Re: [apps-discuss] [saag] HTTP authentication: the next generation

"Henry B. Hotz" <hotz@jpl.nasa.gov> Sat, 11 December 2010 02:58 UTC

From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
In-Reply-To: <4D02AF81.6000907@stpeter.im>
Date: Fri, 10 Dec 2010 18:59:49 -0800
Message-Id: <F43F12F2-9076-44E5-9058-99BE762E16B6@jpl.nasa.gov>
References: <4D02AF81.6000907@stpeter.im>
To: Peter Saint-Andre <stpeter@stpeter.im>
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, "websec@ietf.org" <websec@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Re: [apps-discuss] [saag] HTTP authentication: the next generation

On Dec 10, 2010, at 2:53 PM, Peter Saint-Andre wrote:

> Is it time to start thinking about next-generation authentication
> technologies for HTTP?

> 1. Way back in 2001, Keith Burdis wrote an I-D about upgrading to SASL
> within HTTP: http://tools.ietf.org/id/draft-burdis-http-sasl-00.txt

I think http://tools.ietf.org/html/draft-williams-tls-app-sasl-opt-04 is the most recent iteration on the concept.  This is at the TLS layer, not the http layer.

As Paul Hoffman said, X.509 client certs.  In fact, one could argue that's the traditional solution and that software support is already widely available.  Some organizations make this more practical by issuing the client certs with KX509.  http://tools.ietf.org/search/draft-hotz-kx509-01 (-; Comments are still desired! ;-)

http://tools.ietf.org/html/rfc4559 (Microsoft's HTTP Negotiate).  Note that W7/2K8 add channel binding to that, but it's an incompatible upgrade, so it may not get the use it should.

There is also active work in the abfab wg which is related.  Please try to synergise, not compete with that work.

SAML Web-SSO

----

IMO there are already enough options which don't do channel binding with the enclosing TLS session.  I believe any solution you propose should either do that, or should operate as part of TLS itself.

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu