Re: [Standards] XEP-0388: SASL2 enhancements

2022-10-22 Thread Thilo Molitor 
Hi all,

the SASL2  update consists of various parts.
Mixing them doesn't help our discussion and I guess most people will loose 
track sooner or later.
I will therefore start a new thread for every part, to discuss them 
separately.

I also want to stress what MattJ already said:
> New Bind 2 (and SASL2) is already implemented by at least Prosody, 
> Conversations and Monal. We learnt a lot from our collaboration
> and testing, and have tweaked and improved various things along
> the way as we discovered what did and didn't work well during 
> implementation. Overall, I'm pretty happy with what we have working.

-tmolitor


Am Donnerstag, 20. Oktober 2022, 13:49:50 CEST schrieb Marvin W:
> Hi Thilo,
> 
> On Wed, 2022-10-19 at 21:41 +0200, Thilo Molitor wrote:
> > I want us to move away from that "PLAIN is sometimes needed, let's
> > support
> > it in all relevant clients without further interaction by the user
> > and ignore
> > any security implications this might have" stance that seems be
> > common, to
> > something like "only support PLAIN in clients after configured to do
> > so, to not
> > allow for trivial MITM attacks".
> > That's essentially a "default secure" rather a "default insecure"
> > approach.
> 
> You make it sound as if PLAIN over TLS was anywhere near insecure. It's
> not. It's what is protecting your emails, your online banking, your tax
> declaration, ... (at least on first connection, some of these can store
> a token for further use instead of the plain password).
> 
> The main advantage of SCRAM is that clients don't need to store the
> plain password, but can store the SaltedPassword instead. This is still
> a valid credential, but it is restricted to the server (as each server
> would have it's own salt), so if users reuse passwords (which they
> shouldn't, but do anyways), it's not as much of an issue, if the XMPP
> client is attacked, as only the XMPP account would be affected.
> 
> Under certain extreme conditions it might be sensible to put some kind
> of additional security to TLS, for example Signal is known to use
> certificate pinning with their own CA. And for these special cases it's
> worth having something like SCRAM with channel binding specified (and
> both defaulting to it and pinning to it is somewhat sensible).
> 
> But that doesn't mean we should frame PLAIN over TLS as insecure. It's
> not. It also doesn't allow for trivial MITM attacks: If a public CA was
> to issue certificates it shouldn't issue, it will get banned
> immediately (and thanks to certificate transparency we will learn about
> this close to immediately). And if a private CA was installed onto a
> system, the attacker could have installed malware at the same time,
> that would be able to fish the user's password and thereby break
> SCRAM's channel binding.
> 
> Given that there are always usecases where SCRAM cannot be used (RFC
> already mentioned PAM and LDAP, but there are even further, basically
> everything where credentials are not handled by the XMPP server itself)
> 
> > I've split out the SCRAM upgrade task definition into a new ProtoXEP:
> > https://
> > github.com/tmolitor-stud-tu/xeps/tree/scram-upgrades
> > Rendered version:
> > https://dyn.eightysoft.de/final/xep-scram-upgrade.html
> 
> Just wanted to mention that this specification isn't really a "SCRAM
> upgrade", but rather a "change salted password" specification (which
> might be an interesting idea to have, but that's another story),
> because the server has no way to verify that the salted password is the
> same as the previous one when upgrading from SCRAM-SHA-1 to SCRAM-SHA-
> 256.
> 
> I also question the proposed upgrade mechanism in general. The server
> can only suggest mechanisms independent of the user's account name. If
> the server previously only stored SCRAM-SHA-1 secrets and some users
> upgraded but others didn't, the list can't be used meaningfully. What
> we'd need here is a new error code for the server to tell the client
> after the  message that the user can't use SCRAM-SHA-256
> yet, but will be able to do so after some upgrade operation being
> performed (which probably entails sending the password in plain).
> A client that is trying to do SCRAM-SHA-256 when the server doesn't
> have matching credentials yet must have the plain password at hand
> already (as it can't have the SaltedPassword yet due to lack of salt),
> so it is already prepared to provide it. If channel binding is desired
> for security reasons, one could also do a SCRAM-SHA-1-PLUS before
> sending the password to the server in plain.
> 
> Marvin
> ___
> Standards mailing list
> Info: https://mail.jabber.org/mailman/listinfo/standards
> Unsubscribe: standards-unsubscr...@xmpp.org
> ___


