Re: [bfcpbis] Kathleen Moriarty's No Objection on draft-ietf-bfcpbis-bfcp-websocket-14: (with COMMENT)
"Ram Mohan R (rmohanr)" <rmohanr@cisco.com> Mon, 30 January 2017 15:12 UTC
From: "Ram Mohan R (rmohanr)" <rmohanr@cisco.com>
To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, The IESG <iesg@ietf.org>
Date: Mon, 30 Jan 2017 15:12:00 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/bfcpbis/IFptMQ3OiN1RY8qjayXgrSoqLEY>
Cc: "bfcpbis@ietf.org" <bfcpbis@ietf.org>, "draft-ietf-bfcpbis-bfcp-websocket@ietf.org" <draft-ietf-bfcpbis-bfcp-websocket@ietf.org>, "Charles Eckel (eckelcu)" <eckelcu@cisco.com>, "bfcpbis-chairs@ietf.org" <bfcpbis-chairs@ietf.org>
Subject: Re: [bfcpbis] Kathleen Moriarty's No Objection on draft-ietf-bfcpbis-bfcp-websocket-14: (with COMMENT)

Hi Kathleen,

Please see inline

-----Original Message-----
From: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
Date: Thursday, 19 January 2017 at 1:10 AM
To: The IESG <iesg@ietf.org>
Cc: "draft-ietf-bfcpbis-bfcp-websocket@ietf.org" <draft-ietf-bfcpbis-bfcp-websocket@ietf.org>, "Charles Eckel (eckelcu)" <eckelcu@cisco.com>, "bfcpbis-chairs@ietf.org" <bfcpbis-chairs@ietf.org>, "Charles Eckel (eckelcu)" <eckelcu@cisco.com>, "bfcpbis@ietf.org" <bfcpbis@ietf.org>
Subject: Kathleen Moriarty's No Objection on draft-ietf-bfcpbis-bfcp-websocket-14: (with COMMENT)
Resent-From: <alias-bounces@ietf.org>
Resent-To: <anton.roman@quobis.com>, <stephane.cazeaux@orange.com>, <gsalguei@cisco.com>, <sergio.garcia.murillo@gmail.com>, <rmohanr@cisco.com>, <victor.pascual.avila@oracle.com>
Resent-Date: Thursday, 19 January 2017 at 1:10 AM

Kathleen Moriarty has entered the following ballot position for
draft-ietf-bfcpbis-bfcp-websocket-14: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-bfcpbis-bfcp-websocket/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I agree with Alexey's comment on section 8. If fallback to HTTP
authentication happens, the implementer should be aware of the weaknesses
in HTTP basic [RFC7617] and digest [RFC7616] spelled out in the respective
security considerations sections. The HTTPAuth WG put out a few
experimental RFCs with methods to eliminate some of the weaknesses, like
HOBA [RFC7486] that gets rid of the need for passwords. Adding this detail
would be helpful.

<Ram> Does this text look OK?

EXISTING:
If the status code received from the server is not 101, the WebSocket
client stack handles the response per HTTP [RFC7230] procedures, in
particular the client might perform authentication if it receives 401
status code.

NEW:
If the status code received from the server is not 101, the WebSocket
client stack handles the response per HTTP [RFC7230] procedures, in
particular the client might perform authentication if it receives 401
status code. The WebSocket clients are vulnerable to the attacks of basic
authentication (mentioned in Section 4 of [RFC7617]) and digest
authentication (mentioned in Section 5 of [RFC7616]). To overcome some of
these weaknesses, the WebSocket clients can use HTTP Origin-Bound
Authentication (HOBA) mechanism mentioned in [RFC7486].
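
The handshake handling discussed in this message, as an added example that is not part of the thread or the draft: a client-side decision function for a non-101 reply that parses the `WWW-Authenticate` challenges on a 401 and prefers HOBA over Digest over Basic. The ranking policy, the rule that Basic and MD5 Digest are only answered over `wss://`, the function names and the sample header values are all assumptions made for illustration.

```javascript
// Added example; scheme ranking and all names are assumptions, samples are constructed.
// Split a header value on commas that sit outside quoted strings.
const splitOutsideQuotes = (v) =>
  (v.match(/(?:"(?:\\.|[^"\\])*"|[^,"])+/g) || []).map((p) => p.trim()).filter(Boolean);

// Parse WWW-Authenticate values into [{ scheme, params }]; one value may hold several challenges.
function parseChallenges(headerValues) {
  const challenges = [];
  const param = /^([^\s=",]+)\s*=\s*(.*)$/;
  const start = /^([^\s=",]+)(?:\s+(.*))?$/;
  const addParam = (c, text) => {
    const m = param.exec(text);
    if (m) c.params[m[1].toLowerCase()] = m[2].replace(/^"(.*)"$/, "$1").replace(/\\(.)/g, "$1");
  };
  for (const piece of headerValues.flatMap(splitOutsideQuotes)) {
    const s = start.exec(piece);
    if (challenges.length && param.test(piece)) addParam(challenges[challenges.length - 1], piece);
    else if (s) {
      // "Scheme name=value" or a bare "Scheme" opens a new challenge.
      challenges.push({ scheme: s[1].toLowerCase(), params: {} });
      if (s[2]) addParam(challenges[challenges.length - 1], s[2]);
    }
  }
  return challenges;
}

// Decide what the client does with the reply to the WebSocket opening handshake.
function decideHandshakeAction(status, wwwAuthenticate, isTls) {
  if (status === 101) return { action: "upgrade" };
  if (status !== 401) return { action: "handle-per-http" };
  // Digest without an algorithm parameter means MD5 (RFC 7616), so it is not "strong".
  const strong = (c) => c.scheme === "digest" && /^SHA-(256|512-256)/i.test(c.params.algorithm || "");
  const ranked = [
    [(c) => c.scheme === "hoba", "HOBA"],                  // no password involved
    [strong, "Digest"],
    [(c) => c.scheme === "digest" && isTls, "Digest-MD5"], // weak hash: wss only
    [(c) => c.scheme === "basic" && isTls, "Basic"],       // cleartext password: wss only
  ];
  const offered = parseChallenges(wwwAuthenticate);
  for (const [test, label] of ranked) {
    const c = offered.find(test);
    if (c) return { action: "authenticate", scheme: label, realm: c.params.realm };
  }
  return { action: "abort" }; // nothing acceptable offered on this transport
}
```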