via Datatracker
- [regext] AD review for draft-ietf-regext-login-se… Barry Leiba
- Re: [regext] AD review for draft-ietf-regext-logi… Gould, James
- Re: [regext] AD review for draft-ietf-regext-logi… Barry Leiba
- Re: [regext] AD review for draft-ietf-regext-logi… Patrick Mevzek
- Re: [regext] AD review for draft-ietf-regext-logi… Gould, James
- Re: [regext] AD review for draft-ietf-regext-logi… Patrick Mevzek