Re: [regext] draft-ietf-regexy-login-security

"Hollenbeck, Scott" <shollenbeck@verisign.com> Wed, 13 November 2019 13:37 UTC

From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "mt@lowentropy.net" <mt@lowentropy.net>, "regext@ietf.org" <regext@ietf.org>
Date: Wed, 13 Nov 2019 13:37:01 +0000
Message-ID: <78c95628e8f84901b7230f6674ee3120@verisign.com>
References: <406eac6f-f908-4944-8f43-16df858b182f@www.fastmail.com>
In-Reply-To: <406eac6f-f908-4944-8f43-16df858b182f@www.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/b9gSqbAMlWEFWFG_WhbWi_X8IM8>

> -----Original Message-----
> From: regext <regext-bounces@ietf.org> On Behalf Of Martin Thomson
> Sent: Tuesday, November 12, 2019 7:57 PM
> To: regext@ietf.org
> Subject: [EXTERNAL] [regext] draft-ietf-regexy-login-security
>
> In reviewing the IANA registrations for this draft, I noticed a design issue that
> I think the working group needs to discuss more.
>
> From a strictly schema perspective, the whitespace normalization
> requirements for token will likely have implications for usability of passwords
> that include spaces on the <pw> and <newPW> elements.  That's a problem
> for manually constructed messages, so it would be a minor comment.
>
> However, that would ignore the fact that use of plaintext passwords is not a
> good practice.  Even if this is merely revising something from RFC 5730 to
> extend their length (which is fine in isolation), I think that the working group
> needs to more fully consider.  Though it remains common, relying on
> password-based authentication is generally regarded as a failing; though it
> might be unavoidable, most authentication systems try to avoid it, or only
> use passwords as a way to step up to something stronger.  Sending
> passwords in cleartext in protocols is regarded as a serious exposure in most
> systems.  Even passing hashed and salted passwords has risks that mean that
> is generally avoided where possible.

TLS protection is specified to avoid sending passwords in plaintext form.

I agree that we should consider login security improvements over time as new options are available to us. It's always best to start a conversation by throwing a proposal out there for people to consider.

Scott
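Martin's whitespace point, as an added example that is not part of this thread or of the draft: the XSD whiteSpace facet rules applied to constructed sample secrets, plus a check a client could run before placing a password in <pw> or <newPW>. The function names are my own; the facet semantics follow XML Schema Part 2, and xs:token is the "collapse" case.

```python
import re

# XML Schema whiteSpace facet values (XSD Part 2, "whiteSpace"):
#   preserve  - value kept as-is            (xs:string)
#   replace   - tab/LF/CR each become space (xs:normalizedString)
#   collapse  - replace, then squeeze runs of spaces and trim ends (xs:token)
_XML_WS = re.compile(r"[\t\n\r]")
_SPACE_RUNS = re.compile(r" {2,}")


def xsd_whitespace(value: str, facet: str) -> str:
    """Apply an XSD whiteSpace facet to a simple-type value."""
    if facet == "preserve":
        return value
    replaced = _XML_WS.sub(" ", value)
    if facet == "replace":
        return replaced
    if facet == "collapse":
        return _SPACE_RUNS.sub(" ", replaced).strip(" ")
    raise ValueError(f"unknown whiteSpace facet: {facet}")


def survives_token(password: str) -> bool:
    """True if a validating parser's xs:token normalization leaves the password unchanged.

    A client can run this before sending a <pw>/<newPW> value and warn the user
    that leading, trailing, repeated or non-space whitespace will not round-trip.
    """
    return xsd_whitespace(password, "collapse") == password


def colliding(a: str, b: str) -> bool:
    """True if two distinct secrets become identical after xs:token normalization."""
    return a != b and xsd_whitespace(a, "collapse") == xsd_whitespace(b, "collapse")


if __name__ == "__main__":
    # Constructed sample secrets, not real credentials.
    samples = ["correct horse battery", " correct horse  battery ", "correct\thorse\nbattery"]
    for pw in samples:
        print(repr(pw), "->", repr(xsd_whitespace(pw, "collapse")),
              "unchanged:", survives_token(pw))
```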