___
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe:

Re: [Standards] XEP-0388: SASL2 enhancements

2022-10-22 Thread Thilo Molitor 
Hi Marvin,

> > I've split out the SCRAM upgrade task definition into a new ProtoXEP:
> > https://
> > github.com/tmolitor-stud-tu/xeps/tree/scram-upgrades
> > Rendered version:
> > https://dyn.eightysoft.de/final/xep-scram-upgrade.html
> 
> Just wanted to mention that this specification isn't really a "SCRAM
> upgrade", but rather a "change salted password" specification (which
> might be an interesting idea to have, but that's another story),
> because the server has no way to verify that the salted password is the
> same as the previous one when upgrading from SCRAM-SHA-1 to SCRAM-SHA-
> 256.
Well, if a client used different passwords to generate she SCRAM-SHA-256 hash
than was used for the SCRAM-SHA-1, mere chaos would evolve.
But you are right: we should add wording to XEP-0388 that the password used 
for the new hash MUST be the same as used to log in the client in the first 
place.

> I also question the proposed upgrade mechanism in general. The server
> can only suggest mechanisms independent of the user's account name. If
> the server previously only stored SCRAM-SHA-1 secrets and some users
> upgraded but others didn't, the list can't be used meaningfully. What
> we'd need here is a new error code for the server to tell the client
> after the  message that the user can't use SCRAM-SHA-256
> yet, but will be able to do so after some upgrade operation being
> performed (which probably entails sending the password in plain).
> A client that is trying to do SCRAM-SHA-256 when the server doesn't
> have matching credentials yet must have the plain password at hand
> already (as it can't have the SaltedPassword yet due to lack of salt),
> so it is already prepared to provide it. If channel binding is desired
> for security reasons, one could also do a SCRAM-SHA-1-PLUS before
> sending the password to the server in plain.
You misunderstood the upgrade tasks: the server knows perfectly well which 
SASL mechanisms a specific account can be upgraded to and which mechanisms can 
already be used right away (the "from"-attribute of the stream header tells it 
which account the client wants to upgrade).
Of course the server has to store all hashes independently (e.g. two database 
fields, one for SCRAM-SHA-1 and one for SCRAM-SHA-256). This wasn't outlined in 
the XEP because I figured details on the storage implementations of servers 
were out of scope for this XEP. But I could well add some wording that all 
hashes should be stored on the server, not only one of them.

-tmolitor



___
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
___

Re: [Standards] XEP-0388: SASL2 enhancements

2022-10-20 Thread Marvin W 
Hi Thilo,

On Wed, 2022-10-19 at 21:41 +0200, Thilo Molitor wrote:
> I want us to move away from that "PLAIN is sometimes needed, let's
> support 
> it in all relevant clients without further interaction by the user
> and ignore 
> any security implications this might have" stance that seems be
> common, to 
> something like "only support PLAIN in clients after configured to do
> so, to not 
> allow for trivial MITM attacks".
> That's essentially a "default secure" rather a "default insecure"
> approach.

You make it sound as if PLAIN over TLS was anywhere near insecure. It's
not. It's what is protecting your emails, your online banking, your tax
declaration, ... (at least on first connection, some of these can store
a token for further use instead of the plain password).

The main advantage of SCRAM is that clients don't need to store the
plain password, but can store the SaltedPassword instead. This is still
a valid credential, but it is restricted to the server (as each server
would have it's own salt), so if users reuse passwords (which they
shouldn't, but do anyways), it's not as much of an issue, if the XMPP
client is attacked, as only the XMPP account would be affected.

Under certain extreme conditions it might be sensible to put some kind
of additional security to TLS, for example Signal is known to use
certificate pinning with their own CA. And for these special cases it's
worth having something like SCRAM with channel binding specified (and
both defaulting to it and pinning to it is somewhat sensible).

