Re: [secdir] [precis] Secdir last call review of draft-ietf-precis-7613bis-07

Peter Saint-Andre <stpeter@stpeter.im> Mon, 26 June 2017 17:40 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DE1812EB23; Mon, 26 Jun 2017 10:40:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.721
X-Spam-Level:
X-Spam-Status: No, score=-2.721 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=bZcLCKc7; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=CcSscp/j
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xm6fGjvlM8pN; Mon, 26 Jun 2017 10:40:11 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A7C112EB1C; Mon, 26 Jun 2017 10:40:11 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id C0550209CE; Mon, 26 Jun 2017 13:40:10 -0400 (EDT)
Received: from frontend1 ([10.202.2.160]) by compute2.internal (MEProxy); Mon, 26 Jun 2017 13:40:10 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=vQIIuXe5RL6q2vFTsY PaX/mPzkv0XUl1x6nMryZ8xT8=; b=bZcLCKc7xbLeYzWWv9GPEtv2vXkB3JiDk5 KGzpY5fbk7x2N6Epl7g5xPAeAbHkvXCSuavi+EtrqD3fPlYaJBLNLSgakQ82zEFt d/b2UczV/JEBYysQJ69iM8cPv/ifltGV7WmEkVV2Xg2gyTRS1vavMrhQa3lnYm/y emA1ZrwYYTri0TkY+JLzdZZyIWBimssDR7Gl9BiX6sdWpkEZKC9Ohp5dtKxdWVu+ qWHGJPsEydToxluFez3UZ6fNDdqSflqkVkNx9R/xAyazHsjv9ZIP3i60SgUffxjB RlKPI356wkhx8ScG1nY2FmTlvKvGVmURIW2CLnek3Z+aPdzgy8DA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s= fm1; bh=vQIIuXe5RL6q2vFTsYPaX/mPzkv0XUl1x6nMryZ8xT8=; b=CcSscp/j AXtO09Tlzji5eypBWld9ee+0V8Tkd9EkMtxf6/LT4RW4l+sgHSa8+9RoFGu2g13n xmKwS6T2GFHrwta4k3VDskieWjKAIndNx3g3NpoG+o18UCM8my+YXELWyG5/Q9XA 6avhSfZ68eacX3wCXtU6VTYK0fCp4JKdcZTAimwFhlqqpJvhO42pPX1lsG1ZUO6+ famef+AGFW2+LqrQ5S62DD4bk6wWx5RGc432ow4rnPjEAIy9qDO0GTMfUSXrXMLt SDSaUKu2GhUuDAqZ6XTUlVkVRb5uF772pml5FkKsMxyg6/QW2MwTK3tagQ/dR2Fg R3DbTkHAI3m24A==
X-ME-Sender: <xms:-kZRWUkLtXxMnfTgI2cnIs3n0K2wmnLb0YeHv7SRC4Q7LqffMCSbsg>
X-Sasl-enc: 0xAl+sTZiWwGlOBv3TGYng8gKq6Gc1Cq0dD58WG0syVo 1498498810
Received: from aither.local (c-98-245-40-52.hsd1.co.comcast.net [98.245.40.52]) by mail.messagingengine.com (Postfix) with ESMTPA id 10BC87E760; Mon, 26 Jun 2017 13:40:09 -0400 (EDT)
To: Joseph Salowey <joe@salowey.net>, secdir@ietf.org
References: <149845620057.31750.11952736688634266964@ietfa.amsl.com>
Cc: draft-ietf-precis-7613bis.all@ietf.org, iesg@ietf.org, precis@ietf.org
From: Peter Saint-Andre <stpeter@stpeter.im>
Message-ID: <18393d54-4882-e3f3-a0b0-7af814d51f65@stpeter.im>
Date: Mon, 26 Jun 2017 11:40:08 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <149845620057.31750.11952736688634266964@ietfa.amsl.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/5Gb8npg87CMJhC6IXiBEkpCEixM>
Subject: Re: [secdir] [precis] Secdir last call review of draft-ietf-precis-7613bis-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Jun 2017 17:40:14 -0000

Hi Joe, thanks for the review. Comments inline.

On 6/25/17 11:50 PM, Joseph Salowey wrote:
> Reviewer: Joseph Salowey
> Review result: Has Nits
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> The summary of the review is document is ready with nits.
> 
> This document is an update to RFC 7613.   A few Minor comments:
> 
> 1.  I think it would be good to show the zero-length password is not allowed in
> table 4 (18 | <> | zero-length password).   There are lots of cases where
> allowing zero-length passwords has led to problems.  Disallowing zero-length
> passwords is helpful.

Good point - we'll add that.

> 2.  Comparisons of passwords is a touchy subject.   I can't think of a case
> where it would be preferable to do a direct password comparison.   In most
> cases the comparison will be done against a salted-hashed transform of the
> password or involve some other cryptographic operation.   I think it would be
> good to discuss this briefly in the security considerations section, sample
> text below
> 
> "Password Comparison
> 
> Verification of passwords during authentication will not use the comparison
> defined in section 4.2.3.   Instead cryptographic calculations are performed to
> verify the password.   In most cases the password will be prepared as in
> section 4.2.1 and meet the rules enforced in section 4.2.2 before the
> calculations are performed."

That's helpful - thanks for the suggested test. A forward pointer from
Section 4.2.3 also seems desirable.

Peter