Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation
Alexey Melnikov <alexey.melnikov@isode.com> Sun, 12 December 2010 14:09 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: apps-discuss@core3.amsl.com
Delivered-To: apps-discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C9AFD3A6DC1; Sun, 12 Dec 2010 06:09:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.804
X-Spam-Level:
X-Spam-Status: No, score=-102.804 tagged_above=-999 required=5 tests=[AWL=-0.205, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7RKNwzBRmOBT; Sun, 12 Dec 2010 06:09:08 -0800 (PST)
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by core3.amsl.com (Postfix) with ESMTP id ED60D3A6DBE; Sun, 12 Dec 2010 06:09:07 -0800 (PST)
Received: from [192.168.0.102] ((unknown) [109.73.6.25]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <TQTX4AAbxQ4q@rufus.isode.com>; Sun, 12 Dec 2010 14:10:42 +0000
X-SMTP-Protocol-Errors: NORDNS
Message-ID: <4D04D7D6.4090105@isode.com>
Date: Sun, 12 Dec 2010 17:10:30 +0300
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: en-us, en
To: Yaron Sheffer <yaronf.ietf@gmail.com>
References: <4D02AF81.6000907@stpeter.im> <p06240809c928635499e8@[10.20.30.150]> <ADDEC353-8DE6-408C-BC75-A50B795E2F6C@checkpoint.com> <78BD0B98-0F20-478B-85F1-DBB45691EB0D@padl.com> <4D0479E3.4050508@gmail.com>
In-Reply-To: <4D0479E3.4050508@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Sun, 12 Dec 2010 08:16:45 -0800
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, "pgut001@cs.auckland.ac.nz" <pgut001@cs.auckland.ac.nz>, Yoav Nir <ynir@checkpoint.com>, websec <websec@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, Luke Howard <lukeh@padl.com>, "saag@ietf.org" <saag@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Dec 2010 14:09:10 -0000
Yaron Sheffer wrote: > Hi Luke, > > I am not a big fan of EAP myself (although I am a co-author on Yoav's > TLS-EAP), but no, for pragmatic reasons SASL is not the moral equivalent. > > There is a number of EAP methods that provide zero-knowledge password > based mutual authentication (i.e. password based auth that's *not* > susceptible to dictionary attacks). These include (see > http://www.iana.org/assignments/eap-numbers/eap-numbers.xml#eap-numbers-3) > EAP-SRP-SHA1, EAP-pwd, EAP-EKE and EAP-SPEKE. > > As far as I can see > (http://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml) > SASL does not provide any equivalent method. There is an expired SASL SRP draft, which can be revived, if needed. > Thanks, > Yaron > > On 12/12/2010 03:38 AM, Luke Howard wrote: > >> On 12/12/2010, at 10:10 AM, Yoav Nir wrote: >> >>> On Dec 11, 2010, at 1:09 AM, Paul Hoffman wrote: >>> >>>> At 3:53 PM -0700 12/10/10, Peter Saint-Andre wrote: >>>> >>>>> Other than that, I'm not aware of much activity. What have I missed? >>>> >>>> >>>> TLS client certificates. >>> >>> >>> TLS client certificates work, but as we've learned both with the web >>> and with IPsec clients, people would much rather not use them. A few >>> IETFs ago (Chicago?), a bunch of us tried to push the idea of TLS >>> with EAP authentication. >>> >>> http://tools.ietf.org/html/draft-nir-tls-eap >> >> >> Does draft-williams-tls-app-sasl-opt-04.txt + abfab get you the moral >> equivalent? >> >> -- Luke >
- Re: [apps-discuss] HTTP authentication: the next … Mark Nottingham
- [apps-discuss] HTTP authentication: the next gene… Peter Saint-Andre
- Re: [apps-discuss] [saag] HTTP authentication: th… Paul Hoffman
- Re: [apps-discuss] [kitten] HTTP authentication: … Nicolas Williams
- Re: [apps-discuss] [saag] HTTP authentication: th… Henry B. Hotz
- Re: [apps-discuss] [websec] HTTP authentication: … Marsh Ray
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Josh Howlett
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Alexey Melnikov
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Josh Howlett
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Luke Howard
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Yaron Sheffer
- Re: [apps-discuss] [saag] HTTP authentication: th… Yoav Nir
- Re: [apps-discuss] [saag] HTTP authentication: th… Yoav Nir
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Yoav Nir
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Yoav Nir
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Alexey Melnikov
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Eliot Lear
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Roy T. Fielding
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Dave Cridland
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Dave Cridland
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Eliot Lear
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Carsten Bormann
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Eliot Lear
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Dave Cridland
- Re: [apps-discuss] [websec] HTTP authentication: … Julian Reschke
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Adrien de Croy
- Re: [apps-discuss] [saag] [kitten] HTTP authentic… Alan DeKok
- Re: [apps-discuss] [websec] [saag] HTTP authentic… Ben Laurie
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Dave Raggett
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Marsh Ray
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Tim Morgan
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Yaron Sheffer
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Yoav Nir
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Yoav Nir
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Yoav Nir
- Re: [apps-discuss] [http-auth] [websec] [saag] [k… Henry B. Hotz
- Re: [apps-discuss] [http-auth] [websec] [saag] HT… Henry B. Hotz
- Re: [apps-discuss] [websec] [saag] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Nicolas Williams
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Nicolas Williams
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Steven Bellovin
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … John C Klensin
- Re: [apps-discuss] [http-auth] [websec] HTTP auth… Tim Morgan
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … John C Klensin
- Re: [apps-discuss] [saag] [kitten] HTTP authentic… Joel Jaeggli
- Re: [apps-discuss] [http-auth] [saag] [websec] [k… Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … der Mouse
- Re: [apps-discuss] [http-auth] [saag] [websec] [k… der Mouse
- Re: [apps-discuss] [http-auth] [saag] [websec] [k… Tim
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Adrien de Croy
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Nathan
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Adrien de Croy
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Josh Howlett
- Re: [apps-discuss] [websec] [saag] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Jeffrey Hutzelman
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Ben Laurie
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … David Morris
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Robert Sayre
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Tim
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [websec] [saag] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … der Mouse
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Blaine Cook
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [http-auth] [saag] [websec] [k… Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Blaine Cook
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Blaine Cook
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Theodore Tso