But that doesn't mean we should frame PLAIN over TLS as insecure. It's
not. It also doesn't allow for trivial MITM attacks: If a public CA was
to issue certificates it shouldn't issue, it will get banned
immediately (and thanks to certificate transparency we will learn about
this close to immediately). And if a private CA was installed onto a
system, the attacker could have installed malware at the same time,
that would be able to fish the user's password and thereby break
SCRAM's channel binding.

Given that there are always usecases where SCRAM cannot be used (RFC
already mentioned PAM and LDAP, but there are even further, basically
everything where credentials are not handled by the XMPP server itself)


> I've split out the SCRAM upgrade task definition into a new ProtoXEP:
> https://
> github.com/tmolitor-stud-tu/xeps/tree/scram-upgrades
> Rendered version:
> https://dyn.eightysoft.de/final/xep-scram-upgrade.html

Just wanted to mention that this specification isn't really a "SCRAM
upgrade", but rather a "change salted password" specification (which
might be an interesting idea to have, but that's another story),
because the server has no way to verify that the salted password is the
same as the previous one when upgrading from SCRAM-SHA-1 to SCRAM-SHA-
256.

I also question the proposed upgrade mechanism in general. The server
can only suggest mechanisms independent of the user's account name. If
the server previously only stored SCRAM-SHA-1 secrets and some users
upgraded but others didn't, the list can't be used meaningfully. What
we'd need here is a new error code for the server to tell the client
after the  message that the user can't use SCRAM-SHA-256
yet, but will be able to do so after some upgrade operation being
performed (which probably entails sending the password in plain).
A client that is trying to do SCRAM-SHA-256 when the server doesn't
have matching credentials yet must have the plain password at hand
already (as it can't have the SaltedPassword yet due to lack of salt),
so it is already prepared to provide it. If channel binding is desired
for security reasons, one could also do a SCRAM-SHA-1-PLUS before
sending the password to the server in plain.

Marvin
___
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
___

Re: [Standards] XEP-0388: SASL2 enhancements

2022-10-19 Thread Thilo Molitor 
Hi Matthew,

> There are deployments that require PLAIN. That is unlikely to change
> (ever). However this doesn't stop clients from being smart, e.g. by
> pinning support for SCRAM and refusing to downgrade. I don't know if
> any clients actually do this.
Yes, those deployments do exist.
But I want us to move away from that "PLAIN is sometimes needed, let's support 
it in all relevant clients without further interaction by the user and ignore 
any security implications this might have" stance that seems be common, to 
something like "only support PLAIN in clients after configured to do so, to not 
allow for trivial MITM attacks".
That's essentially a "default secure" rather a "default insecure" approach.

While pinning is a valid approach it has some downsides, too.
It does not cover the first connection and depends on ordering of mechanisms.
If you upgrade the pinning to stronger mechanisms as soon as the server 
advertises them, you'll break authentication for your client if the server 
operator just briefly activated these stronger mechanisms and deactivates them 
again.
If you don't upgrade your pinning, your client will remain on a sort of 
security baseline that eventually will be outdated over the years and 
virtually be as good as no pinning at all.

Because all of these I consider pinning to be some solution of last resort if 
you can't come up with something better rather than a go-to solution one 
should always use.

> There is a separate issue which was brought up by Dave in his review,
> which is the inclusion of the upgrade tasks in this XEP. As far as I
> am aware, nobody is opposing the upgrade tasks themselves (I certainly
> think they are desperately needed). The problem is that they are not
> part of the SASL2 framework itself. Just like we don't plan to define
> every possible post-authentication task in this XEP, these tasks are
> mechanism-specific and they don't need to be in XEP-0388. Copy/paste
> them into a new document, and I think everyone will be happy.
I've split out the SCRAM upgrade task definition into a new ProtoXEP: https://
github.com/tmolitor-stud-tu/xeps/tree/scram-upgrades
Rendered version: https://dyn.eightysoft.de/final/xep-scram-upgrade.html

-tmolitor



___
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
___

Re: [Standards] XEP-0388: SASL2 enhancements

2022-10-19 Thread Matthew Wild 
On Wed, 19 Oct 2022 at 14:23, Thilo Molitor  wrote:
>
> Hi Daniel,
>
> Daniel Gultsch wrote:
> > Inline + User-Agent good. Very skeptical on forbidding PLAIN and the
> dependency on channel binding.
> It's not forbidding PLAIN, but highlights what is already described in RFC
> 6120 section 13.8.3, but seems to have been forgotten: PLAIN should not be
> used if it's not absolutely needed.
> Why is that so? Because any channel-binding falls apart if the client supports
> PLAIN. Thus it's always possible to downgrade the client to use PLAIN.

