Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation

Josh Howlett <Josh.Howlett@ja.net> Sun, 12 December 2010 08:28 UTC

From: Josh Howlett <Josh.Howlett@ja.net>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, Luke Howard <lukeh@padl.com>
Date: Sun, 12 Dec 2010 08:30:07 +0000
Cc: Josh Howlett <Josh.Howlett@ja.net>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, "pgut001@cs.auckland.ac.nz" <pgut001@cs.auckland.ac.nz>, Yoav Nir <ynir@checkpoint.com>, websec <websec@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation

AbFab is defining a GSS EAP mechanism that can encapsulate the EAP methods you mention. This mechanism could be run over SASL-TLS using GS2.

Josh.

--- original message ---
From: "Yaron Sheffer" <yaronf.ietf@gmail.com>
Subject: Re: [kitten] [saag] HTTP authentication: the next generation
Date: 12th December 2010
Time: 7:36:41 am


Hi Luke,

I am not a big fan of EAP myself (although I am a co-author on Yoav's
TLS-EAP), but no, for pragmatic reasons SASL is not the moral equivalent.

There are a number of EAP methods that provide zero-knowledge password
based mutual authentication (i.e. password based auth that's *not*
susceptible to dictionary attacks). These include (see
http://www.iana.org/assignments/eap-numbers/eap-numbers.xml#eap-numbers-3):
EAP-SRP-SHA1, EAP-pwd, EAP-EKE and EAP-SPEKE.

As far as I can see
(http://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml),
SASL does not provide any equivalent method.

Thanks,
        Yaron

On 12/12/2010 03:38 AM, Luke Howard wrote:
>
> On 12/12/2010, at 10:10 AM, Yoav Nir wrote:
>
>>
>> On Dec 11, 2010, at 1:09 AM, Paul Hoffman wrote:
>>
>>> At 3:53 PM -0700 12/10/10, Peter Saint-Andre wrote:
>>>> Other than that, I'm not aware of much activity. What have I missed?
>>>
>>> TLS client certificates.
>>
>> TLS client certificates work, but as we've learned both with the web and with IPsec clients, people would much rather not use them. A few IETFs ago (Chicago?), a bunch of us tried to push the idea of TLS with EAP authentication.
>>
>> http://tools.ietf.org/html/draft-nir-tls-eap
>
> Does draft-williams-tls-app-sasl-opt-04.txt + abfab get you the moral equivalent?
>
> -- Luke

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
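Yaron's message in the thread above names EAP methods (EAP-SRP-SHA1, EAP-pwd, EAP-EKE, EAP-SPEKE) whose distinguishing property is password-based mutual authentication where a captured transcript gives an eavesdropper nothing to run a dictionary attack against. The block below is an added illustration of that property and is not code from any message in this thread, from ABFAB, or from any of the cited specifications: it is a compact SRP-6a exchange (the protocol family EAP-SRP-SHA1 is built on) in Python, using the 1024-bit group from RFC 5054 Appendix A and SHA-256. The 16-byte random salt, the simplified proof messages M1 and M2, and the small group size are choices made for the demo, not the encodings any EAP or SASL mechanism uses; a real deployment would use a 2048-bit or larger group.

```python
"""SRP-6a (RFC 5054 style) password-authenticated key exchange, demo only."""
import hashlib
import hmac
import secrets

# 1024-bit SRP group from RFC 5054 Appendix A: N is a safe prime, generator 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding, as RFC 5054 requires before hashing."""
    return x.to_bytes(NLEN, "big")


def hash_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = hash_int(pad(N), pad(g))  # SRP-6a multiplier parameter


def private_x(salt: bytes, username: bytes, password: bytes) -> int:
    """x = H(salt | H(username ':' password)); only the client ever computes this."""
    inner = hashlib.sha256(username + b":" + password).digest()
    return hash_int(salt, inner)


def enroll(username: bytes, password: bytes):
    """Registration: the server stores (salt, v = g^x mod N), never the password."""
    salt = secrets.token_bytes(16)  # demo choice; format is not from any spec
    return salt, pow(g, private_x(salt, username, password), N)


class Server:
    def __init__(self, username: bytes, salt: bytes, verifier: int):
        self.username, self.salt, self.v = username, salt, verifier

    def challenge(self, A: int):
        if A % N == 0:  # RFC 5054 section 2.5.4: reject a degenerate client value
            raise ValueError("illegal client public value")
        self.A = A
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def finish(self, M1: bytes) -> bytes:
        u = hash_int(pad(self.A), pad(self.B))
        S = pow(self.A * pow(self.v, u, N), self.b, N)
        self.K = hashlib.sha256(pad(S)).digest()
        expected = hashlib.sha256(pad(self.A) + pad(self.B) + self.K).digest()
        if not hmac.compare_digest(expected, M1):  # constant-time comparison
            raise PermissionError("client proof invalid: wrong password or tampering")
        # Server's proof back to the client (simplified M2 form for the demo).
        return hashlib.sha256(pad(self.A) + M1 + self.K).digest()


class Client:
    def __init__(self, username: bytes, password: bytes):
        self.username, self.password = username, password
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("illegal server public value")
        u = hash_int(pad(self.A), pad(B))
        x = private_x(salt, self.username, self.password)
        # S = (B - k*g^x)^(a + u*x): only someone who knows x gets the server's S.
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(pad(S)).digest()
        self.M1 = hashlib.sha256(pad(self.A) + pad(B) + self.K).digest()
        return self.M1

    def verify(self, M2: bytes) -> bool:
        expected = hashlib.sha256(pad(self.A) + self.M1 + self.K).digest()
        return hmac.compare_digest(expected, M2)


def run_exchange(username: bytes, enrolled: bytes, attempted: bytes) -> bool:
    """Full handshake; True only if both sides authenticate and derive the same K."""
    salt, v = enroll(username, enrolled)
    server = Server(username, salt, v)
    client = Client(username, attempted)
    salt, B = server.challenge(client.A)   # client -> server: A; server -> client: s, B
    M1 = client.respond(salt, B)           # client -> server: proof of K
    try:
        M2 = server.finish(M1)             # server -> client: proof of K
    except PermissionError:
        return False
    return client.verify(M2) and client.K == server.K


if __name__ == "__main__":
    print("correct password:", run_exchange(b"alice", b"demo-pass", b"demo-pass"))
    print("wrong password:  ", run_exchange(b"alice", b"demo-pass", b"guess"))
```

What the exchange shows: the values on the wire (A, B, salt, M1, M2) are all blinded by the fresh random exponents a and b, so an observer who records them cannot test candidate passwords against the transcript offline, which is exactly the property Yaron contrasts with the SASL mechanism registry. A wrong password yields a different S on the client side, the proof M1 fails the constant-time check, and the server never reveals anything that distinguishes "wrong password" from "wrong key". The stored verifier v is also not password-equivalent: stealing it does not let an attacker impersonate the client without first recovering x.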