Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation

Josh Howlett <Josh.Howlett@ja.net> Sun, 12 December 2010 09:15 UTC

From: Josh Howlett <Josh.Howlett@ja.net>
To: Yoav Nir <ynir@checkpoint.com>, Yaron Sheffer <yaronf.ietf@gmail.com>, Luke Howard <lukeh@padl.com>
Date: Sun, 12 Dec 2010 09:16:58 +0000
Message-ID: <FjnZpRq2xXW0@2FZ3bJc9>
Cc: Josh Howlett <Josh.Howlett@ja.net>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, "pgut001@cs.auckland.ac.nz" <pgut001@cs.auckland.ac.nz>, websec <websec@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation

Right, HTTP authentication is out of Abfab's scope. My point was that Abfab is doing stuff that may nonetheless be useful for some other effort looking at the problem.

I agree with your observation re federation, but note that EAP authentication does not imply federation.

Josh.

--- original message ---
From: "Yoav Nir" <ynir@checkpoint.com>
Subject: RE: [kitten] [saag] HTTP authentication: the next generation
Date: 12th December 2010
Time: 8:42:08 am


To quote from Abfab's charter:

    This working group will specify a federated identity
    mechanism for use by other Internet protocols not based on HTML/HTTP,

For just adding authentication to HTTP, I don't think it makes sense to add federation. All kinds of services such as web mail, online gaming, and online shopping require authentication, but there's no federation involved.

-----Original Message-----
From: Josh Howlett [mailto:Josh.Howlett@ja.net]
Sent: 12 December 2010 10:30
To: Yaron Sheffer; Luke Howard
Cc: apps-discuss@ietf.org; pgut001@cs.auckland.ac.nz; Yoav Nir; websec; Paul Hoffman; kitten@ietf.org; http-auth@ietf.org; saag@ietf.org; Hannes Tschofenig; Josh Howlett; ietf-http-wg@w3.org Group
Subject: Re: [kitten] [saag] HTTP authentication: the next generation

AbFab is defining a GSS EAP mechanism that can encapsulate the EAP methods you mention. This mechanism could be run over SASL-TLS using GS2.

Josh.

--- original message ---
From: "Yaron Sheffer" <yaronf.ietf@gmail.com>
Subject: Re: [kitten] [saag] HTTP authentication: the next generation
Date: 12th December 2010
Time: 7:36:41 am


Hi Luke,

I am not a big fan of EAP myself (although I am a co-author on Yoav's TLS-EAP), but no, for pragmatic reasons SASL is not the moral equivalent.

There are a number of EAP methods that provide zero-knowledge password based mutual authentication (i.e. password based auth that's *not* susceptible to dictionary attacks). These include (see
http://www.iana.org/assignments/eap-numbers/eap-numbers.xml#eap-numbers-3)
EAP-SRP-SHA1, EAP-pwd, EAP-EKE and EAP-SPEKE.

As far as I can see
(http://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml)
SASL does not provide any equivalent method.

Thanks,
        Yaron

On 12/12/2010 03:38 AM, Luke Howard wrote:
>
> On 12/12/2010, at 10:10 AM, Yoav Nir wrote:
>
>>
>> On Dec 11, 2010, at 1:09 AM, Paul Hoffman wrote:
>>
>>> At 3:53 PM -0700 12/10/10, Peter Saint-Andre wrote:
>>>> Other than that, I'm not aware of much activity. What have I missed?
>>>
>>> TLS client certificates.
>>
>> TLS client certificates work, but as we've learned both with the web and with IPsec clients, people would much rather not use them. A few IETFs ago (Chicago?), a bunch of us tried to push the idea of TLS with EAP authentication.
>>
>> http://tools.ietf.org/html/draft-nir-tls-eap
>
> Does draft-williams-tls-app-sasl-opt-04.txt + abfab get you the moral equivalent?
>
> -- Luke
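The SRP family Yaron names is the kind of method he says SASL lacks; as an added example that is not from any of the posts above, here is a minimal SRP-6a exchange in pure Python (group from RFC 5054 Appendix A, SHA-1 as in EAP-SRP-SHA1; the identity, password and salt are constructed sample values) showing the server authenticating the client from a stored verifier alone, and a wrong password failing.

```python
# Added example, not from the thread: SRP-6a with the RFC 5054 1024-bit
# group. The server stores only (salt, verifier); the password never
# crosses the wire, and both sides end with the same session key.
import hashlib
import secrets

# 1024-bit safe prime from RFC 5054 Appendix A, generator g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2

def H(*parts: bytes) -> int:
    """SHA-1 over the concatenated inputs, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")

def pad(n: int) -> bytes:
    return n.to_bytes((N.bit_length() + 7) // 8, "big")  # left-pad to |N|

k = H(pad(N), pad(g))  # SRP-6a multiplier

def make_verifier(identity: bytes, password: bytes, salt: bytes) -> int:
    """Enrolment: x = H(s | H(I ':' P)), v = g^x; the server keeps (s, v)."""
    x = H(salt, hashlib.sha1(identity + b":" + password).digest())
    return pow(g, x, N)

def srp_exchange(identity: bytes, password: bytes, salt: bytes, verifier: int):
    """Run both sides; return the client's session key, or None on failure."""
    a = secrets.randbelow(N)                 # client ephemeral secret
    A = pow(g, a, N)                         # client -> server
    b = secrets.randbelow(N)                 # server ephemeral secret
    B = (k * verifier + pow(g, b, N)) % N    # server -> client (with salt)
    u = H(pad(A), pad(B))                    # scrambling parameter
    # Client: recomputes x from the password and derives S = (B - k g^x)^(a + u x)
    x = H(salt, hashlib.sha1(identity + b":" + password).digest())
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_c = hashlib.sha1(pad(S_c)).digest()
    M1 = hashlib.sha1(pad(A) + pad(B) + K_c).digest()   # client proof
    # Server: derives S = (A v^u)^b from the verifier only, then checks M1
    S_s = pow(A * pow(verifier, u, N) % N, b, N)
    K_s = hashlib.sha1(pad(S_s)).digest()
    if not secrets.compare_digest(M1, hashlib.sha1(pad(A) + pad(B) + K_s).digest()):
        return None                          # wrong password: server rejects
    M2 = hashlib.sha1(pad(A) + M1 + K_s).digest()        # server proof
    ok = secrets.compare_digest(M2, hashlib.sha1(pad(A) + M1 + K_c).digest())
    return K_c if ok else None               # client verifies the server too
```

The proof messages here are the simplified H(A|B|K) form; RFC 2945 binds additional values (H(N) xor H(g), H(I), s) into M1.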

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG

