Re: [regext] Benjamin Kaduk's Discuss on draft-ietf-regext-login-security-07: (with DISCUSS and COMMENT)

Barry Leiba <> Sat, 15 February 2020 05:12 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 058191200CC; Fri, 14 Feb 2020 21:12:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.401
X-Spam-Status: No, score=-1.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id EboLk5jdwQce; Fri, 14 Feb 2020 21:12:48 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3D6931201CE; Fri, 14 Feb 2020 21:12:41 -0800 (PST)
Received: by with SMTP id d15so12916647iog.3; Fri, 14 Feb 2020 21:12:41 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Fwf55SqiYd59Xc5oFGwzhTMhFNOpAOUlcCrkCetk000=; b=n+4Wbvi4HxMRlU2XAhkGPswNP0BD4/av/AjRgWyCn3PoZCYN1FM0IjwyPrSXNaz7gh BMWx2b+ZDKWGcZ4stnSacT9j8JM75KrMAczk1K6caV+S6s2El0WiRKpQXHsbFA9Hs1PV bIFA4maIDxSg7zToN64zLMRO8zxjU8LDQZqBx20yDndhOPvzjLHaN9eImuMGax3BeDbe uS5FGNFGbfBUB8FF5cgi8xV9iKyBvUhO3ulJSzVDooLHRNVyPcOmTtmKXGTQ2U6xWJgS faYfIVRsHP0109jMKGYVPxyUQ4MZqy3PCsEpJv+PvXvl3is/DMpNCpN/ZvY1UzLhYe4E N/Vw==
X-Gm-Message-State: APjAAAWAzdsICcXawgRFKAgl14wXRHt/NjoAs4qLDI3K1laGf+GgJnTu 7qN8dGR+VOfdn+s/U1wOyullU4WRipYj4b0hypVhsxWa
X-Google-Smtp-Source: APXvYqx5MQF1UIrEisYfSCqXGB+McO7Af7jFlaDXRLOtv43cReY7VRV5+JiBb/fgFfD5eFp8wWSfsCAxzHlnjPIXdLk=
X-Received: by 2002:a5d:9b94:: with SMTP id r20mr4946448iom.140.1581743559969; Fri, 14 Feb 2020 21:12:39 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <> <>
In-Reply-To: <>
From: Barry Leiba <>
Date: Sat, 15 Feb 2020 00:12:29 -0500
Message-ID: <>
To: Benjamin Kaduk <>, "Gould, James" <>
Cc: "" <>, The IESG <>, "" <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [regext] Benjamin Kaduk's Discuss on draft-ietf-regext-login-security-07: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 15 Feb 2020 05:12:50 -0000

Hi, all...

I'm sorry if I'm not completely clear about where the discussion is,
but what Jim's mail system does to the quoting is horrendous (as is
the case with most HTML-based mail systems), and I can't easily follow
the thread.

So I'm just picking up this recent bit from Ben:

> I think it would probably be helpful for the responsible AD to chime in; my
> understanding is still that the PRECIS profiles are to be used as part of a
> protocol as opposed to part of a deployment, and that allowing for
> different rules to be used in different sites is risky.  I understand that
> there's the extra context here of the potential for preexisting deployments
> that started using non-ASCII passwords in the absence of any guidance from
> the IETF on how to do so, and we have to consider whether what we do will
> break them, and so hearing from someone versed in the matter who has
> thought about this particular case would help assuage my concerns.  One
> possible route (given that, as I understand it, a lot of EPP deployments
> involve exchange of configuration and deployment information between peers
> out of band) would be to say that the PRECIS profile is used as a default
> in the absence of other configuration knowledge for a given deployment,
> though I acknowledge that this is not without flaws.

I had discussed the PRECIS issue with Jim, which is what resulted in this text:

   It is recommended that the plain text password in the <loginSec:pw>
   and <loginSec:newPw> elements use printable ASCII characters #x20
   (space) - #x7E (~), with high entropy, such as 128 bits.  If non-
   ASCII characters are supported with the plain text password, then use
   a standard for passwords with international characters, such as the
   OpaqueString PRECIS profile in [RFC8265].

I think that's adequate, given that (1) we really are expecting that
almost all passwords out there are ASCII, and we're recommending
keeping it that way, (2) we need to allow, but discourage, non-ASCII
UTF-8 passwords for the (expectedly rare) cases where they might be
used, and (3) these are stored passwords that are passed around,
rather than passwords entered by users and subject to issues created
by different input mechanisms and effects on eyeballs.

I can see that we might want to change "recommended" to "RECOMMENDED",
and I don't object to that (Jim?).  Beyond that, I'm not sure where
you're going with "PRECIS profiles are to be used as part of a
protocol as opposed to part of a deployment."  It's really both,
depending upon the situation.  In this case, it's saying that if your
server supports non-ASCII passwords, you'd better use the OpaqueString
profile to handle them.  If your server doesn't (it supports only
ASCII passwords), we're good.  From a PRECIS point of view, I don't
see more that needs to be done with this.

I think a large part of the point of the text that Jim added is an
acknowledgement that in the common case of ASCII-only passwords, we
don't have to worry about normalization/canonicalization of password
strings at all, and just doing straight byte-string comparisons works.
And the OpaqueString profile is there for cases where it's needed.

Now, it's certainly true that if a server *supports* non-ASCII
passwords, then *all* password processing on that server has to use
the OpaqueString profile, even if there are not any actual non-ASCII
passwords present... just in case one might show up.  And I think the
text does say that.

Is there something in this discussion that I'm missing that I need to
address?  Is there specific text you might suggest?  Are there other
issues beyond this one that are still open?  How close are we to
resolving this?