Re: [apps-discuss] [saag] [websec] [kitten] HTTP authentication: the next generation

Phillip Hallam-Baker <hallam@gmail.com> Sat, 08 January 2011 16:19 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: apps-discuss@core3.amsl.com
Delivered-To: apps-discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0B3AE28C13A; Sat, 8 Jan 2011 08:19:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.426
X-Spam-Level:
X-Spam-Status: No, score=-3.426 tagged_above=-999 required=5 tests=[AWL=0.172, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rv2k8-0ECqSB; Sat, 8 Jan 2011 08:19:36 -0800 (PST)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by core3.amsl.com (Postfix) with ESMTP id DD14728C116; Sat, 8 Jan 2011 08:19:34 -0800 (PST)
Received: by yxt33 with SMTP id 33so7991387yxt.31 for <multiple recipients>; Sat, 08 Jan 2011 08:21:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=P/kVq8JqTkbriAI2YHZ98j+IH6nPYaKiXLgMS1MrhJg=; b=gj3y71kH8mkwf9cxcnOrEcJQbI+UOFHppgDDPLZGHIdfFFp2xvOoVOpWrXtvD+yUkA +LKTe3Xre6ZFVGT3kLsOPfjpJ4+FCR/k4ryZHG6UBxHuR3hliF/G0Ra32UC7Ftq25kiT CSSObZqQKWywj3P9ZvOUXBi4SBO5ct7i6a2U8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=akVsGITiA3khO4gDCJU1IG1XlVTf0CvbBpjMaP9HTk7XT1qtjcDuiz08xafz+rqNOS +wqrQGZtiyzvfSjsGG6J0XLtD94i1iVJMpQmw12JwA00AmVcNDKtrDrIp3Wm4HuFW/B6 MyZXCnpieOCjP1JWjS/yGhBmH0vu4YVZLrxzI=
MIME-Version: 1.0
Received: by 10.101.67.16 with SMTP id u16mr15882518ank.1.1294503702896; Sat, 08 Jan 2011 08:21:42 -0800 (PST)
Received: by 10.100.31.8 with HTTP; Sat, 8 Jan 2011 08:21:42 -0800 (PST)
In-Reply-To: <AANLkTi=zX+8fd7yZYsOprnJeu7L63GW9L_RzZfFZnH6e@mail.gmail.com>
References: <4D02AF81.6000907@stpeter.im> <p06240809c928635499e8@10.20.30.150> <ADDEC353-8DE6-408C-BC75-A50B795E2F6C@checkpoint.com> <78BD0B98-0F20-478B-85F1-DBB45691EB0D@padl.com> <4D0479E3.4050508@gmail.com> <4D04D7D6.4090105@isode.com> <A23730A9-728B-4533-96D7-0B62496CC98A@checkpoint.com> <4D051731.1020400@isode.com> <2230EA03-32C5-4D34-BC6B-304E813BE3A7@gbiv.com> <AANLkTimWZz-uOQ3whayCgAzHRXJLWh7qYjiqW7h8-MK7@mail.gmail.com> <AANLkTik5wsudwLN=+KzvXoA4MStG2K72fA5giKd2NqGV@mail.gmail.com> <Pine.LNX.4.64.1101060802120.6107@egate.xpasc.com> <AANLkTi=zX+8fd7yZYsOprnJeu7L63GW9L_RzZfFZnH6e@mail.gmail.com>
Date: Sat, 08 Jan 2011 11:21:42 -0500
Message-ID: <AANLkTimL=VdmhWdk3Yi-P5gdiHOOd_JpcgFX_uvBo2=E@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Ben Laurie <benl@google.com>
Content-Type: multipart/alternative; boundary="00163662e65b5f211d049958212f"
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, David Morris <dwm@xpasc.com>, websec <websec@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Re: [apps-discuss] [saag] [websec] [kitten] HTTP authentication: the next generation
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Jan 2011 16:19:38 -0000

On Thu, Jan 6, 2011 at 1:16 PM, Ben Laurie <benl@google.com> wrote:

> On 6 January 2011 16:03, David Morris <dwm@xpasc.com> wrote:
> >
> >
> > On Thu, 6 Jan 2011, Ben Laurie wrote:
> >
> >> The answer to this problem is hard, since it brings us back to taking
> the UI
> >> out of the sites hands.
> >
> > Which is only helpful if you can somehow gaurantee that the user agent
> > software hasn't been compromised. Not something I'd bet on...
>
> That's rather overstating it. It's perfectly helpful when the UA
> software hasn't been compromised, which is a non-zero fraction of the
> time.
>
> When the UA s/w has been compromised I'm quite happy to fail to fix
> the problem: the right answer to that is to improve the robustness of
> the UA.


+1

If the UA is stuffed then the user is totally and utterly stuffed anyway.

In particular if the UA is stuffed then a forms based experience is just as
stuffed. If we are going to hypothecate attack models people have to be
willing to apply them to their preferred solution too.


The sensible approach is to work out how to stop the user from being stuffed
e.g.

 * Comodo's free Anti-Virus with Default Deny Protection (TM)
 * Use code signing + trustworthy computing
 * Use a restricted browser

Now I have a lot of ideas on how we can tackle these, but they are not
relevant to this debate.


I do however have a different take on the UI issue.

HTML forms did have an advantage over the pathetic UI that browsers provided
for BASIC and DIGEST (most don't even tell the user which is in use).

But a federated auth scheme supported at the HTTP level could be simpler
still. Instead of the user having to register for each site, they register
once. Instead of the user having to log in to each site they log in once per
session. Instead of the site having to manage lost passwords and forgotten
accounts because the user has hundreds, this problem does not exist.


It is a user interface crisis that is driving this need in my view.


-- 
Website: http://hallambaker.com/