IETF Logo Mail Archive

Re: [Ietf-http-auth] Re: [dix] Notes on Web authentication enhancements

Sam Hartman <hartmans-ietf@mit.edu> Thu, 06 July 2006 20:40 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Fyae8-0003Dz-F2; Thu, 06 Jul 2006 16:40:24 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Fyae7-0003Du-J5 for dix@ietf.org; Thu, 06 Jul 2006 16:40:23 -0400
Received: from carter-zimmerman.suchdamage.org ([69.25.196.178] helo=carter-zimmerman.mit.edu) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Fyae6-0008Sm-95 for dix@ietf.org; Thu, 06 Jul 2006 16:40:23 -0400
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id 6817DE0079; Thu, 6 Jul 2006 16:40:46 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: EKR <ekr@networkresonance.com>
Subject: Re: [Ietf-http-auth] Re: [dix] Notes on Web authentication enhancements
References: <20060619220742.40B85222427@laser.networkresonance.com> <tsl3bdoiq9g.fsf@cz.mit.edu> <86mzbqbwjm.fsf@raman.networkresonance.com> <tslk66qa6wi.fsf@cz.mit.edu> <86k66qwmzo.fsf@raman.networkresonance.com>
Date: Thu, 06 Jul 2006 16:40:46 -0400
In-Reply-To: <86k66qwmzo.fsf@raman.networkresonance.com> (Eric Rescorla's message of "Thu, 06 Jul 2006 12:29:31 -0700")
Message-ID: <tslveqa8o1d.fsf@cz.mit.edu>
User-Agent: Gnus/5.110004 (No Gnus v0.4) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Score: 0.1 (/)
X-Scan-Signature: e5ba305d0e64821bf3d8bc5d3bb07228
Cc: Digital Identity Exchange <dix@ietf.org>, ietf-http-auth@lists.osafoundation.org
X-BeenThere: dix@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Digital Identity Exchange <dix@ietf.org>
List-Id: Digital Identity Exchange <dix.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/dix>
List-Post: <mailto:dix@ietf.org>
List-Help: <mailto:dix-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=subscribe>
Errors-To: dix-bounces@ietf.org

>>>>> "Eric" == Eric Rescorla <ekr@networkresonance.com> writes:

    Eric> Sorry, I don't see what you're getting at. PwdHash is
    Eric> specified to use the domain name of the server as the hash
    Eric> salt. RFC 2818 requires that that domain name match the
    Eric> server's certificate. There's nothing additional required.

The additional thing is that the specification of pwdhash uses the
        same naming for servers that tls does and that as pwdhash is
        used, it derives the name of the server it is contacting from
        the same place as TLS (the URI).

Say I replace pwdhash with an authentication scheme where the client
needs to learn from the user an identity for the server to be used at
the TLS layer (the domain name from the URI) and an identity to be
used for my upper layer authentication scheme (derived somewhere
else).

For example, SASL digest effectively names the server based on a
realm.  There's no good mapping between the server's domain name and
the realm.  So, I'm fairly certain that a server could trick you into
giving it a challenge to replay with another server.

I think HTTP digest works approximately the same way.
In this situation, TLS would not be enough to prevent MITM.

Although perhaps the difference here is that I was using a broader
definitiong of hi jacking than you were and my definition included
MITM.



_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix

v2.8.7 | Report a Bug | By Email