Re: HTTP Mutual-auth proposal status / HTTP AUTH meet-up in Anaheim?
Anthony Bryan <anthonybryan@gmail.com> Thu, 24 December 2009 20:48 UTC
Return-Path: <anthonybryan@gmail.com>
X-Original-To: apps-discuss@core3.amsl.com
Delivered-To: apps-discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 237483A6828 for <apps-discuss@core3.amsl.com>; Thu, 24 Dec 2009 12:48:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.529
X-Spam-Level:
X-Spam-Status: No, score=-3.529 tagged_above=-999 required=5 tests=[AWL=-0.930, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2t9x-sEa1Ejw for <apps-discuss@core3.amsl.com>; Thu, 24 Dec 2009 12:48:12 -0800 (PST)
Received: from mail-iw0-f195.google.com (mail-iw0-f195.google.com [209.85.223.195]) by core3.amsl.com (Postfix) with ESMTP id C45E83A659B for <apps-discuss@ietf.org>; Thu, 24 Dec 2009 12:48:12 -0800 (PST)
Received: by iwn33 with SMTP id 33so5886795iwn.29 for <apps-discuss@ietf.org>; Thu, 24 Dec 2009 12:47:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=GBdiAVRXe4AZiiUhcXO5h5IgUVuhMKoevzz316RzY+g=; b=Cuq+9sxcabiqRF30mZiBV+6gCZC3yAqhPc3+8aQUoXJuklpg4P3DwBiPX2UEnTpLPD mr6inadHiBFrECjCzmV4cEpR7H+IW/6NoH+8Phk9yqqIHZWrcBzug99gIhNA4fl0KzdA MeZ4LonniMdSb2ZpZVi4dqGhItZgbQ3tcgGBU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=c2nb8WTDYHWacgYYlPJbv+LVt5ghmcvtlkOawELXouSNCUkL/E6E+iF7sGXiz6muwy U0CvAFEZQD1dUXZp37Kuei5IJ4LRJI3FXenVdZL7NPwDysJrWMz+yd1odm6APyyrtrUr D9HiJZRRldzPKVNfRHbG7kAnCeXNllLBiP+Go=
MIME-Version: 1.0
Received: by 10.231.190.83 with SMTP id g61mr816721iba.6.1261687671550; Thu, 24 Dec 2009 12:47:51 -0800 (PST)
In-Reply-To: <87skb0lifl.fsf@bluewind.rcis.aist.go.jp>
References: <87skb0lifl.fsf@bluewind.rcis.aist.go.jp>
Date: Thu, 24 Dec 2009 15:47:51 -0500
Message-ID: <bb9e09ee0912241247g7924305kc5098909eb92f4d1@mail.gmail.com>
Subject: Re: HTTP Mutual-auth proposal status / HTTP AUTH meet-up in Anaheim?
From: Anthony Bryan <anthonybryan@gmail.com>
To: y.oiwa@aist.go.jp
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: ietf-http-wg@w3.org, apps-discuss@ietf.org
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Dec 2009 20:48:42 -0000
On Thu, Dec 24, 2009 at 6:28 AM, Yutaka OIWA <y.oiwa@aist.go.jp> wrote: > > Our proposed draft spec is available from > <http://tools.ietf.org/html/draft-oiwa-http-mutualauth-05>. > We put a preprint paper on our concept at ArXiv > <http://arxiv.org/abs/0911.5230>, > and a presentation in a past httpbis WG is also available from > <http://tools.ietf.org/agenda/74/slides/httpbis-3.pdf>, > I appreciate your reading and comments on those documents. Hi Yutaka, I can not comment on the technical nature of your draft, but have a few suggestions that might make some sentences flow better. I capitalized words that I changed to draw notice to them, but these would be lowercase in the corrected text. Since I am not that familiar with what you are doing, make sure that these suggestions do not change the intended meaning of your text. They are mostly number or tense changes. 4.6 and 5, p17 diagram, INPUTTED not inputed Unlike THE Basic and Digest HTTP access authentication protocol [RFC2617], THIS protocol ensures that THE server knows the user's entity (encrypted password) upon successful authentication. ...successful authentication to steal THE user's sensitive information, THIS protocol prevents such attacks by providing users a way to... If there is no matching user found, the server SHOULD construct a fake w_B value, and let the protocol GO ON? CONTINUE? by sending A 401-B1 message. If the validation has failed, it means that the authentication has failed. (remove BEEN from has been failed) In a response to a req-B1 message, when C has received a 401-B0 message, it means that the authentication has failed, possibly due to the wrong password BEING given. (remove BEEN from has been failed, remove THAT from due to that the wrong password, change has been given to BEING given) If the verification has SUCCEEDED, C will process the body of the message. Both peers SHOULD reject any invalid UTF-8 sequences which CAUSE decoding ambiguities * C HAS not sent the same value in the same session. Step 7: Check whether there is an available sid for the authentication realm you EXPECT. Any kind of response OTHER than THOSE shown in THE above procedure SHOULD be interpreted as fatal communication error, and in such cases user clients MUST NOT process any data (contents and other content-related headers) sent from the server. 7.1 The value of this field MUST be a string THAT contains an absolute URL location. use of this header with 200-optional-B0 messages IS not recommended. 7.2 The value of this field MUST be a string THAT contains an absolute URL location. This FIELD SHOULD only be used with 200-B4 messages. 7.3 This FIELD will be used with 200-B4 messages. If this condition DOES not hold, the server MUST retry with another value of s_B. Just like Basic and Digest access authentication protocol, Mutual authentication protocol supports multiple, separate authentication realms to be set up inside each HOST. Depending on the "path" parameters given in the "401-B1" message (see Section 4), There may be several CANDIDATES... (lowercase there) In this case, it is difficult for the authenticating server to acquire the TLS key information which IS? used between the client and the proxy. In the Mutual authentication protocol, a session represented by a sid is generated by... (lowecase by) The client MAY send more than one REQUEST using a single session specified by the sid. In addition, for each SESSION,... When the user INPUTS the username and password, the client resends the request with a req-A1 header. If the validation FAILS?, the client MUST NOT process any content sent with the message, including the body part. If user-names have to BE kept secret against eavesdropping, the server must use full-scheme-type auth-domain parameter. Server-side STORAGE of user passwords IS advised... -- (( Anthony Bryan ... Metalink [ http://www.metalinker.org ] )) Easier, More Reliable, Self Healing Downloads