XMPP Council - 2020-05-07

  1. pep.

    SamWhited, reading https://www.ietf.org/id/draft-whited-kitten-password-storage-02.html, why the use of PRECIS? That seems like convenience and rather opposed to security

  2. pep.

    Do I understand correctly that the goal is to canonicalize unicode?

  3. pep.

    Do I understand correctly that the goal is to normalize unicode?

  4. pep.

    Not saying there are no advantages to doing normalization, just curious if it's aligned with the goals of the RFC. It is indeed titled "best practices" and not "most secure" (or similar), but then security is mentioned everywhere else in the document

  5. pep.

    Also I'm genuinely curious how not doing normalization for passwords can lead to security issues

  6. pep.

    The rest is probably too technical for me, sorry :P

  7. pep.

    I'm no crypto person

  8. pep.

    -> s/ a users identity\./ a user's identity\./

  9. SamWhited

    No worries about reviewing the hashes and stuff, thanks for the suggestion and correction! You're right that PRECIS isn't *really* much of a security mechanism, but it stops users from locking themselves out of their accounts so I think it's a best practice. You may be right, I'm not sure if it belongs in this document or not. Hopefully there will be discussion on list about that

  10. pep.

    Maybe it just wasn't obvious enough to me reading the section that this was a convenience thing. Well.. I can see how locking yourself out can lead to security issues maybe :x

  11. pep.

    Writing that down on paper (even though I'm sure they'd do it anyway), calling some phone number/sending an email to get your password back and giving your old password to somebody, etc. etc.

  12. SamWhited

    Locking yourself out in the sense that if you type your password for the first time on a keyboard that spits out a full-width character, or a non-ASCII space, but all your keyboard layouts spit out ASCII space or the half-width version of the character, you're stuck :)

  13. pep.

    I haven't been in this case, even though I've lived in a CJK country for a few years :p

  14. pep.

    But then I'm certainly not your target

  15. SamWhited

    Yah, I don't know how common it actually is

  16. SamWhited

    Fixed the typo on my personal copy (not yet uploaded to the IETF site until I get a few more changes in); thanks! https://rfcs.samwhited.com/draft-whited-kitten-password-storage-03.html

  18. Zash

    We use SASLprep now so seems a natural step.

  19. dwd

    SamWhited, Simon Josefsson is absolutely the best person to talk about channel bindings, indeed.

  20. Zash

    Do they into XMPP?

  21. dwd

    I don't actually know.

  22. MattJ

    Simon was on XMPP at some point in the past, and ran his own server

  23. MattJ

    No idea if that's still the case

  24. SamWhited

    Oh nifty, in his reply he mentioned that it would be nice to have a method for negotiating CB at some point but not to worry about it yet and focus on the new I-D, but I went ahead and sent him the protoxep and said we'd love his feedback if he wanted to join the list, maybe he'll be more inclined to do so then.