> Today almost every client still supports PLAIN and will happily negotiate it
> without any warning to the user and without being hidden behind a "Activate
> legacy authentication" knob that has to be enabled by the user first.

There are deployments that require PLAIN. That is unlikely to change
(ever). However this doesn't stop clients from being smart, e.g. by
pinning support for SCRAM and refusing to downgrade. I don't know if
any clients actually do this.

> > I don’t yet have on opinion on the tasks issue.
> Well, if we don't have a way to upgrade the SCRAM hashes stored on the server,
> we won't be able to gradually phase out SCRAM-SHA-1 to use the more secure
> SCRAM-SHA-256.

I think there are two "tasks issue"s being confused here.

The "tasks issue" that I was referring to (and I assume Daniel too)
was specifically about the task syntax (base64 vs arbitrary XML
payloads). I don't have a strong opinion on this right now, mainly
because I haven't properly tried to use either format yet. While
working on rough draft flows for MFA, I did find base64 and the
next/continue framework very limiting, but I understand why the spec
was written as it is, so I think any changes do deserve attention.

There is a separate issue which was brought up by Dave in his review,
which is the inclusion of the upgrade tasks in this XEP. As far as I
am aware, nobody is opposing the upgrade tasks themselves (I certainly
think they are desperately needed). The problem is that they are not
part of the SASL2 framework itself. Just like we don't plan to define
every possible post-authentication task in this XEP, these tasks are
mechanism-specific and they don't need to be in XEP-0388. Copy/paste
them into a new document, and I think everyone will be happy.

Regards,
Matthew
___
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
___

Re: [Standards] XEP-0388: SASL2 enhancements

2022-10-19 Thread Thilo Molitor 
I've pushed a new commit partly addressing some of Dave's concerns: https://
github.com/xsf/xeps/pull/1214/commits/2a0a894f8ea606d9bbf894f85c3c306c8166cb54

Up to date rendering: https://dyn.eightysoft.de/final/xep-0388.html
Up to date diff: https://dyn.eightysoft.de/final/xep-0388-diff.html

-tmolitor



___
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
___

Re: [Standards] XEP-0388: SASL2 enhancements

2022-10-19 Thread Thilo Molitor 
Hi Daniel,

Daniel Gultsch wrote:
> Inline + User-Agent good. Very skeptical on forbidding PLAIN and the 
dependency on channel binding.
It's not forbidding PLAIN, but highlights what is already described in RFC 
6120 section 13.8.3, but seems to have been forgotten: PLAIN should not be 
used if it's not absolutely needed.
Why is that so? Because any channel-binding falls apart if the client supports 
PLAIN. Thus it's always possible to downgrade the client to use PLAIN.

A client supporting PLAIN will never have to implement SCRAM nor channel-
binding. Implementing these just does not make any sense if an attacker able 
to break into the TLS layer can always downgrade authentication to use PLAIN, 
circumventing any SCRAM or channel-binding.
If, on the other hand, we assume TLS to always be secure, than we won't have 
to implement SCRAM and channel-binding either.
There is no need in implementing SCRAM or channel-binding to secure something 
we deem to be always secure by definition.

Today almost every client still supports PLAIN and will happily negotiate it 
without any warning to the user and without being hidden behind a "Activate 
legacy authentication" knob that has to be enabled by the user first.


Now to the dependency on channel-binding: that was not meant to be a hard 
dependency, but if a client or server supports channel-binding it MUST use 
XEP-0440 to negotiate which binding to use. And it SHOULD only use upgrade 
tasks if channel-binding is in use to make sure an attacker won't be able to 
intercept the SCRAM hash (or any other authentication data) that could later 
be used to impersonate the client/user.

If I accidentally made the channel-binding a hard dependency, I'm happy to fix 
that. Just point me to the part of the XEP I should change.

