Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation

Yoav Nir <ynir@checkpoint.com> Sun, 12 December 2010 08:40 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: 'Josh Howlett' <Josh.Howlett@ja.net>, Yaron Sheffer <yaronf.ietf@gmail.com>, Luke Howard <lukeh@padl.com>
Date: Sun, 12 Dec 2010 10:41:23 +0200
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, "pgut001@cs.auckland.ac.nz" <pgut001@cs.auckland.ac.nz>, websec <websec@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

To quote from Abfab's charter:

    This working group will specify a federated identity mechanism for use by other Internet protocols not based on HTML/HTTP,

For just adding authentication to HTTP, I don't think it makes sense to add federation. All kinds of services such as web mail, online gaming, and online shopping require authentication, but there's no federation involved. 

-----Original Message-----
From: Josh Howlett [mailto:Josh.Howlett@ja.net] 
Sent: 12 December 2010 10:30
To: Yaron Sheffer; Luke Howard
Cc: apps-discuss@ietf.org; pgut001@cs.auckland.ac.nz; Yoav Nir; websec; Paul Hoffman; kitten@ietf.org; http-auth@ietf.org; saag@ietf.org; Hannes Tschofenig; Josh Howlett; ietf-http-wg@w3.org Group
Subject: Re: [kitten] [saag] HTTP authentication: the next generation

AbFab is defining a GSS EAP mechanism that can encapsulate the EAP methods you mention. This mechanism could be run over SASL-TLS using GS2.

Josh.

--- original message ---
From: "Yaron Sheffer" <yaronf.ietf@gmail.com>
Subject: Re: [kitten] [saag] HTTP authentication: the next generation
Date: 12th December 2010
Time: 7:36:41 am


Hi Luke,

I am not a big fan of EAP myself (although I am a co-author on Yoav's TLS-EAP), but no, for pragmatic reasons SASL is not the moral equivalent.

There are a number of EAP methods that provide zero-knowledge password-based mutual authentication (i.e. password-based auth that's *not* susceptible to dictionary attacks). These include EAP-SRP-SHA1, EAP-pwd, EAP-EKE and EAP-SPEKE (see http://www.iana.org/assignments/eap-numbers/eap-numbers.xml#eap-numbers-3).

As far as I can see (http://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml), SASL does not provide any equivalent method.

Thanks,
        Yaron

On 12/12/2010 03:38 AM, Luke Howard wrote:
>
> On 12/12/2010, at 10:10 AM, Yoav Nir wrote:
>
>>
>> On Dec 11, 2010, at 1:09 AM, Paul Hoffman wrote:
>>
>>> At 3:53 PM -0700 12/10/10, Peter Saint-Andre wrote:
>>>> Other than that, I'm not aware of much activity. What have I missed?
>>>
>>> TLS client certificates.
>>
>> TLS client certificates work, but as we've learned both with the web and with IPsec clients, people would much rather not use them. A few IETFs ago (Chicago?), a bunch of us tried to push the idea of TLS with EAP authentication.
>>
>> http://tools.ietf.org/html/draft-nir-tls-eap
>
> Does draft-williams-tls-app-sasl-opt-04.txt + abfab get you the moral equivalent?
>
> -- Luke



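Yaron's message in this thread names EAP-SRP-SHA1 among the EAP methods whose password-based mutual authentication is not open to offline dictionary attacks. The following is an added illustration, not code from the thread or from any EAP or SASL implementation: a compact SRP-6a exchange in Python in which the server stores only a salt and verifier, both sides derive a session key and prove possession of it to each other, and a wrong password is rejected. It uses SHA-256 rather than the SHA-1 of the EAP method name, a deliberately tiny 11-bit group (an assumption for the demo; real deployments use an RFC 5054 group), and constructed usernames and passwords.

```python
import hashlib
import secrets
# Toy group: N = 1907 is a safe prime (q = 953) and g = 2 generates it; use an RFC 5054 group for real use.
N, g = 1907, 2

def H(*parts) -> int:  # hash ints (big-endian) and bytes together, return the digest as an int
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else p.to_bytes((p.bit_length() + 7) // 8 or 1, "big"))
    return int.from_bytes(h.digest(), "big")
k = H(N, g)  # SRP-6a multiplier

def private_x(username: bytes, password: bytes, salt: bytes) -> int:
    return H(salt, H(username + b":" + password))

def enroll(username: bytes, password: bytes):  # server keeps (salt, verifier), never the password
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)

def server_start(v: int):
    while True:  # redraw b if B lands on 0, which the client is required to reject
        b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, b, N)) % N
        if B != 0:
            return b, B

def client_finish(username, password, salt, a, A, B):
    if B % N == 0:
        raise ValueError("bad server public value")
    x, u = private_x(username, password, salt), H(A, B)
    K = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))  # client's session key
    return K, H(A, B, K)  # K and client proof M1

def server_finish(v, b, A, B, M1):
    if A % N == 0:
        raise ValueError("bad client public value")
    K = H(pow(A * pow(v, H(A, B), N) % N, b, N))  # server's session key
    if H(A, B, K) != M1:
        raise ValueError("client proof failed: wrong password or tampered transcript")
    return K, H(A, M1, K)  # K and server proof M2

def run_exchange(username, attempt, salt, v) -> bool:  # True only if both proofs verify
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    b, B = server_start(v)
    K_c, M1 = client_finish(username, attempt, salt, a, A, B)
    try:
        K_s, M2 = server_finish(v, b, A, B, M1)
    except ValueError:
        return False
    return K_c == K_s and H(A, M1, K_c) == M2
```

Only A, B, M1 and M2 cross the wire; the verifier and the password-derived x never leave their side, which is the property that separates this family from the challenge-response SASL mechanisms Yaron contrasts it with.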