XMPP Council - 2020-05-07

  1. pep.

    SamWhited, reading https://www.ietf.org/id/draft-whited-kitten-password-storage-02.html, why the use of PRECIS? That seems like convenience and rather opposed to security

  2. pep.

    Do I understand correctly that the goal is to canonicalize unicode?

  3. pep.

    Do I understand correctly that the goal is to normalize unicode?

  4. pep.

    Not saying there are no advantages to doing normalization, just curious if it's aligned with the goals of the RFC. It is indeed titled "best practices" and not "most secure" (or similar), but then security is mentioned everywhere else in the document.

  5. pep.

    Also I'm genuinely curious how not doing normalization for passwords can lead to security issues

  6. pep.

    The rest is probably too technical for me, sorry :P

  7. pep.

    I'm no crypto person

  8. pep.

    -> s/ a users identity\./ a user's identity\./

  9. SamWhited

    No worries about reviewing the hashes and stuff, thanks for the suggestion and correction! You're right that PRECIS isn't *really* much of a security mechanism, but it stops users from locking themselves out of their accounts, so I think it's a best practice. You may be right, I'm not sure if it belongs in this document or not. Hopefully there will be discussion on list about that.

  10. pep.

    Maybe it just wasn't obvious enough to me reading the section that this was a convenience thing. Well... I can see how locking yourself out can lead to security issues maybe :x

  11. pep.

    Writing that down on paper (even though I'm sure they'd do it anyway), calling some phone number/sending an email to get your password back and giving your old password to somebody, etc. etc.

  12. SamWhited

    Locking yourself out in the sense that if you type your password for the first time on a keyboard that spits out a full-width character, or a non-ASCII space, but all your keyboard layouts spit out ASCII space or the half-width version of the character, you're stuck :)

  13. pep.

    I haven't been in this case, even though I've lived in a CJK country for a few years :p

  14. pep.

    But then I'm certainly not your target

  15. SamWhited

    Yah, I don't know how common it actually is

  16. SamWhited

    Fixed the typo on my personal copy (not yet uploaded to the IETF site until I get a few more changes in); thanks! https://rfcs.samwhited.com/draft-whited-kitten-password-storage-03.html


  18. Wojtek has left

  19. daniel has left

  20. daniel has joined

  21. stpeter has left

  22. stpeter has joined

  23. stpeter has left

  24. daniel has left

  25. daniel has joined

  26. stpeter has joined

  27. stpeter has left

  28. SouL has joined

  29. Tobias has joined

  30. stpeter has joined

  31. stpeter has left

  32. sonny has joined

  33. sonny has left

  34. sonny has joined

  35. daniel has left

  36. daniel has joined

  37. Zash

    We use SASLprep now, so it seems a natural step.

  38. bear has left

  39. Zash has left

  40. Zash has joined

  41. stpeter has joined

  42. stpeter has left

  43. vanitasvitae has left

  44. vanitasvitae has joined

  45. larma has left

  46. larma has joined

  47. bear has joined

  48. sonny has left

  49. sonny has joined

  50. sonny has left

  51. sonny has joined

  52. dwd

    SamWhited, Simon Josefsson is absolutely the best person to talk about channel bindings, indeed.

  53. Zash

    Do they into XMPP?

  54. dwd

    I don't actually know.

  55. debacle has joined

  56. debacle has left

  57. debacle has joined

  58. kusoneko has left

  59. kusoneko has joined

  60. robertooo has joined

  61. stpeter has joined

  62. stpeter has left

  63. sonny has left

  64. sonny has joined

  65. sonny has left

  66. sonny has joined

  67. stpeter has joined

  68. debacle has left

  69. sonny has left

  70. sonny has joined

  71. sonny has left

  72. sonny has joined

  73. stpeter has left

  74. kusoneko has left

  75. kusoneko has joined

  76. kusoneko has left

  77. kusoneko has joined

  78. debacle has joined

  79. MattJ

    Simon was on XMPP at some point in the past, and ran his own server

  80. MattJ

    No idea if that's still the case

  81. SamWhited

    Oh nifty, in his reply he mentioned that it would be nice to have a method for negotiating CB at some point, but not to worry about it yet and to focus on the new I-D. I went ahead and sent him the protoxep anyway and said we'd love his feedback if he wanted to join the list; maybe he'll be more inclined to do so then.

  82. stpeter has joined

  83. stpeter has left

  84. debacle has left

  85. sonny has left

  86. sonny has joined

  87. sonny has left

  88. sonny has joined

  89. debacle has joined

  90. stpeter has joined

  91. daniel has left

  92. daniel has joined

  93. Holger has left

  94. bear has left

  95. debacle has left

  96. bear has joined

  97. kusoneko has left

  98. kusoneko has joined

  99. sonny has left

  100. sonny has joined

  101. kusoneko has left

  102. kusoneko has joined

  103. Wojtek has joined

  104. kusoneko has left

  105. kusoneko has joined

  106. kusoneko has left

  107. kusoneko has joined

  108. Holger has joined

  109. debacle has joined

  110. sonny has left

  111. sonny has joined

  112. sonny has left

  113. sonny has joined

  114. Kev has joined

  115. daniel has left

  116. daniel has joined

  117. kusoneko has left

  118. kusoneko has joined

  119. kusoneko has left

  120. kusoneko has joined

  121. Kev has left

  122. Kev has joined

  123. Tobias has left

  124. robertooo has left

  125. robertooo has joined

  126. daniel has left

  127. daniel has joined

  128. daniel has left

  129. Zash has left

  130. daniel has joined

  131. daniel has left

  132. daniel has joined

  133. sonny has left

  134. sonny has joined

  135. sonny has left

  136. sonny has joined