> I don’t yet have on opinion on the tasks issue.
Well, if we don't have a way to upgrade the SCRAM hashes stored on the server, 
we won't be able to gradually phase out SCRAM-SHA-1 to use the more secure 
SCRAM-SHA-256.
You'll either have to store the password on the server in plaintext or only 
offer SCRAM-SHA-1. There are good reasons to not store passwords in plaintext 
on the server, but use salted hashes: https://prosody.im/doc/plain_or_hashed
Prosody even defaults to hashed now.
That means you won't be able to upgrade to SCRAM-SHA-256 if these upgrade 
tasks weren't included in SASL2. (You could of course force the complete 
userbase of a server into resetting their passwords to switch from SHA-1 to 
SHA-256, but that's obviously very bad UX.)
This upgrade problem has been mentioned in 2019 here on list already: https://
mail.jabber.org/pipermail/standards/2019-January/035720.html


I've written a blog post that more or less describes all of the rationale 
behind my changes to this XEP over here: https://monal-im.org/post/4-sasl/

-tmolitor



___
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
___

Re: [Standards] XEP-0388: SASL2 enhancements

2022-10-19 Thread Daniel Gultsch 
On Tue, Oct 18, 2022 at 10:11 PM Matthew Wild  wrote:

> > …do we really need ?

Yes. The ability to announce that a certain feature a) exists b)
supports SASL2 inline must be announced.
For example regular SM might not even be announced prior to authentication.

The only question is if we create a new top level stream feature
called  (we briefly had that in one of our drafts IIRC) or
if we bunch up all line features in a wrapper element called 

If we ever do a SM2 your just include everything opportunistically
approach falls apart.

I mean feature announcements are an integral part to XMPP. I'm not
sure why SASL2 inlining would be the place to get rid of it.


> New Bind 2 is already implemented by at least Prosody, Conversations
> and Monal. We learnt a lot from our collaboration and testing, and
> have tweaked and improved various things along the way as we
> discovered what did and didn't work well during implementation.
> Overall, I'm pretty happy with what we have working.

I agree. SASL2 + Bind 2 + inline SM + token auth is a great combination.

cheers
Daniel
___
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
___

Re: [Standards] XEP-0388: SASL2 enhancements

2022-10-19 Thread Daniel Gultsch 
Hi,

without trying to rehash what Matthew said I just wanted to give my +1
to everything he said.

Inline + User-Agent good. Very skeptical on forbidding PLAIN and the
dependency on channel binding.

I don’t yet have on opinion on the tasks issue.

