IETF Logo Mail Archive

Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

Patrick Mevzek <pm@dotandco.com> Tue, 05 June 2018 05:32 UTC

Return-Path: <pm@dotandco.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 415D9130ED6 for <regext@ietfa.amsl.com>; Mon, 4 Jun 2018 22:32:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dotandco.com header.b=fMVkbVJN; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=fc6qfSPP
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nYDrATs5u-7I for <regext@ietfa.amsl.com>; Mon, 4 Jun 2018 22:32:34 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 012CE130ED1 for <regext@ietf.org>; Mon, 4 Jun 2018 22:32:33 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 58AA821C23 for <regext@ietf.org>; Tue, 5 Jun 2018 01:32:33 -0400 (EDT)
Received: from web3 ([10.202.2.213]) by compute3.internal (MEProxy); Tue, 05 Jun 2018 01:32:33 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dotandco.com; h= content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm3; bh=GAWF1vaziWtMyTA2qD7M4RuP/zWJA XSTzsXYEcti9wI=; b=fMVkbVJNirSULyel9rYvnl77fbQtvVUUvGsiUEsrAd9Fv xRJU9yxYWRIruTpfAM8SPJwgGS9ZF083WujTMDnZAk9qWxKTS3ac5/3D8AMzURFJ Ey65eLveinWLAYzeRaaTnjSOpXT5SBXi40pJ+2pe+jkVsVr+xWntK1kAHLaQFWzN OFWFrgJNFxuxOkSuB0rsAote+BUt9W53OxQCEYu3HZ/ND5llbhY1Esa83DpCmzaJ z9Vo5soDMAm4/Pj8eWnVyhrewjbUDbUsTgejWvNFCPWMWFa5aFOUwqDQ7GxUAQRt nggps6Wr2llk/mfCqRZV/1GGDTTl6tAf0NlSSZH7A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=GAWF1v aziWtMyTA2qD7M4RuP/zWJAXSTzsXYEcti9wI=; b=fc6qfSPPYH0TDX9Cfa7Mqn LZgWyI8x1wGKm9TRFbAxqc2UkSpAst0MfZB4PfyxePnTn/UG2x35eNBoYuY6nwsl O0Uk7niTOesfFsgM/0dZAgmGT9MY3oMCE44vudvx50ljuUufkiXD/wRTFOV5ecbJ D6n6SUNmIlKfS2c9HJh0G984zExxZ1KWTH1n5VM0V5YWwyaumhYhYa2KLqPay6tL Xcv+KqyyO0/iJq+LS65G7aLUTday1lLhDo03E56nuT5YML4PCju7q9+wS4WcDQ2U RIlhIuNuN2V2Fb2pFER5e/N38vMqBDzdsGola6ndoyLP1I393lA0tKNvJBFspkzA ==
X-ME-Proxy: <xmx:cSAWW8VMHQqIFOq_KKA2BQtu6xaoClVOw5VJ6GlNVzjr3bakOKydng>
X-ME-Proxy: <xmx:cSAWW_iyOdHvnQWo6rp1-wYYMeF2LhwFpHvoXCcRZ_ymimB_1lGWMg>
X-ME-Proxy: <xmx:cSAWW8d2pixba0aZyz2wyFU26SMkxnxmB7k-g7oHbIyFGXVWUJ68Sg>
X-ME-Proxy: <xmx:cSAWW-3M7gMg153Aa-0R3Ur9ftOnI2c2auYvaD1LreuK7ZmL6fK4hg>
X-ME-Proxy: <xmx:cSAWW4r-1_8w3i0GQ7e5l0MhBwpgRtl1YBzkP7_A9FKScsY4AjITEA>
X-ME-Proxy: <xmx:cSAWW3qRORPtk-WfDEnGsn38yrjrbOuucUmtN9YgBASgsyg0-PG27w>
X-ME-Sender: <xms:cSAWW6WhotmCEbb78giX7CvQQPIKUqB15qylTQreDFR5AcZgq1CPKBK3jH8>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id DE0069E36D; Tue, 5 Jun 2018 01:32:32 -0400 (EDT)
Message-Id: <1528176752.2069319.1396420528.6ABF4D3A@webmail.messagingengine.com>
From: Patrick Mevzek <pm@dotandco.com>
To: regext@ietf.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf-8"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-fb4a77ea
In-Reply-To: <61D9AB58-FF73-4642-9F01-01E1808E08BC@verisign.com>
References: <61D9AB58-FF73-4642-9F01-01E1808E08BC@verisign.com>
Date: Tue, 05 Jun 2018 07:32:32 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/YBUoZ2rqSujfGiq4mXfgwgA0nJ4>
Subject: Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jun 2018 05:32:36 -0000

On Mon, Jun 4, 2018, at 22:30, Gould, James wrote:
> The Login Security Extension (draft-gould-regext-login-security) was 
> posted 
> (https://datatracker.ietf.org/doc/draft-gould-regext-login-security/) 

Thanks James, this is nice.

Some comments before really trying to implement it:

- I am not a huge fan of the [LOGIN-SECURITY] token, but I see no good alternatives. Specifically, this variant forbids any later revision of the specification. So I would either argue for the shortname, loginSec-1.0, so that at least it will be backwards compatible or, to be bolder, use RFCXXXX when XXXX will be known...
Or to want to avoid collisions at all cost, I would either go towards something like U+001A (SUBSTITUTE) or U+001B (ESCAPE) repeated 16 times.

Or a completely different route would be to use the XML ID/IDREF mechanism.
I am not 100% sure but maybe the current <pw> could have an xml:IDREF attribute with a path pointing to the new loginSec:pw node which would have the corresponding xml:ID attribute?

- for loginSec:pw/loginSec:newPw I am not a fan of specifying minimum length, because if you remove all maximum length constraint in the schema for the maximum, by symmetry I would do the same for the minimum, leaving both to pure policy choices by the server (the "sensible"  minimum depends of course on the number of different characters allowed, it would not be the same value when accepting only ASCII or when accepting "any" Unicode characters

- I would also not put anything here related to what characters are allowed or not. I would instead defer to the PRECIS framework (RFC7564) and more specifically section 4 of RFC8265. At least as a base, using OpaqueString and then building one more constrained on top of it if it is really deemed important
(passwords here are typically not seen nor managed by humans, so I think they need less strict rules than when handled by humans, and I see no problems per se with spaces... I have seen far more trouble when people try to use < or & in a password and forgetting to encode it as those are specific characters in an XML streams).

I know that RFC5730 does the same thing, but it was written before PRECIS.
So now I think we should instead build on it.

-- 
  Patrick Mevzek

v2.23.0 | Report a Bug | By Email