Re: [regext] AD review for draft-ietf-regext-login-security-04
"Gould, James" <jgould@verisign.com> Tue, 05 November 2019 21:38 UTC
Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28831120B7E for <regext@ietfa.amsl.com>; Tue, 5 Nov 2019 13:38:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kHBRBWJyFgDs for <regext@ietfa.amsl.com>; Tue, 5 Nov 2019 13:38:01 -0800 (PST)
Received: from mail5.verisign.com (mail5.verisign.com [69.58.187.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2233412095B for <regext@ietf.org>; Tue, 5 Nov 2019 13:38:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=5358; q=dns/txt; s=VRSN; t=1572989882; h=from:to:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=8Kxr8KcT+UuznHv3wK93WlPv7qKArj9On6IMntjJqLA=; b=czaN/AP9pXfqW78qw4oUtchhq9cELJ9VZDi+6Y6hkWkwoDzVmGoKB21e h2WpEgljEfYc8Ri8tvZoj2DYuJCJGZy7Mumma7TZld8hkN/T2dO1AYvjj yqJC3QCZJVBKi3mwSw3c4F7M6+b1h83Gs+18BIm7aRCzsWhZol2TKArE1 R+BwPNHWtSHG5CcVbWF0KxyXWbdK4DiThIsHAWNiPb5pavV+GWD3Gq5oG SXOD5iABCrowctyG3BXJpXS2JK25NjWoZ899mKSAyCSspjPhBGNifjG/c spH4WNdB4AtkD+Npt5V8ifpz8gq6TYg8OGvVIBOqw4bnTVT98Im+nG4k6 g==;
X-IronPort-AV: E=Sophos;i="5.68,271,1569297600"; d="scan'208";a="8632400"
IronPort-PHdr: 9a23:vghTYRLoj4BXzikBPdmcpTZWNBhigK39O0sv0rFitYgXKvr9rarrMEGX3/hxlliBBdydt6sfzbOP7uu5BDRIyK3CmUhKSIZLWR4BhJdetC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+KPjrFY7OlcS30P2594HObwlSizexfL1/IA+roQnMtsQajpZuJ6YtxhDUvnZGZuNayH9yK1mOhRj8/MCw/JBi8yRUpf0s8tNLXLv5caolU7FWFSwqPG8p6sLlsxnDVhaP6WAHUmoKiBpIAhPK4w/8U5zsryb1rOt92C2dPc3rUbA5XCmp4ql3RBP0jioMKiU0+3/LhMNukK1boQqhpx1hzI7SfIGVL+d1cqfEcd8HWWZNQsNdWipPDYOma4sEEvQPM+BWoYLgo1cCtBqzCQyqCejyyDFHm2X20LU63eo/DA/GwAIuEdEAsHvWotr1NbsdX++6w6TT0TXMdPZW1Svh5IXScB0sp+yHU7JqccrWzEkiDw3JgFSXqYz4OzOay/wBuHWf4eV6UOKglXUnpw9sqTWoxMcshY7Jhp8Ryl/Z7ih53pg6Jce5SE5gYN6kH51QuzuGOItxR8MvWmdlszs0xL0BvJ60ZikKyJI/yh7BdfOHaYmI4gniVOaeJzd4hXRld66lixmu9kigz/XwVs+10FZRsipJiNbMtncT1xDL68iIVOd9/km71TaIzQDT5edJKl03m6rDM5Mt36I8moAOvUnBECL6glj6ga+Ye0k+9eWl6Pzrbqj6qpOGKoN5iB3yPr4zlsGwAuk0KBUCUmuD9eSyyrLu/lH1TbBPg/IskaTUtIvVKMEVq6KnHgBY04Mu5A27Ajqn0tkVmHcKIVxHdR2aiYXiJkvAL+riDfilhlShiDJrx/fbMbL/GpjNNX3DkKv5fbZ69k5c1BI/zdBB6JJQDbEMOO/+VFPputDFDhA3KwO6zOf7BNlgzI8eR36AAqiDMKPKq1OH/P8gL/OSZI8Pozb9LeIp6OLpjX88gVMdfK+p0oULaH2gA/hqP1+VbWfuj9oPC2sGowozQeLwhFCNUjNff3OyULg95jE/BoKmF4DDRoW1jbyD0ye7GYBWZmRbBV2XD3fnaZ+EW/YXaCKTLc9hlCYIWqSmS48kzR2urhP1y6J7LurI/S0VrYrj1N1u6uLOkhEy6SZ7D8KA3G6RSGF4hH8HRzgz3Kpnu0xy1k+D0bRkg/xfDdFT/e1GUggkOp/T0+x3ENHyVRzdfteHUlqmRc+mAT5iBu42lucHf1x8ENbqqx3dzSepS+sNkpSHA4A99K7X2D76IMMrjz6MzqQugkk6aspCKWPggbRwvUCHHYPGnlWFv6enaapa2zTCojSt122L6Qt3VxN0XeGNf3kaa1Cc5YD76UTfS7OGF7k9MxBAxsjEIaxPPI66xW5aTevubYyNK1m6nH29UFPRnu2B
X-IPAS-Result: A2FGAACK6sFd/zCZrQpjAxoBAQEBAQEBAQEDAQEBAREBAQECAgEBAQGBfoMMgTEKhB+RJINqlwEXHQgJAQEBAQEBAQEBBwEYCwwBAQKDeUUCF4QcOBMCDgEBAQQBAQEBAQUDAQEBAoYgDII7KQFiLwkBMgEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQUCCAcQJBkHECUSAQEeAQEBAwEBIRE6GwIBCA4KAgISAQESAgICJQsVEAIEARKDIgGDBrE+gTKEOQEDAQKBDoRygQ4ojCyBQT6BEScfgkw+gmIBAQKBXxcKJgECBYJBMoIsBI1FgjedegMHgiSHFYkphRmDLpY7jkOHL10ijWmDRQIEAgQFAhWBaYF7cBU7KgGCQQlHERSGeYF/gxWFP3QBDCSPJQ0VgQ2BDgEB
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Tue, 5 Nov 2019 16:37:58 -0500
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1779.002; Tue, 5 Nov 2019 16:37:58 -0500
From: "Gould, James" <jgould@verisign.com>
To: Patrick Mevzek <pm@dotandco.com>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [EXTERNAL] Re: [regext] AD review for draft-ietf-regext-login-security-04
Thread-Index: AQHVjo0/NonxcYWQe0mJc3tyCLYHV6dyQcOAgAlNf4CAAZY4AA==
Date: Tue, 05 Nov 2019 21:37:58 +0000
Message-ID: <91FC7392-CF86-45E8-9E52-00089ABBEA28@verisign.com>
References: <DAB825B6-F9BA-4B39-9273-1FA4DCE53882@verisign.com> <CALaySJJx4u1271WdEaD=BA1adRkHe1URWaqXBb7YKoPBo9rG9Q@mail.gmail.com> <c8913828-7705-4227-a938-253ad2c0a63c@www.fastmail.com>
In-Reply-To: <c8913828-7705-4227-a938-253ad2c0a63c@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.f.191014