cheers
Daniel

On Tue, Oct 18, 2022 at 4:02 PM Matthew Wild  wrote:
>
> Hi folks,
>
> For context, there is an update to XEP-0388 (SASL2) pending:
>
>   PR: https://github.com/xsf/xeps/pull/1214
>   HTML: https://dyn.eightysoft.de/final/xep-0388.html
>   HTML (diff): https://matthewwild.co.uk/uploads/xep-0388-diff.html
>
> As per policy, we're bringing any substantial discussion to the
> mailing list. Nevertheless, you'll find an initial review by Dave
> (original author of the XEP) at the above link.
>
> We have quite a few prototype implementations of (many of) the new
> changes already in Prosody, Conversations, Monal, Gajim and Siskin.
>
> The main changes that I'm interested in are the following:
>
> 1) Advertisement of supported "inline" features
>
> One of the initial premises of SASL2 was that you would be able to
> negotiate various other things at the same time as authenticating. For
> example, this quote from the original XEP:
>
> "In order to provide support for other desired stream states beyond
> authentication, additional child elements are used. For example, a
> hypothetical XEP-0198 session resumption element might be included,
> and/or Resource Binding requests."
>
> To make it easier to talk about, I generally refer to this feature as
> "inlining" (which is different to pipelining, another similar method
> to reduce round-trips).
>
> While implementing, I quickly realised that the server supporting
> SASL2 and also supporting XEP-0198 is not enough information to
> determine that the server supports negotiating XEP-0198 inline within
> SASL2. For this reason we added the  element within the SASL2
> stream feature element. This  lists the features that are
> supported for SASL2 inlining. An example of this can be found here:
> https://dyn.eightysoft.de/final/xep-0388.html#example-2
>
> It's important to stress that, despite calling out XEP-0198 and Bind 2
> in the changelog and text, this is intended for example purposes only.
> There is no intention to increase the scope of XEP-0388 to cover which
> specific protocols can be negotiated (in fact this is the whole reason
> for introducing  as an extension point).
>
> Therefore, the exact rules for handling inlining of features are to be
> specified elsewhere. For example, there is a proposed update to
> XEP-0198 for exactly this: https://github.com/xsf/xeps/pull/1215
>
> I have also submitted an update proposal for XEP-0386 Bind 2, which
> uses  to advertise support (it will need to be revised if
>  is not accepted).
>
> 2) 
>
> One thing that has always frustrated me with our current
> authentication flow is that things like per-device credentials were
> impossible to do (securely). It's possible for e.g. PLAIN that a
> server could iterate through a list of acceptable passwords. But this
> doesn't work for more advanced mechanisms such as SCRAM. The same
> issue applies to token authentication, if we want to support fancier
> mechanisms such as Florian's HT-* proposal.
>
> We solved this by adding a stable client identifier. Its value and
> lifetime are client-chosen, but it allows the server to scope
> credentials to a specific client. This allows per-device credentials,
> more advanced authentication flows, and finally opens up the door to
> being able to view and manage what clients currently have access to
> your account (something that is invisible when all you have is a
> single password shared across all your clients).
>
> It also provides a foundation for many other advanced features, such
> as the server being able to associate things like push registrations
> to specific clients, and therefore stop pushing data to client
> developer push services if you no longer use their client (although we
> already attempt such cleanup, it's pretty hacky and unreliable right
> now).
>
> As well as the client identifier, the element optionally allows the
> client to include software and platform name. This can be used for
> diagnostic purposes ("what is this client that always fails to
> connect?") as well as allowing the server to provide more information
> to users about what is accessing their account.
>
> Now, there are some other changes in this update. My reading of Dave's
> review is that features related to specific mechanisms (such as the
> SCRAM upgrade) are out of scope for this document. I think I agree
> with that assessment. Likewise, channel binding is already covered by
> XEP-0440 and individual mechanisms. It would be good to keep this XEP
> as a mechanism-agnostic framework.
>
> Finally, I'm on the fence about one thing: switching the task syntax
> from base64 data to XML (and separately, dropping the
> / framework). I'll start a separate thread about this,
> as it probably

Re: [Standards] XEP-0388: SASL2 enhancements

2022-10-18 Thread Matthew Wild 
Hi Florian,

On Tue, 18 Oct 2022 at 18:55, Florian Schmaus  wrote:
> On 18/10/2022 16.01, Matthew Wild wrote:
> > 1) Advertisement of supported "inline" features
> > […]
> > While implementing, I quickly realised that the server supporting
> > SASL2 and also supporting XEP-0198 is not enough information to
> > determine that the server supports negotiating XEP-0198 inline within
> > SASL2. For this reason we added the  element within the SASL2
> > stream feature element. This  lists the features that are
> > supported for SASL2 inlining. An example of this can be found here:
> > https://dyn.eightysoft.de/final/xep-0388.html#example-2
>
> …do we really need ?
>
> Couldn't clients create a sasl2  nonza, opportunistically
> adding all extensions the client suspects, derived from the stream
> features, that server supports via bind2? Then we only need to require
> that the server (briefly) acknowledges each supported feature in the
> response, which is potentially already the case for the majority of
> features.

I don't immediately see a reason why this really couldn't work, but it
seems a bit awkward to me. Firstly, some extensions (such as bind2)
can get a bit verbose, and I guess it's potentially a bunch of
duplicated traffic on every connection. Also, it assumes that
everything has a response from the server. New Bind 2 has a similar
model, and there CSI does not have a response (just like when it's not
inlined).

> Features that the server does not support via sasl2, and hence where not
> acknowledged, could be enabled "traditionally" by the client. This is
> something clients may want to support anyway, in case the server does
> not announce the feature , but otherwise supports it. Or am I
> mistaken here?

