Re: [apps-discuss] [saag] [websec] [kitten] HTTP authentication: the next generation

Phillip Hallam-Baker <> Wed, 22 December 2010 18:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0ADE23A6A5E; Wed, 22 Dec 2010 10:09:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.802
X-Spam-Status: No, score=-2.802 tagged_above=-999 required=5 tests=[AWL=-0.404, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_36=0.6, J_CHICKENPOX_48=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bOAdsWMLNZPB; Wed, 22 Dec 2010 10:09:50 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id B4FF63A6909; Wed, 22 Dec 2010 10:09:49 -0800 (PST)
Received: by yxt33 with SMTP id 33so2525129yxt.31 for <multiple recipients>; Wed, 22 Dec 2010 10:11:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=mgKG9c/gWb6yXrkNacHqTGcIIEx1fZwdJJ2oemn7EBE=; b=ouWRplaVcxdpWHtQknwuz/4RfsDgTv5PCyZYgV/Z0CrvuSBUxfEbCSs8pRscEu9eW7 IEyno24F4oT8WrMwQyUvldBSOKDnnd7XNxy8CgXOwzEZJs2TqNws4T4Y8/63HMEABJoC YGPtV2ct38z60i8WYDotABc42sBc2aAounMSo=
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=V2DkssJFO1EzI+GoRXLSjxB86w5n3uEIPiCbjDvXvrY+LuKGwndt4k2QGQs/lditlp HXviFBtABeaLsqWoEkDQPgB6Au503ToQdEGp1LZVRamJlJbNVmH/9aepavlxD/883VUV WPVKauUGDFpkeGle8otm8Z0snefpwPfQ16vgE=
MIME-Version: 1.0
Received: by with SMTP id t1mr4377735anb.137.1293041508118; Wed, 22 Dec 2010 10:11:48 -0800 (PST)
Received: by with HTTP; Wed, 22 Dec 2010 10:11:47 -0800 (PST)
In-Reply-To: <>
References: <> <p06240809c928635499e8@> <> <> <> <> <> <> <> <> <2229.1292235952.971571@puncture> <> <2229.1292239384.281779@puncture> <> <2229.1292253372.639419@puncture> <> <1292958219.2800.22.camel@destiny> <>
Date: Wed, 22 Dec 2010 18:11:47 +0000
Message-ID: <>
From: Phillip Hallam-Baker <>
To: Jeffrey Hutzelman <>
Content-Type: multipart/alternative; boundary="0016e644caf0c57c01049803af96"
Cc: General discussion of application-layer protocols <>, websec <>, Common Authentication Technologies - Next Generation <>, "" <>, "" <>, " Group" <>
Subject: Re: [apps-discuss] [saag] [websec] [kitten] HTTP authentication: the next generation
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 22 Dec 2010 18:09:52 -0000

[We seem to have dropped off the mailing lists, Jeffrey suggested I post
this which shows where we ended up.]

On Wed, Dec 22, 2010 at 3:02 AM, Jeffrey Hutzelman <>wrote:

> On Wed, 2010-12-22 at 02:08 +0000, Phillip Hallam-Baker wrote:
> > No, there is no reliance on DNSSEC here, ideally the relationship is
> > authenticated end-to-end using an EV cert.
> >
> >
> > DNSSEC would be acceptable however.
> >
> I don't follow.  Your example shows an advertisement to service
> providers that users from can be authenticated to the SP by
> using one of two authentication services.

Yes, it is assumed that there is some means of authenticating this binding,
I did not specify what.

>  Unless I'm misunderstanding
> you, this is about how the SP knows who to trust, and _not_ about how
> the user's software talks to the user's identity provider.  Thus EV is
> really mostly irrelevant, since EV is about being able to make claims
> that are really only meaningful when the relying party is controlled by
> a human (the green bar is pretty, but I've yet to see an email server
> that evaluates users' credentials on the basis of what color location
> bar it sees).

You do not understand the purpose of EV then.

EV is about accountability. The green bar is displayed because the issuer
applied validation practices that ensure a measure of accountability.

> So, to accept a user's credentials, the SP needs to know two things:
> 1) Is the assertion of user identity authentic?
> 2) Does the assertion of user identity come from an authorized entity?
> The answer to (1) is provided by the authentication protocol in use,
> which may well be public-key based.  But that's not the part I'm worried
> about.
> I am worried about (2).  You show an example of one way to answer part
> or all of (2).  But you don't show how that answer is itself
> authenticated.  DNSSEC is certainly an acceptable answer to that, modulo
> a whole bunch of conditions and issues that I'm willing to handwave
> away, for now.  But I don't think it can be the _only_ answer, for
> reasons I've already raised.  So, what's the other answer?

If there is a federated mechanism, there is going to have to be some
registry of federation points available somewhere. We could use
fred#facebook, jim#google and so on. But if there are friendly user
identifiers and multiple auth providers there are going to be multiple
repositories to disambiguate.

So there is going to be some PKI involved however you do it.

My preference is to use DNS for the signaling layer and DNSSEC to
authenticate the in-zone data. How you authenticate the server when you
arrive at it is another matter entirely.

My view is that authentication providers should be considered to require
substantial levels of infrastructure and planning. I totally reject the view
floated in OpenID that it should be a design requirement that some fred in a
shed can whack an authentication provider together from some Perl scripts
without even bothering to upgrade to a recent version of perl.

> >         I'd be much happier to see a model wherein, at registration
> >         time, I tell
> >         a service my public key, and then it uses public-key
> >         cryptography to
> >         authenticate me in the future.  Unfortunately, there are a
> >         number of
> >         practical problems there, such as dealing with multiple
> >         clients per
> >         user, kiosks, reinstalling machines, stolen credentials, etc.,
> >         and it's
> >         really preferable to avoid having every service provider deal
> >         with those
> >         issues, rather than a much smaller number of authentication
> >         providers.
> >
> > Raw public keys work less well than people think here.
> >
> Raw public keys, usually wrapped in the completely unnecessary trappings
> of a self-signed certificate, work surprisingly well in a wide variety
> of circumstances.  But they basically require first-order one-to-one
> relationships between every client and every service provider, with all
> the trappings required to deal with loss or compromise of the key, and
> that simply doesn't scale to the Internet.

CardSpace works perfectly well as a method of authenticating the client to
the authentication service. Less well as a means of federated

Various people have proposed 'CardSpace' in the cloud. Which sounds really
convincing until you realize that they have not thought the problem through
at all.

> > To make a binding to a person you need infrastructure like I am
> > describing here.
> >
> Not necessarily.  I could imagine an infrastructure in which a user
> authenticates to some key-management service, which then hands the user
> his private key (the key belongs to the user, not the key-management
> service, so revealing it to the user is OK).  The user then uses that
> key for authentication with whatever other services he wants.  In fact,
> to services other than the key-management service, this is
> indistinguishable from the user having had the key all along.  Of
> course, it does involve the user handing his private key to some other
> service, which has its own problems.

I don't like that approach because in my view a private key is something
that should only ever exist in one place where it is created and later

I prefer an approach where the client-authentication provider authentication
uses whatever tool is best and then the authentication provider supplies
some form of token that can be used for authentication to at least one third

That token could use public key, but symmetric is sufficient and more