Adding Support for Salted Password Databases to EAP-pwd
draft-harkins-salted-eap-pwd-08
Document history
| Date | Rev. | By | Action |
|---|---|---|---|
| 2017-04-19 | 08 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
| 2017-03-31 | 08 | (System) | RFC Editor state changed to AUTH48 from EDIT |
| 2017-03-02 | 08 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
| 2017-03-01 | 08 | (System) | IANA Action state changed to Waiting on RFC Editor from Waiting on Authors |
| 2017-02-27 | 08 | (System) | IANA Action state changed to Waiting on Authors |
| 2017-02-24 | 08 | (System) | RFC Editor state changed to EDIT |
| 2017-02-24 | 08 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
| 2017-02-24 | 08 | (System) | Announcement was received by RFC Editor |
| 2017-02-23 | 08 | Cindy Morgan | IESG state changed to Approved-announcement sent from Approved-announcement to be sent::AD Followup |
| 2017-02-23 | 08 | Cindy Morgan | IESG has approved the document |
| 2017-02-23 | 08 | Cindy Morgan | Closed "Approve" ballot |
| 2017-02-23 | 08 | Cindy Morgan | Ballot approval text was generated |
| 2016-11-23 | 08 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
| 2016-11-23 | 08 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
| 2016-11-23 | 08 | Dan Harkins | New version available: draft-harkins-salted-eap-pwd-08.txt |
| 2016-11-23 | 08 | (System) | New version approved |
| 2016-11-23 | 08 | (System) | Request for posting confirmation emailed to previous authors: "Dan Harkins" |
| 2016-11-23 | 08 | Dan Harkins | Uploaded new revision |
| 2016-11-10 | 07 | Tero Kivinen | Closed request for Telechat review by SECDIR with state 'No Response' |
| 2016-11-03 | 07 | Cindy Morgan | IESG state changed to Approved-announcement to be sent::Revised I-D Needed from IESG Evaluation |
| 2016-11-03 | 07 | Jari Arkko | [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko |
| 2016-11-02 | 07 | Joel Jaeggli | [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli |
| 2016-11-02 | 07 | Alia Atlas | [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas |
| 2016-11-02 | 07 | Ben Campbell | [Ballot comment] The abbreviated title on the top of pages after the first is "Abbreviated Title " :-) |
| 2016-11-02 | 07 | Ben Campbell | [Ballot Position Update] New position, No Objection, has been recorded for Ben Campbell |
| 2016-11-02 | 07 | (System) | IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed |
| 2016-11-02 | 07 | Spencer Dawkins | [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins |
| 2016-11-02 | 07 | Deborah Brungard | [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard |
| 2016-11-02 | 07 | Suresh Krishnan | [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan |
| 2016-11-01 | 07 | Terry Manderson | [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson |
| 2016-11-01 | 07 | Stephen Farrell | [Ballot comment] Thanks for the secdir discussion - it was thorough and led to good changes being made. (It took me longer to read that thread than the document :-) I do think that some of the text doesn't flow as well as a result of all those edits though, maybe a pass to improve that would be good. (Though it is clear enough now for implementers I think.) Figure 1 means that implementing this requires changes to the innards of your EAP-PWD implementation. It might be nice to a random implementer (if there are some) to provide that hint by saying this updates 7664. I like Mirja's suggestion - that RECOMMENDED is a bit buried right now. (Even if the main concern here is not new DB records.) I'd also note that it's possible to switch to a new alg on a per-record and not per-DB basis, if one's implementation allows, so you could also encourage that. (Well, unless EAP-PWD prevents it somehow but I'd be surprised if it did.) |
| 2016-11-01 | 07 | Stephen Farrell | [Ballot Position Update] New position, No Objection, has been recorded for Stephen Farrell |
| 2016-11-01 | 07 | Alexey Melnikov | [Ballot Position Update] New position, No Objection, has been recorded for Alexey Melnikov |
| 2016-11-01 | 07 | Alissa Cooper | [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper |
| 2016-10-31 | 07 | Alvaro Retana | [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana |
| 2016-10-30 | 07 | Mirja Kühlewind | [Ballot comment] Maybe put the following warning also more clearly at the beginning of the doc or even in the abstract: "Plain salting techniques are included for support of existing databases. scrypt and PBKDF2 techniques are RECOMMENDED for new password database deployments." |
| 2016-10-30 | 07 | Mirja Kühlewind | [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind |
| 2016-10-28 | 07 | Kathleen Moriarty | Ballot has been issued |
| 2016-10-28 | 07 | Kathleen Moriarty | [Ballot Position Update] New position, Yes, has been recorded for Kathleen Moriarty |
| 2016-10-28 | 07 | Kathleen Moriarty | Created "Approve" ballot |
| 2016-10-28 | 07 | Kathleen Moriarty | Ballot writeup was changed |
| 2016-10-28 | 07 | Kathleen Moriarty | IESG state changed to IESG Evaluation from Waiting for AD Go-Ahead |