I don't see why a server would support inlining a feature but not
announce it correctly.

> In any case, I feel that , and related mechanisms, is more
> bind2 territory than sasl2. If  stays in sasl2, then wouldn't
> we potentially end-up with  in bind2 too?

New Bind 2 does indeed have its own  too :)

The split is between things that are enabled before resource binding,
and those that are enabled after resource binding. You can see an
example here: https://matthewwild.co.uk/uploads/xeps-tmp/xep-0386.html#example-1

> Luckily we appear to have already some implementations of the proposed
> protocol (changes). Could the maintainers of such implementations maybe
> provide some real world exchanges of the (currently) most sophisticated
> sasl2 XMPP-session establishments currently being performed. I am
> thinking of MAM, carbons, SM resumption, and more. I would like to get a
> better understanding how sasl2 can be used with existing widely-deployed
> protocols and with bind2. Or is bind2 outside the scope (for now?)?

New Bind 2 is already implemented by at least Prosody, Conversations
and Monal. We learnt a lot from our collaboration and testing, and
have tweaked and improved various things along the way as we
discovered what did and didn't work well during implementation.
Overall, I'm pretty happy with what we have working.

I think we have the opportunity right now to determine a new login
flow that will see us through the next 20 years of XMPP. Over the past
couple of decades we've bolted various things on (XEP-0198, carbons,
etc.) that are almost universally implemented. This has led to the
stream setup process getting quite difficult to explain to newcomers,
increased complexity in clients and gradually worse performance on
poor networks due to the required round-trips.

We all knew about the problem - SASL2 and Bind 2 have been waiting in
the wings for a while now, and combined together they allow the client
to describe its desired stream state to the server, and the server to
respond with the final state. Ideally these updates provide the XEPs
with enough polish to make implementations practical and useful.

Once SASL2/Bind2/XEP-0198 updates have settled, I plan to write up an
informational XEP, mostly of examples, demonstrating possible
connection flows.

Meanwhile, as requested, here is an example flow from a real client
(with some replacement of identifiers, etc.):
https://matthewwild.co.uk/uploads/sasl2-example.xml

In this flow, the client is using token auth, but SCRAM would be
pretty much the same with the addition of a  and 
in the middle. As well as resource binding, it also shows the client
requesting to resume a XEP-0198 session, but the server responds that
the session has expired. Because of this, the server proceeds to
process the resource bind request, which includes a request to enable
XEP-0198, and a new session is successfully established.

Hopefully this helps put some of this stuff into context.

Regards,
Matthew
___
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
___

Re: [Standards] XEP-0388: SASL2 enhancements

2022-10-18 Thread Florian Schmaus 

Thanks Matt (and others) for pursuing this, IMHO very worthwhile goal.

I think I like what I've seen so far, but…

On 18/10/2022 16.01, Matthew Wild wrote:

1) Advertisement of supported "inline" features
[…]
While implementing, I quickly realised that the server supporting
SASL2 and also supporting XEP-0198 is not enough information to
determine that the server supports negotiating XEP-0198 inline within
SASL2. For this reason we added the  element within the SASL2
stream feature element. This  lists the features that are
supported for SASL2 inlining. An example of this can be found here:
https://dyn.eightysoft.de/final/xep-0388.html#example-2


…do we really need ?

Couldn't clients create a sasl2  nonza, opportunistically 
adding all extensions the client suspects, derived from the stream 
features, that server supports via bind2? Then we only need to require 
that the server (briefly) acknowledges each supported feature in the 
response, which is potentially already the case for the majority of 
features.


Features that the server does not support via sasl2, and hence where not 
acknowledged, could be enabled "traditionally" by the client. This is 
something clients may want to support anyway, in case the server does 
not announce the feature , but otherwise supports it. Or am I 
mistaken here?



In any case, I feel that , and related mechanisms, is more 
bind2 territory than sasl2. If  stays in sasl2, then wouldn't 
we potentially end-up with  in bind2 too?


Luckily we appear to have already some implementations of the proposed 
protocol (changes). Could the maintainers of such implementations maybe 
provide some real world exchanges of the (currently) most sophisticated 
sasl2 XMPP-session establishments currently being performed. I am 
thinking of MAM, carbons, SM resumption, and more. I would like to get a 
better understanding how sasl2 can be used with existing widely-deployed 
protocols and with bind2. Or is bind2 outside the scope (for now?)?


