rfcdiff: draft-ietf-kitten-password-storage-05.txt (old) vs draft-ietf-kitten-password-storage-06.txt (new). Lines common to both versions appear once; lines that differ are prefixed "-05:" and "-06:".

Common Authentication Technology Next Generation S. Whited
-05: Internet-Draft 1 April 2021
-06: Internet-Draft 6 April 2021
Intended status: Best Current Practice
-05: Expires: 3 October 2021
-06: Expires: 8 October 2021

Best practices for password hashing and storage
-05: draft-ietf-kitten-password-storage-05
-06: draft-ietf-kitten-password-storage-06

Abstract

This document outlines best practices for handling user passwords and
other authenticator secrets in client-server systems making use of
SASL.

Status of This Memo

This Internet-Draft is submitted in full conformance with the

skipping to change at page 1, line 32
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current
Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

-05: This Internet-Draft will expire on 3 October 2021.
-06: This Internet-Draft will expire on 8 October 2021.

Copyright Notice

Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights

skipping to change at page 3, line 35
For clients and servers that support password based authentication
using SASL [RFC4422] it is RECOMMENDED that the following mechanisms
be implemented:

* SCRAM-SHA-256 [RFC7677]
* SCRAM-SHA-256-PLUS [RFC7677]

System entities SHOULD NOT invent their own mechanisms that have not
been standardized by the IETF or another reputable standards body.
-05: Similarly, entities SHOULD NOT implement any mechanism with a usage
-05: status of "OBSOLETE", or "LIMITED" in the IANA SASL Mechanisms
-05: Registry [IANA.sasl.mechanisms] and MUST NOT implement any mechanisms
-05: with a status of "MUST NOT be used". For example, entities SHOULD
-05: NOT implement DIGEST-MD5 (deprecated in [RFC6331]).
-06: Similarly, entities MUST NOT implement any mechanism with a usage
-06: status of "OBSOLETE", or "LIMITED", or "MUST NOT be used" in the IANA
-06: SASL Mechanisms Registry [IANA.sasl.mechanisms]. For example,
-06: entities MUST NOT implement DIGEST-MD5 (deprecated in [RFC6331]).

The SASL mechanisms discussed in this document do not negotiate a
security layer. Because of this a strong security layer such as TLS
[RFC8446] MUST be negotiated before SASL mechanisms can be advertised
or negotiated.

3. Client Best Practices

3.1. Mechanism Pinning

Clients often maintain a list of preferred SASL mechanisms, generally
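Review bot: the -06 wording moves "LIMITED" from the SHOULD NOT tier into the MUST NOT tier next to "OBSOLETE" and "MUST NOT be used", so the two-level distinction the -05 text drew (SHOULD NOT for OBSOLETE/LIMITED, MUST NOT for "MUST NOT be used") disappears, and nothing in the surrounding paragraphs says why; if forbidding LIMITED mechanisms outright is intended, a short rationale or a pointer to what that registry status means would help implementers decide what to rip out, otherwise keep SHOULD NOT for "LIMITED" and MUST NOT for the other two. Minor: `"OBSOLETE", or "LIMITED", or "MUST NOT be used"` doubles the "or"; `"OBSOLETE", "LIMITED", or "MUST NOT be used"` reads more cleanly. The DIGEST-MD5 example is consistent with either reading, since [RFC6331] deprecates it, and the mechanism-pinning text below is unaffected.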
skipping to change at page 13, line 41

[UAX29] Davis, M. and C. Chapman, "Unicode Text Segmentation",
February 2020, <https://www.unicode.org/reports/tr29/>.

Appendix A. Acknowledgments

The author would like to thank the civil servants at the National
Institute of Standards and Technology for their work on the Special
Publications series. U.S. executive agencies are an undervalued
national treasure, and they deserve our thanks.

-05: Thanks also to Cameron Paul and Thomas Copeland for their reviews and
-05: suggestions.
-06: Thanks also to Cameron Paul, Thomas Copeland, Robbie Harwood, Jim
-06: Fenton, and Alexey Melnikov for their reviews and suggestions.

Author's Address

Sam Whited
Atlanta, GA
United States of America

Email: sam@samwhited.com
URI: https://blog.samwhited.com/
End of changes. 6 change blocks; 11 lines changed or deleted, 10 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/