| 2016-10-27 | 07 | Tero Kivinen | Request for Telechat review by SECDIR is assigned to Simon Josefsson |
| 2016-10-27 | 07 | Tero Kivinen | Request for Telechat review by SECDIR is assigned to Simon Josefsson |
| 2016-10-25 | 07 | Dale Worley | Request for Telechat review by GENART Completed: Ready. Reviewer: Dale Worley. |
| 2016-10-22 | 07 | Kathleen Moriarty | Telechat date has been changed to 2016-11-03 from 2016-10-27 |
| 2016-10-20 | 07 | Jean Mahoney | Request for Telechat review by GENART is assigned to Dale Worley |
| 2016-10-20 | 07 | Jean Mahoney | Request for Telechat review by GENART is assigned to Dale Worley |
| 2016-10-19 | 07 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
| 2016-10-19 | 07 | Dan Harkins | New version available: draft-harkins-salted-eap-pwd-07.txt |
| 2016-10-19 | 07 | (System) | New version approved |
| 2016-10-19 | 06 | (System) | Request for posting confirmation emailed to previous authors: "Dan Harkins" |
| 2016-10-19 | 06 | Dan Harkins | Uploaded new revision |
| 2016-10-15 | 06 | Dale Worley | Request for Telechat review by GENART Completed: Ready with Nits. Reviewer: Dale Worley. |
| 2016-10-14 | 06 | Tero Kivinen | Closed request for Telechat review by SECDIR with state 'Withdrawn' |
| 2016-10-14 | 06 | Tero Kivinen | Request for Telechat review by SECDIR is assigned to Rifaat Shekh-Yusef |
| 2016-10-14 | 06 | Tero Kivinen | Request for Telechat review by SECDIR is assigned to Rifaat Shekh-Yusef |
| 2016-10-09 | 06 | Kathleen Moriarty | Telechat date has been changed to 2016-10-27 from 2016-10-13 |
| 2016-10-07 | 06 | Kathleen Moriarty | Notification list changed to "Stefan Winter" <stefan.winter@restena.lu>, dharkins@arubanetworks.com from "Stefan Winter" <stefan.winter@restena.lu> |
| 2016-10-06 | 06 | Jean Mahoney | Request for Telechat review by GENART is assigned to Dale Worley |
| 2016-10-06 | 06 | Jean Mahoney | Request for Telechat review by GENART is assigned to Dale Worley |
| 2016-10-05 | 06 | Gunter Van de Velde | Request for Last Call review by OPSDIR Completed: Has Nits. Reviewer: Mahesh Jethanandani. |
| 2016-09-26 | 06 | Sabrina Tanamal | IANA Review state changed to IANA OK - Actions Needed from IANA - Not OK |
| 2016-09-22 | 06 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Has Issues. Reviewer: Simon Josefsson. |
| 2016-09-22 | 06 | Kathleen Moriarty | Ballot writeup was changed |
| 2016-09-22 | 06 | (System) | IESG state changed to Waiting for AD Go-Ahead from In Last Call |
| 2016-09-21 | 06 | Kathleen Moriarty | Ballot writeup was changed |
| 2016-09-21 | 06 | Kathleen Moriarty | Changed consensus to Yes from Unknown |
| 2016-09-21 | 06 | Kathleen Moriarty | Placed on agenda for telechat - 2016-10-13 |
| 2016-09-20 | 06 | (System) | IANA Review state changed to IANA - Not OK from IANA - Review Needed |
| 2016-09-20 | 06 | Sabrina Tanamal | (Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs: IANA has completed its review of draft-harkins-salted-eap-pwd-06.txt. If any part of this review is inaccurate, please let us know. IANA understands that, upon approval of this document, there is a single action which IANA must complete. In the Password Preprocessing Methods subregistry of the EAP-pwd Parameters registry located at: https://www.iana.org/assignments/eap-pwd-parameters/ Eight new values are to be registered as follows: Value: [ TBD-at-registration ] Name: Random salt with SHA-1 Reference: [ RFC-to-be ] Value: [ TBD-at-registration ] Name: Random salt with SHA-256 Reference: [ RFC-to-be ] Value: [ TBD-at-registration ] Name: Random salt with SHA-512 Reference: [ RFC-to-be ] Value: [ TBD-at-registration ] Name: UNIX crypt() Reference: [ RFC-to-be ] Value: [ TBD-at-registration ] Name: OpaqueString and a random salt with SHA-1 Reference: [ RFC-to-be ] Value: [ TBD-at-registration ] Name: OpaqueString and a random salt with SHA-256 Reference: [ RFC-to-be ] Value: [ TBD-at-registration ] Name: OpaqueString and a random salt with SHA-512 Reference: [ RFC-to-be ] Value: [ TBD-at-registration ] Name: OpaqueString and a UNIX crypt() Reference: [ RFC-to-be ] As this document requests registrations in an Expert Review or Specification Required (see RFC 5226) registry, we will initiate the required Expert Review via a separate request. Expert review will need to be completed before your document can be approved for publication as an RFC. IANA understands that this is the only action required to be completed upon approval of this document. Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed. Thank you, Sabrina Tanamal IANA Specialist ICANN |
| 2016-09-06 | 06 | Dale Worley | Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Dale Worley. |
| 2016-09-01 | 06 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Simon Josefsson |
| 2016-09-01 | 06 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Simon Josefsson |
| 2016-08-31 | 06 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Mahesh Jethanandani |
| 2016-08-31 | 06 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Mahesh Jethanandani |
| 2016-08-25 | 06 | Jean Mahoney | Request for Last Call review by GENART is assigned to Dale Worley |