- Flow


OpenPGP_signature
Description: OpenPGP digital signature
___
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
___

[Standards] XEP-0388: SASL2 enhancements

2022-10-18 Thread Matthew Wild 
Hi folks,

For context, there is an update to XEP-0388 (SASL2) pending:

  PR: https://github.com/xsf/xeps/pull/1214
  HTML: https://dyn.eightysoft.de/final/xep-0388.html
  HTML (diff): https://matthewwild.co.uk/uploads/xep-0388-diff.html

As per policy, we're bringing any substantial discussion to the
mailing list. Nevertheless, you'll find an initial review by Dave
(original author of the XEP) at the above link.

We have quite a few prototype implementations of (many of) the new
changes already in Prosody, Conversations, Monal, Gajim and Siskin.

The main changes that I'm interested in are the following:

1) Advertisement of supported "inline" features

One of the initial premises of SASL2 was that you would be able to
negotiate various other things at the same time as authenticating. For
example, this quote from the original XEP:

"In order to provide support for other desired stream states beyond
authentication, additional child elements are used. For example, a
hypothetical XEP-0198 session resumption element might be included,
and/or Resource Binding requests."

To make it easier to talk about, I generally refer to this feature as
"inlining" (which is different to pipelining, another similar method
to reduce round-trips).

While implementing, I quickly realised that the server supporting
SASL2 and also supporting XEP-0198 is not enough information to
determine that the server supports negotiating XEP-0198 inline within
SASL2. For this reason we added the  element within the SASL2
stream feature element. This  lists the features that are
supported for SASL2 inlining. An example of this can be found here:
https://dyn.eightysoft.de/final/xep-0388.html#example-2

It's important to stress that, despite calling out XEP-0198 and Bind 2
in the changelog and text, this is intended for example purposes only.
There is no intention to increase the scope of XEP-0388 to cover which
specific protocols can be negotiated (in fact this is the whole reason
for introducing  as an extension point).

Therefore, the exact rules for handling inlining of features are to be
specified elsewhere. For example, there is a proposed update to
XEP-0198 for exactly this: https://github.com/xsf/xeps/pull/1215

I have also submitted an update proposal for XEP-0386 Bind 2, which
uses  to advertise support (it will need to be revised if
 is not accepted).

2) 

One thing that has always frustrated me with our current
authentication flow is that things like per-device credentials were
impossible to do (securely). It's possible for e.g. PLAIN that a
server could iterate through a list of acceptable passwords. But this
doesn't work for more advanced mechanisms such as SCRAM. The same
issue applies to token authentication, if we want to support fancier
mechanisms such as Florian's HT-* proposal.

We solved this by adding a stable client identifier. Its value and
lifetime are client-chosen, but it allows the server to scope
credentials to a specific client. This allows per-device credentials,
more advanced authentication flows, and finally opens up the door to
being able to view and manage what clients currently have access to
your account (something that is invisible when all you have is a
single password shared across all your clients).

It also provides a foundation for many other advanced features, such
as the server being able to associate things like push registrations
to specific clients, and therefore stop pushing data to client
developer push services if you no longer use their client (although we
already attempt such cleanup, it's pretty hacky and unreliable right
now).

As well as the client identifier, the element optionally allows the
client to include software and platform name. This can be used for
diagnostic purposes ("what is this client that always fails to
connect?") as well as allowing the server to provide more information
to users about what is accessing their account.

Now, there are some other changes in this update. My reading of Dave's
review is that features related to specific mechanisms (such as the
SCRAM upgrade) are out of scope for this document. I think I agree
with that assessment. Likewise, channel binding is already covered by
XEP-0440 and individual mechanisms. It would be good to keep this XEP
as a mechanism-agnostic framework.

Finally, I'm on the fence about one thing: switching the task syntax
from base64 data to XML (and separately, dropping the
/ framework). I'll start a separate thread about this,
as it probably needs more discussion and this email is long enough
already.

Regards,
Matthew
___
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
___