SamWhited, reading https://www.ietf.org/id/draft-whited-kitten-password-storage-02.html, why the use of PRECIS? That seems like convenience and rather opposed to security
pep.
Do I understand correctly that the goal is to normalize unicode?
pep.
Not saying there are no advantages to doing normalization, just curious if it's aligned with the goals of the RFC. It is indeed titled "best practices" and not "most secure" (or similar), but then security is mentioned everywhere else in the document
pep.
Also I'm genuinely curious how not doing normalization for passwords can lead to security issues
pep.
The rest is probably too technical for me, sorry :P
pep.
I'm no crypto person
pep.
-> s/ a users identity\./ a user's identity\./
SamWhited
No worries about reviewing the hashes and stuff, thanks for the suggestion and correction! You're right that PRECIS isn't *really* much of a security mechanism, but it stops users from locking themselves out of their accounts so I think it's a best practice. You may be right, I'm not sure if it belongs in this document or not. Hopefully there will be discussion on list about that
pep.
Maybe it just wasn't obvious enough to me reading the section that this was a convenience thing. Well.. I can see how locking yourself out can lead to security issues maybe :x
pep.
Writing that down on paper (even though I'm sure they'd do it anyway), calling some phone number/sending an email to get your password back and giving your old password to somebody, etc. etc.
SamWhited
Locking yourself out in the sense that if you type your password for the first time on a keyboard that spits out a full-width character, or a non-ASCII space, but all your keyboard layouts spit out ASCII space or the half-width version of the character, you're stuck :)
pep.
I haven't been in this case, even though I've lived in a CJK country for a few years :p
pep.
But then I'm certainly not your target
SamWhited
Yah, I don't know how common it actually is
SamWhited
Fixed the typo on my personal copy (not yet uploaded to the IETF site until I get a few more changes in); thanks! https://rfcs.samwhited.com/draft-whited-kitten-password-storage-03.html
pep.
:)
Zash
We use SASLprep now so seems a natural step.
dwd
SamWhited, Simon Josefsson is absolutely the best person to talk about channel bindings, indeed.
Zash
Do they into XMPP?
dwd
I don't actually know.
MattJ
Simon was on XMPP at some point in the past, and ran his own server
MattJ
No idea if that's still the case
SamWhited
Oh nifty, in his reply he mentioned that it would be nice to have a method for negotiating CB at some point but not to worry about it yet and focus on the new I-D, but I went ahead and sent him the protoxep and said we'd love his feedback if he wanted to join the list, maybe he'll be more inclined to do so then.