Re: [regext] AD review for draft-ietf-regext-login-security-04

"Patrick Mevzek" <pm@dotandco.com> Mon, 04 November 2019 16:26 UTC

Message-Id: <c8913828-7705-4227-a938-253ad2c0a63c@www.fastmail.com>
In-Reply-To: <CALaySJJx4u1271WdEaD=BA1adRkHe1URWaqXBb7YKoPBo9rG9Q@mail.gmail.com>
References: <DAB825B6-F9BA-4B39-9273-1FA4DCE53882@verisign.com> <CALaySJJx4u1271WdEaD=BA1adRkHe1URWaqXBb7YKoPBo9rG9Q@mail.gmail.com>
Date: Mon, 04 Nov 2019 11:24:03 -0500
From: Patrick Mevzek <pm@dotandco.com>
To: regext@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/rZxCYvHB9ojhEZxAE6gtRDErJU0>
Subject: Re: [regext] AD review for draft-ietf-regext-login-security-04
List-Id: Registration Protocols Extensions <regext.ietf.org>


On Tue, Oct 29, 2019, at 14:20, Barry Leiba wrote:
> Jim, thanks for accepting most of my edits and for addressing my 
> question about the password characters. It just seems odd to me that 
> you can't use << my#x20#x20#x20pw >> as a password, but you can use, 
> say, << my#x20#xA0#x20pw >> (or any of a number of other variations 
> with other Unicode space characters). But the reason sounds... 
> reasonable, so: post a rev and I'll last-call it.

As a data point, the current NIST recommendations on passwords:
https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver

<quote>
Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length. All printing ASCII [RFC 20] characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode [ISO/ISC 10646] characters SHOULD be accepted as well. To make allowances for likely mistyping, verifiers MAY replace multiple consecutive space characters with a single space character prior to verification, provided that the result is at least 8 characters in length. Truncation of the secret SHALL NOT be performed. For purposes of the above length requirements, each Unicode code point SHALL be counted as a single character.
</quote>

Note the "MAY replace multiple consecutive space characters".

Also, as I hinted in the past during discussion on this extension, the whole area of "internationalized" identifiers, such as usernames and passwords, has been explored in the PRECIS ("Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols") set of RFCs, and specifically RFC 8265, "Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords".
In short, it defines an "OpaqueString" profile, to be applied for passwords.
Among other things it has this:

    Additional Mapping Rule: Any instances of non-ASCII space MUST be
    mapped to SPACE (U+0020); a non-ASCII space is any Unicode code
    point having a Unicode general category of "Zs", with the
    exception of SPACE (U+0020).  As was the case in RFC 4013, the
    inclusion of only SPACE (U+0020) prevents confusion with various
    non-ASCII space code points, many of which are difficult to
    reproduce across different input methods.

(note also RFC 8264 §5.3 for a discussion about spaces)

I am still of the opinion that we should have used/referenced that work more.


-- 
  Patrick Mevzek
  pm@dotandco.com
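The two normalization steps discussed in the message above (the PRECIS OpaqueString rule from RFC 8265 that maps every non-ASCII space to U+0020, and the optional SP 800-63B collapse of repeated spaces) are easier to reason about when run side by side. The following Python is an added example for this archive page; it is not code from the thread, from the draft under review, or from any PRECIS library. It implements only the OpaqueString mapping and normalization rules, approximates the FreeformClass membership check by rejecting Cc/Cn/Cs code points (an assumption; a real implementation uses the full PRECIS derived property table), and reads NIST's "provided that the result is at least 8 characters" as "otherwise leave the secret unchanged" (also an assumption). The sample secrets are constructed for the example.

```python
import re
import unicodedata

# Constructed sample secrets (not from the thread). SAMPLE_NBSP mirrors the
# "my#x20#xA0#x20pw" variant raised in the review: SPACE, NO-BREAK SPACE, SPACE.
SAMPLE_ASCII_SPACES = "my   pw"        # three U+0020
SAMPLE_NBSP = "my \u00a0 pw"           # U+0020 U+00A0 U+0020


def _is_non_ascii_space(ch: str) -> bool:
    """RFC 8265 §4.2.2 Additional Mapping Rule: general category Zs, except U+0020."""
    return ch != " " and unicodedata.category(ch) == "Zs"


def opaquestring_enforce(secret: str) -> str:
    """Apply the OpaqueString enforcement rules of RFC 8265 §4.2.2, in order.

    1. Width Mapping Rule: fullwidth/halfwidth code points are NOT mapped.
    2. Additional Mapping Rule: every non-ASCII space becomes SPACE (U+0020).
    3. Case Mapping Rule: none.
    4. Normalization Rule: NFC.
    5. Directionality Rule: none.

    Assumption: the FreeformClass check is approximated by rejecting control
    characters (Cc), unassigned code points (Cn) and surrogates (Cs).
    """
    if secret == "":
        raise ValueError("empty password is not allowed by the OpaqueString profile")
    mapped = "".join(" " if _is_non_ascii_space(ch) else ch for ch in secret)
    normalized = unicodedata.normalize("NFC", mapped)
    for ch in normalized:
        if unicodedata.category(ch) in ("Cc", "Cn", "Cs"):
            raise ValueError(f"disallowed code point U+{ord(ch):04X}")
    return normalized


def opaquestring_equal(a: str, b: str) -> bool:
    """Comparison rule: enforce both strings, then compare the results."""
    return opaquestring_enforce(a) == opaquestring_enforce(b)


def nist_minimum_length_ok(secret: str, minimum: int = 8) -> bool:
    """SP 800-63B SHALL: at least 8 characters, counting Unicode code points."""
    return len(secret) >= minimum


def nist_collapse_spaces(secret: str, minimum: int = 8) -> str:
    """SP 800-63B MAY: replace runs of ASCII spaces with one space, but only if the
    result still has at least `minimum` code points; otherwise (assumption) the
    secret is returned unchanged."""
    collapsed = re.sub(" {2,}", " ", secret)
    return collapsed if len(collapsed) >= minimum else secret


if __name__ == "__main__":
    for label, s in (("ascii spaces", SAMPLE_ASCII_SPACES), ("nbsp variant", SAMPLE_NBSP)):
        enforced = opaquestring_enforce(s)
        print(f"{label:13s} -> {enforced!r}  (code points: {len(enforced)})")
    print("equal after PRECIS enforcement:",
          opaquestring_equal(SAMPLE_ASCII_SPACES, SAMPLE_NBSP))
    print("NIST collapse of 7-code-point secret:",
          repr(nist_collapse_spaces(SAMPLE_ASCII_SPACES)))
    print("NIST collapse of longer secret:",
          repr(nist_collapse_spaces("correct   horse battery")))
```

Running it shows the point raised in the review in concrete terms: "my   pw" with three ASCII spaces and the variant with U+00A0 in the middle become identical after OpaqueString enforcement, so a server applying PRECIS treats them alike instead of accepting one and rejecting the other; the NIST collapse step then refuses to shorten a 7-code-point secret below its own minimum, while a longer secret does get its repeated spaces folded. The `opaquestring_equal` helper is the comparison rule: both the stored and the presented secret go through the same enforcement before they are compared, which is what keeps the mapping from becoming a source of false mismatches.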