Re: [regext] draft-ietf-regexy-login-security

"Patrick Mevzek" <pm@dotandco.com> Wed, 13 November 2019 20:33 UTC

Date: Wed, 13 Nov 2019 15:32:47 -0500
From: Patrick Mevzek <pm@dotandco.com>
To: regext@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/hYzDZKvrykcVWUtBjWP0IF61DrQ>

On Wed, Nov 13, 2019, at 15:13, Hollenbeck, Scott wrote:

> I don't think that local storage of sensitive information, such as 
> passwords, is a *protocol* issue per se. It does make sense to note 
> that it's a bad idea to do that in the Security Considerations sections 
> of RFCs where passwords are exchanged as part of a protocol 
> interaction, but it's not an interoperability issue.  An even better 
> idea is to recommend "better" practices in those Security 
> Considerations sections.

It is not a protocol issue per se, but if the protocol is so designed that
they are definitively not exchanged as plain text (even over a transport
protecting them), then it is no longer an issue at all, as there is no
longer any sensitive information to deal with.
One stone, two birds.

Remember that the first step to securing information is simply making sure
you handle no more sensitive information than needed, and then securing the rest.

Having clear text passwords at the protocol level is definitively not
a MUST for the protocol to work correctly; the protocol could work with other ways
of authenticating, eliminating the sensitive part of the information exchanged.

-- 
  Patrick Mevzek
  pm@dotandco.com
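An added example, not part of this thread or of the draft under discussion, of the kind of exchange the reply alludes to: a simplified SCRAM-style (RFC 5802) challenge-response login in Python, where the password never crosses the wire and the server stores only a salted verifier. The client identifier and nonce framing are constructed for illustration and are not any EPP extension's format.

```python
# Added example (not from the thread): SCRAM-style (RFC 5802) login.
# The client proves knowledge of the password without sending it, and the
# server stores only StoredKey/ServerKey, so neither the wire nor the server
# holds a cleartext secret to protect.
import hashlib
import hmac
import os

ITER = 4096  # PBKDF2 iteration count (low for the example)

def _h(b): return hashlib.sha256(b).digest()
def _hmac(k, m): return hmac.new(k, m, hashlib.sha256).digest()
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def enroll(password, salt=None):
    """Server side: derive a verifier once; the password itself is then discarded."""
    salt = salt if salt is not None else os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)
    client_key = _hmac(salted, b"Client Key")
    return {"salt": salt, "iter": ITER,
            "stored_key": _h(client_key),               # H(ClientKey)
            "server_key": _hmac(salted, b"Server Key")}  # lets the server prove itself

def client_proof(password, salt, iters, auth_msg):
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    client_key = _hmac(salted, b"Client Key")
    return _xor(client_key, _hmac(_h(client_key), auth_msg))

def server_verify(verifier, auth_msg, proof):
    """Recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    Returns the ServerSignature on success (None on failure) so the client can
    authenticate the server in turn."""
    client_key = _xor(proof, _hmac(verifier["stored_key"], auth_msg))
    if not hmac.compare_digest(_h(client_key), verifier["stored_key"]):
        return None
    return _hmac(verifier["server_key"], auth_msg)

def login(password_on_server, password_typed, nonce=None):
    """Whole exchange with a fresh nonce per login; True only on mutual success."""
    verifier = enroll(password_on_server)
    nonce = nonce if nonce is not None else os.urandom(16)
    # Constructed framing for the example; a real protocol would bind client and server nonces.
    auth_msg = b"clientID=registrar-1,nonce=" + nonce.hex().encode()
    proof = client_proof(password_typed, verifier["salt"], verifier["iter"], auth_msg)
    server_sig = server_verify(verifier, auth_msg, proof)
    if server_sig is None:
        return False
    salted = hashlib.pbkdf2_hmac("sha256", password_typed.encode(), verifier["salt"], verifier["iter"])
    return hmac.compare_digest(server_sig, _hmac(_hmac(salted, b"Server Key"), auth_msg))
```

Because the proof is bound to the per-login nonce, a captured proof cannot be replayed against a later challenge, and a breach of the verifier store yields no cleartext password.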