Session Recording
Session Date/Time: 17 Mar 2025 08:30
kitten
Summary
The KITTEN working group meeting focused on discussions around two-factor authentication and related topics. Key areas included quick re-authentication mechanisms, particularly the HT family and "Remember Me", the SASL Passkey draft, and updates on SCRAM for 2FA. The meeting also featured a presentation on passkey authentication and its potential application in email clients. A significant portion of the discussion was dedicated to the challenges and possibilities of using passkeys with generic mail user agents.
Key Discussion Points
- Passkey Authentication (SASL Passkey):
  - The group discussed the benefits of passkeys for users, client implementers, server implementers, and administrators, comparing them to passwords and OAuth 2.
  - Ben Bucksch and Stephen Farrell presented a proposal for using SASL Passkey for the initial setup of mail clients, followed by "Remember Me" tokens for continuous re-authentication.
  - There was a debate on whether generic mail user agents (like Thunderbird) can effectively use passkeys, especially concerning the origin and relying party concepts in WebAuthn.
  - Tim Cappalli raised concerns about mail apps not being entitled to signatures for origins they don't own and suggested using established OAuth patterns for third-party authentication.
  - Dean Sacks suggested engaging with the FIDO Alliance to align with the broader passkey ecosystem.
- SASL Hash Token (SASL HT):
  - Florian presented an update on the SASL HT mechanism for quick connection re-establishment, particularly in XMPP.
  - The presentation covered the token-based approach, hashing with TLS channel binding data, and the mechanism's current state and adoption in XMPP.
  - The discussion touched upon a wire format change in the latest draft and how to handle existing deployments.
  - Arndt raised concerns about the mechanism's reliance on a single TCP connection and its implications for Happy Eyeballs and multiple connections.
  - The group considered the appropriate token invalidation policy after single or multiple uses.
  - Integrating 0-RTT data to speed up reconnection was also discussed.
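An added illustration of the token-based, channel-bound re-authentication flow described above, with the single-use versus multi-use invalidation policy the group discussed (constructed example, not code from the SASL HT draft or from any XMPP implementation). The "Initiator"/"Responder" labels, the choice of HMAC-SHA-256 and the server-side token store are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example of an HT-style quick re-authentication exchange.
# Labels, hash choice and the invalidation policy are assumptions made here.


def initiator_proof(token: bytes, cb_data: bytes) -> bytes:
    """Client proof: HMAC keyed with the token over this connection's TLS channel binding data."""
    return hmac.new(token, b"Initiator" + cb_data, hashlib.sha256).digest()


def responder_proof(token: bytes, cb_data: bytes) -> bytes:
    """Server proof, bound to the same channel, so the client can also verify the server."""
    return hmac.new(token, b"Responder" + cb_data, hashlib.sha256).digest()


class HtServer:
    """Holds issued tokens and applies the invalidation policy on each successful use."""

    def __init__(self, single_use: bool = True) -> None:
        self.single_use = single_use
        self.tokens: dict = {}

    def issue_token(self, user: str) -> bytes:
        # Issued once after a full authentication (e.g. password or passkey).
        token = secrets.token_bytes(32)
        self.tokens[user] = token
        return token

    def authenticate(self, user: str, proof: bytes, cb_data: bytes) -> Optional[bytes]:
        token = self.tokens.get(user)
        if token is None:
            return None  # unknown user, or token already invalidated
        if not hmac.compare_digest(initiator_proof(token, cb_data), proof):
            return None  # wrong token, or proof computed on a different TLS connection
        if self.single_use:
            del self.tokens[user]  # one successful use consumes the token
        return responder_proof(token, cb_data)


def client_reconnect(server: HtServer, user: str, token: bytes, cb_data: bytes) -> bool:
    """Client side: send the proof, then check the server's answer against the same channel."""
    answer = server.authenticate(user, initiator_proof(token, cb_data), cb_data)
    return answer is not None and hmac.compare_digest(answer, responder_proof(token, cb_data))
```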
Decisions and Action Items
- SASL Passkey: Experimentation is required to determine whether this system is viable.
- SASL HT: Decide how to deal with the wire format change (rename the mechanism or expect fallback). Email discussion is required.
Next Steps
- Continue discussion of SASL Passkey and SASL HT on the mailing list.
- Evaluate interest in an interim online meeting within the next month to further discuss SASL HT.
- Investigate quick re-authentication mechanisms.