| 2016-08-25 | 06 | Jean Mahoney | Request for Last Call review by GENART is assigned to Dale Worley |
| 2016-08-25 | 06 | Amy Vezza | IANA Review state changed to IANA - Review Needed |
| 2016-08-25 | 06 | Amy Vezza | The following Last Call announcement was sent out: From: The IESG To: "IETF-Announce" CC: stefan.winter@restena.lu, Kathleen.Moriarty.ietf@gmail.com, draft-harkins-salted-eap-pwd@ietf.org, "Stefan Winter" Reply-To: ietf@ietf.org Sender: Subject: Last Call: (Adding Support for Salted Password Databases to EAP-pwd) to Informational RFC The IESG has received a request from an individual submitter to consider the following document: - 'Adding Support for Salted Password Databases to EAP-pwd' as Informational RFC The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2016-09-22. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract EAP-pwd is an EAP method that uses a shared password for authentication using a technique that is resistant to dictionary attack. It included support for raw keys and RFC2751-style double hashing of a password but did not include support for salted passwords. There are many existing databases of salted passwords and it is desirable to allow their use with EAP-pwd. The file can be obtained via https://datatracker.ietf.org/doc/draft-harkins-salted-eap-pwd/ IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-harkins-salted-eap-pwd/ballot/ No IPR declarations have been submitted directly on this I-D. |
| 2016-08-25 | 06 | Amy Vezza | IESG state changed to In Last Call from Last Call Requested |
| 2016-08-25 | 06 | Kathleen Moriarty | Last call was requested |
| 2016-08-25 | 06 | Kathleen Moriarty | Ballot approval text was generated |
| 2016-08-25 | 06 | Kathleen Moriarty | Ballot writeup was generated |
| 2016-08-25 | 06 | Kathleen Moriarty | IESG state changed to Last Call Requested from Publication Requested |
| 2016-08-25 | 06 | Kathleen Moriarty | IESG state changed to Publication Requested from Dead |
| 2016-08-25 | 06 | Kathleen Moriarty | Last call announcement was generated |
| 2016-08-25 | 06 | Kathleen Moriarty | Last call announcement was generated |
| 2016-08-24 | 06 | Stefan Winter | Document Writeup for draft-harkins-salted-eap-pwd-03. (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? The requested track is Informational. The document is an extension to RFC 5931 (EAP Authentication Using Only a Password) which is also informational. It is the right track because it makes sense to choose the same track for the base specification and the update. That said, it looks a bit odd that RFC 5931 itself was only Informational, but that question is out of scope for the draft currently under consideration. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary: EAP-pwd is an EAP method that uses a shared password for authentication using a technique that is resistant to dictionary attack. It included support for raw keys and RFC2751-style double hashing of a password but did not include support for salted passwords. There are many existing databases of salted passwords and it is desirable to allow their use with EAP-pwd. Working Group Summary: The base specification RFC 5931 was considered by the EMU working group (but eventually published outside the WG). That working group is meanwhile concluded, and the current draft has no obvious "home" in any working group. Document Quality: There are implementations of the EAP-pwd base specification for several operating systems (Windows, Linux, Android), originating from one vendor (Aruba Networks / HP Enterprise). The same vendor (and in fact author of the spec) also has running code for this new draft. This code is unpublished due to the lack of code points. When this draft gets published as RFC with the corresponding IANA actions, it can be expected that the implementation will be out soon after. Who is the Document Shepherd? Who is the Responsible Area Director? The Document Shepherd is Stefan Winter. The responsible Area Director is Kathleen Moriarty (kathleen.moriarty.ietf@gmail.com). (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The shepherd has been following this document for a long while, due to its potential usefulness in enterprise Wi-Fi. As such, the document was constantly reviewed. In addition to that, the shepherd has read -03 with particular scrutiny. Subsequently, a number of clarification questions were asked and tackled in subsequent versions. The shepherd now (version -06) believes this document is ready for publication. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? With this being an individual submission, the amount of review is more difficult to gauge than usual. The author presented his draft on several occasions, and got a few comments on it. In particular, it was sent to the emu mailing list which still has many subscribers from the now-concluded emu working group. All in all, there are no concerns; the document has gotten its fair share of scrutiny. