Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation

Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 12 December 2010 07:28 UTC

Message-ID: <4D0479E3.4050508@gmail.com>
Date: Sun, 12 Dec 2010 09:29:39 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101208 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: Luke Howard <lukeh@padl.com>
References: <4D02AF81.6000907@stpeter.im> <p06240809c928635499e8@[10.20.30.150]> <ADDEC353-8DE6-408C-BC75-A50B795E2F6C@checkpoint.com> <78BD0B98-0F20-478B-85F1-DBB45691EB0D@padl.com>
In-Reply-To: <78BD0B98-0F20-478B-85F1-DBB45691EB0D@padl.com>
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, "pgut001@cs.auckland.ac.nz" <pgut001@cs.auckland.ac.nz>, Yoav Nir <ynir@checkpoint.com>, websec <websec@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation

Hi Luke,

I am not a big fan of EAP myself (although I am a co-author on Yoav's 
TLS-EAP), but no, for pragmatic reasons SASL is not the moral equivalent.

There are a number of EAP methods that provide zero-knowledge password 
based mutual authentication (i.e. password based auth that's *not* 
susceptible to dictionary attacks). These include (see 
http://www.iana.org/assignments/eap-numbers/eap-numbers.xml#eap-numbers-3): 
EAP-SRP-SHA1, EAP-pwd, EAP-EKE and EAP-SPEKE.

As far as I can see 
(http://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml), 
SASL does not provide any equivalent method.

Thanks,
	Yaron

On 12/12/2010 03:38 AM, Luke Howard wrote:
>
> On 12/12/2010, at 10:10 AM, Yoav Nir wrote:
>
>>
>> On Dec 11, 2010, at 1:09 AM, Paul Hoffman wrote:
>>
>>> At 3:53 PM -0700 12/10/10, Peter Saint-Andre wrote:
>>>> Other than that, I'm not aware of much activity. What have I missed?
>>>
>>> TLS client certificates.
>>
>> TLS client certificates work, but as we've learned both with the web and with IPsec clients, people would much rather not use them. A few IETFs ago (Chicago?), a bunch of us tried to push the idea of TLS with EAP authentication.
>>
>> http://tools.ietf.org/html/draft-nir-tls-eap
>
> Does draft-williams-tls-app-sasl-opt-04.txt + abfab get you the moral equivalent?
>
> -- Luke
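The dictionary-attack distinction Yaron draws, as an added example that is not part of the thread or of any of the drafts it cites: a minimal SRP-6a exchange (the PAKE behind EAP-SRP) run between an in-process client and server, next to the proof construction of SCRAM (RFC 5802, the strongest password mechanism on the SASL registry), with a passive attacker's offline dictionary attack run against the captured material of each. The group is the 1024-bit one from RFC 5054, Appendix A, and the code checks that it is a safe prime before using it. SHA-256 in place of SRP's and SCRAM's SHA-1, the user name, password, salt, auth message and word list are all constructed here for the demonstration, and the SCRAM function keeps only the proof arithmetic, not the message syntax.

```python
import hashlib
import hmac
import secrets

# 1024-bit SRP group from RFC 5054, Appendix A; g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NBYTES = (N.bit_length() + 7) // 8

def is_probable_prime(n, rounds=8):
    """Miller-Rabin for odd n > 3; used once to check that N is a safe prime."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

assert is_probable_prime(N) and is_probable_prime((N - 1) // 2), "N is not a safe prime"

def pad(x):
    return x.to_bytes(NBYTES, "big")

def H(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier

def srp_x(username, password, salt):
    # x = H(s | H(I ":" p)) as in RFC 2945; SHA-256 in place of SHA-1 is an assumption here
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def srp_register(username, password, salt):
    """Enrolment: the server stores (salt, v); the password never leaves the client."""
    return pow(g, srp_x(username, password, salt), N)

def srp_login(username, password, salt, v):
    """One SRP-6a run, client and server in-process. Returns the transcript an
    eavesdropper sees, both sides' keys, and whether mutual authentication held."""
    a = secrets.randbelow(N - 2) + 1                    # client ephemeral secret
    A = pow(g, a, N)                                    # client -> server: I, A
    if A % N == 0:
        raise ValueError("server aborts: degenerate A")
    b = secrets.randbelow(N - 2) + 1                    # server ephemeral secret
    B = (k * v + pow(g, b, N)) % N                      # server -> client: s, B
    if B % N == 0:
        raise ValueError("client aborts: degenerate B")
    u = H(pad(A), pad(B))
    x = srp_x(username, password, salt)
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)  # client side: needs a
    S_s = pow(A * pow(v, u, N) % N, b, N)                # server side: needs b
    K_c, K_s = hashlib.sha256(pad(S_c)).digest(), hashlib.sha256(pad(S_s)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K_c).digest()  # client -> server proof
    transcript = {"I": username, "s": salt, "A": A, "B": B, "M1": M1}
    if not hmac.compare_digest(M1, hashlib.sha256(pad(A) + pad(B) + K_s).digest()):
        return transcript, K_c, K_s, False               # server rejects, sends no M2
    M2 = hashlib.sha256(pad(A) + M1 + K_s).digest()      # server -> client proof
    transcript["M2"] = M2
    client_ok = hmac.compare_digest(M2, hashlib.sha256(pad(A) + M1 + K_c).digest())
    return transcript, K_c, K_s, client_ok

def scram_like_proof(password, salt, auth_message, iterations=4096):
    """SCRAM's proof construction (RFC 5802, with SHA-256), minus the message
    syntax: a deterministic function of the password and of values sent in clear."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", "sha256").digest()
    client_sig = hmac.new(hashlib.sha256(client_key).digest(), auth_message, "sha256").digest()
    return bytes(p ^ q for p, q in zip(client_key, client_sig))

def crack_scram_transcript(transcript, wordlist):
    """Passive attacker: recompute the proof for each guess and compare."""
    for guess in wordlist:
        proof = scram_like_proof(guess, transcript["s"], transcript["auth"], transcript["i"])
        if hmac.compare_digest(proof, transcript["proof"]):
            return guess
    return None

def crack_srp_verifier(username, salt, v, wordlist):
    """The SRP transcript gives a guess nothing to compare against (M1 depends on
    S, which needs a or b), but a leaked verifier file is crackable just like a
    leaked SCRAM StoredKey, so the salt and the cost of srp_x still matter."""
    for guess in wordlist:
        if pow(g, srp_x(username, guess, salt), N) == v:
            return guess
    return None
```

The asymmetry is visible in what each transcript contains. In the SCRAM case the proof is a pure function of the password, the salt, the iteration count and the nonces, all of which an eavesdropper has, so every guess can be tested offline at the cost of one PBKDF2 run. In the SRP case the password enters only through x, and x appears only inside exponents that are combined with the ephemeral a (client) or b (server); A, B and M1 are therefore consistent with every candidate password, and a passive attacker is reduced to one online guess per login attempt. The caveat in crack_srp_verifier is the one a practitioner should remember: the zero-knowledge property protects the wire, not the server's verifier store, which is why EAP-SRP deployments still need a good salt and a slow derivation for x.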