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <E24F1388B51A444AB84DFFA729831203@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/ubX-egp9xJFwNaQwv674WlXbnx8>
Subject: Re: [regext] AD review for draft-ietf-regext-login-security-04
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2019 21:38:04 -0000
Patrick, The trimming and collapsing of whitespace in draft-ietf-regext-login-security is a feature of the XML schema “token” type that exists today based on what’s defined in RFC 5730. There is no issue with complying with the NIST recommendation, where the use of the trimming and collapsing of the XML schema "token" type is needed to address XML formatting issues (e.g., XML pretty printing). Multiple consecutive space characters will be replaced with a single character by the XML parser. I don't see the applicability of PRECIS for draft-ietf-regext-login-security. Thanks, -- JG James Gould Distinguished Engineer jgould@Verisign.com <applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com> 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com <http://verisigninc.com/> On 11/4/19, 11:26 AM, "regext on behalf of Patrick Mevzek" <regext-bounces@ietf.org on behalf of pm@dotandco.com> wrote: On Tue, Oct 29, 2019, at 14:20, Barry Leiba wrote: > Jim, thanks for accepting most of my edits and for addressing my > question about the password characters. It just seems odd to me that > you can't use << my#x20#x20#x20pw >> as a password, but you can use, > say, << my#x20#xA0#x20pw >> (or any of a number of other variations > with other Unicode space characters. But the reason sounds... > reasonable, so: post a rev and I'll last-call it. As a data point, the current NIST recommendations on passwords: https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length. All printing ASCII [RFC 20] characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode [ISO/ISC 10646] characters SHOULD be accepted as well. To make allowances for likely mistyping, verifiers MAY replace multiple consecutive space characters with a single space character prior to verification, provided that the result is at least 8 characters in length. Truncation of the secret SHALL NOT be performed. For purposes of the above length requirements, each Unicode code point SHALL be counted as a single character. </quote> Note the "MAY replace multiple consecutive space characters". Also, as I hinted in the past during discussion on this extension, the whole area of "internationalized" identifiers, such as usernames and passwords has been explored in the PRECIS ("Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols") set of RFCs, and specifically RFC 8265 "Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords". In short it defines an "OpaqueString" profile, to be applied for passwords. Among other things it has this: . Additional Mapping Rule: Any instances of non-ASCII space MUST be mapped to SPACE (U+0020); a non-ASCII space is any Unicode code point having a Unicode general category of "Zs", with the exception of SPACE (U+0020). As was the case in RFC 4013, the inclusion of only SPACE (U+0020) prevents confusion with various non-ASCII space code points, many of which are difficult to reproduce across different input methods. (note also RFC8264 §5.3 for a discussion about spaces) I am still of the opinion that we should have used/referenced that work more. -- Patrick Mevzek pm@dotandco.com _______________________________________________ regext mailing list regext@ietf.org https://www.ietf.org/mailman/listinfo/regext
- [regext] Publication has been requested for draft… James Galvin via Datatracker
- [regext] AD review for draft-ietf-regext-login-se… Barry Leiba
- Re: [regext] AD review for draft-ietf-regext-logi… Gould, James
- Re: [regext] AD review for draft-ietf-regext-logi… Barry Leiba
- Re: [regext] AD review for draft-ietf-regext-logi… Patrick Mevzek
- Re: [regext] AD review for draft-ietf-regext-logi… Gould, James
- Re: [regext] AD review for draft-ietf-regext-logi… Patrick Mevzek