IETF Logo Mail Archive

Re: [websec] [saag] Fwd: [http-auth] re-call for IETF http-auth BoF

Yutaka OIWA <y.oiwa@aist.go.jp> Thu, 23 June 2011 02:36 UTC

Return-Path: <yutaka-oiwa-aist-temp@g.oiwa.jp>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2FC31F0C41; Wed, 22 Jun 2011 19:36:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YaSTON1ZmomP; Wed, 22 Jun 2011 19:36:11 -0700 (PDT)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id 7C8A61F0C3D; Wed, 22 Jun 2011 19:36:10 -0700 (PDT)
Received: by wwe5 with SMTP id 5so1003860wwe.13 for <multiple recipients>; Wed, 22 Jun 2011 19:36:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.227.11.131 with SMTP id t3mr1375268wbt.113.1308796569317; Wed, 22 Jun 2011 19:36:09 -0700 (PDT)
Sender: yutaka@g.oiwa.jp
X-Google-Sender-Delegation: yutaka@g.oiwa.jp
Received: by 10.227.128.75 with HTTP; Wed, 22 Jun 2011 19:36:09 -0700 (PDT)
In-Reply-To: <53857.196.220.229.163.1308763299.squirrel@mail.unijos.edu.ng>
References: <trg0YszL9F4Q.471l1SVV@smtp.o2.co.uk> <BANLkTi=seeFm0F0TFoA9__uERg_F1L37Tg@mail.gmail.com> <E3C31DB7-6AAA-4EF0-BA5F-BBE7C7EA6EEA@w3.org> <08A16114-A59F-4EA7-906B-E1273C6A0100@gmail.com> <BANLkTikR9Ud5-yFzjYxu+V0vqcQCExyF4g@mail.gmail.com> <53857.196.220.229.163.1308763299.squirrel@mail.unijos.edu.ng>
Date: Thu, 23 Jun 2011 11:36:09 +0900
X-Google-Sender-Auth: NE7KstGKngNb65HXXwY67jWpyog
Message-ID: <BANLkTimChRk2mpKLTQ9Cg+6QKy0eaxcwpg@mail.gmail.com>
From: Yutaka OIWA <y.oiwa@aist.go.jp>
To: gogwim@unijos.edu.ng
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "http-auth@ietf.org" <http-auth@ietf.org>, "public-identity@w3.org" <public-identity@w3.org>, "websec@ietf.org" <websec@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [websec] [saag] Fwd: [http-auth] re-call for IETF http-auth BoF
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jun 2011 02:36:11 -0000

2011/6/23 GOGWIM, JOEL GODWIN <gogwim@unijos.edu.ng>:
> Supported.
> Weak and predictable passwords should be avoided.

I ideally agree, but in reality I hesitate to agree with it
with technical means and backgrounds. In short, here is a security trade-off.

Of course, the statement "weak and predictable passwords should be avoided",
as literally, can be read as our requirements to users and agreed with
no questions.
However, the original thread was prepended with "Any protocols that allow".
For this purpose, the more the technology gets strong to protect "good
(unpredictable)"
passwords and passphrases against possible attacks, the more such a protocol
cannot reveal "weakness" of passwords to servers too.

To detect by the server side to detect predictable passwords using
bulky (e.g. 100k or 1M+) list, currently we need either a plain-text password
authentication protocol or a plain-text password registration procedure.
On the contrary, if we forgive users' "mistake" to use such a weak passwords
as user's own, we can introduce much stronger password
protocols which do not reveal (at least immediately) the user's password
both in registration and authentication time.
When we face with this trade-off, I don't want to trash out the
latter's possibility.

In this background, "forbidding protocols which allow users to (covertly) use
weak predictable passwords" means that "servers *always* know the user's
plain-text password", which is obviously not happy.
We don't want to completely sacrifice well-done user's security in trade with
the careless user's security.

Of course, even if we introduce such "secure" password registration protocol,
I foresee that some people will continue to stick on plain-text password
registration for various reasons.  For example, if a law had required
some servers
(e.g. financial entities) to check and reject such predictable passwords,
we would have no way to secure it.  For such purposes servers will
continue to receive raw passwords and computes password-hashes
(or whatever equivalent) on the server-side.
But I think that providing a possibility to securely registering passwords
to servers are one of required things to do for us.

But, again at last, I repeat to agree that "users" should avoid weak and
predictable passwords with no questions.

v2.38.3 | Report a Bug | By Email | System Status