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. The protocol extensions in this draft definitely warrant a review from the security community. The comments the author got indicate that security people did take a look already. IETF last call and in particular the secdir review should provide for a comforting amount of security review. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the interested community has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. The document is needed in order to support more database backends. The fact that it needs to transmit the salt on the wire in the clear is an unfortunate technical necessity; the salt is of not much use without the actual password. Whether or not this represents a problem worth noting in Security Considerations remains questionable. Text about this issue has been added to expose the question during IETF LC. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why. The author has acked that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. (8) Has an IPR disclosure been filed that references this document? If so, summarize any discussion and conclusion regarding the IPR disclosures. There is no IPR disclosure on this document. (9) How solid is the consensus of the interested community behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the interested community as a whole understand and agree with it? The community of people dealing with new EAP types is comparatively small. There is a significant amount of silence around this document; but this should in the shepherd's opinion not be considered as dissent; it's much rather that the existing EAP types cover a large amount of authentication needs "good enough" and that the new features of EAP-pwd are not urgent enough to get interest from a bigger set of people. All existing password-based EAP methods either require a PKIX-style server certificate (which the EAP-pwd base specification already fixes) and/or require storage of the user's password in either clear-text or NTHash formats (which the current draft fixes by adding numerous salted storage variants to the mix). Only this new draft in combination with the base spec allows for user-friendly (no cert messing, no MITM password disclosure risks) and admin-friendly (storage of passwords in a non-weak format) EAP authentication. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No such threat is known. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. The version -06 has a minor style deviation as noted by idnits: == The 'Updates: ' line in the draft header should list only the _numbers_ of the RFCs which will be updated by this document (if approved); it should not include the word 'RFC' in the list. This minor issue can sure be fixed later in the publication process. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. No such formal review is required. (13) Have all references within this document been identified as either normative or informative? Yes. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? All IETF references are issued RFCs. The remaining are a published NIST document (stable) and a Unix man page of a very old part of Unix (crypt()). All of these references can be considered stable. (15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. No downward references. (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the interested community considers it unnecessary. This document updates RFC 5931, but does not change its status. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). The document adds new entries to an existing registry. The IANA Considerations section is consistent with the document's main body. The registry in question is "Specification Required", which this draft satisfies. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. None. (19) Describe reviews and automated checks performed by to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. No such checks are necessary. |
| 2016-08-24 | 06 | Dan Harkins | New version available: draft-harkins-salted-eap-pwd-06.txt |
| 2016-08-19 | 05 | Dan Harkins | New version available: draft-harkins-salted-eap-pwd-05.txt |
| 2016-08-05 | 04 | Dan Harkins | New version available: draft-harkins-salted-eap-pwd-04.txt |
| 2016-06-17 | 03 | Kathleen Moriarty | Notification list changed to "Stefan Winter" <stefan.winter@restena.lu> |
| 2016-06-17 | 03 | Kathleen Moriarty | Document shepherd changed to Stefan Winter |
| 2016-02-19 | 03 | Dan Harkins | New version available: draft-harkins-salted-eap-pwd-03.txt |
| 2016-02-14 | 02 | (System) | Document has expired |
| 2016-02-14 | 02 | (System) | IESG state changed to Dead from AD is watching |
| 2015-11-19 | 02 | Kathleen Moriarty | IESG process started in state AD is watching |
| 2015-11-19 | 02 | Kathleen Moriarty | Intended Status changed to Informational from None |
| 2015-11-19 | 02 | Kathleen Moriarty | Stream changed to IETF from None |
| 2015-11-19 | 02 | Kathleen Moriarty | Shepherding AD changed to Kathleen Moriarty |
| 2015-08-13 | 02 | Dan Harkins | New version available: draft-harkins-salted-eap-pwd-02.txt |
| 2015-01-08 | 01 | Dan Harkins | New version available: draft-harkins-salted-eap-pwd-01.txt |
| 2014-09-30 | 00 | Dan Harkins | New version available: draft-harkins-salted-eap-pwd-00.txt |