[http-auth] First review of the Rest-Auth draft
Yoav Nir <ynir@checkpoint.com> Tue, 05 November 2013 08:14 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCD2621E8087 for <http-auth@ietfa.amsl.com>; Tue, 5 Nov 2013 00:14:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.921
X-Spam-Level:
X-Spam-Status: No, score=-9.921 tagged_above=-999 required=5 tests=[AWL=-0.522, BAYES_00=-2.599, J_CHICKENPOX_12=0.6, J_CHICKENPOX_17=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wcSUQXBUOCgX for <http-auth@ietfa.amsl.com>; Tue, 5 Nov 2013 00:14:04 -0800 (PST)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 3036621E809C for <http-auth@ietf.org>; Tue, 5 Nov 2013 00:14:03 -0800 (PST)
Received: from DAG-EX10.ad.checkpoint.com ([194.29.34.150]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id rA58A1I7007006 for <http-auth@ietf.org>; Tue, 5 Nov 2013 10:14:02 +0200
X-CheckPoint: {5278A67A-2-1B221DC2-1FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.106]) by DAG-EX10.ad.checkpoint.com ([169.254.3.213]) with mapi id 14.03.0123.003; Tue, 5 Nov 2013 10:13:52 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: "http-auth@ietf.org" <http-auth@ietf.org>
Thread-Topic: First review of the Rest-Auth draft
Thread-Index: AQHO2f72X3rY8XRT1kSBqcr+zTyMwg==
Date: Tue, 05 Nov 2013 08:13:51 +0000
Message-ID: <B5942D74-1A54-4DBD-AC8F-37887226343E@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.21.53]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-ID: <280FD21046CE4A439354FC60E5BB14E5@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [http-auth] First review of the Rest-Auth draft
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2013 08:14:11 -0000
Hi
I have reviewed draft-ietf-httpauth-rest-auth-01. This is done with no hats - it is not a SecDir review, nor a chair or shepherd review. My comments have no more or less weight than those of any other participant.
The proposal moves the authentication outside of the HTTP layer, and into the application layer. The benefits of this are:
1. Works through unmodified routers and proxies (including TLS proxies)
2. Creates a resource that represents the session, and can be deleted for a logout.
3. Can re-use many existing mechanisms.
4. RESTful, so it supports clustering.
5. Easily implemented in application interfaces such as CGI, FastCGI, and others.
It should be noted that all this information is in the Abstract, and most of it should probably be moved to the Introduction (section 1).
Section 1.1 has a longish review of the state of authentication on the web. We could probably do without it, but as long as it's confined to that one section, we can leave it at that, but discussion of alternative methods also fills up section 2.
Section 1.2 outlines the protocol, and section 1.3 discusses API constraints. The interesting stuff (the protocol) begins in section 3, about a third of the way through the document.
I find section 3 clear, although I would have rather had the examples close by rather than all the way down in section 7. Nit: section 3.1 refers to the ABNF in the previous section, but the ABNF has moved to section 3.1.2.
I would have liked to see examples for and within each sub-section of section 3, because those help me make sense of things better than ABNF.
Section 6 describes how the server side of Rest-Auth can be done with a single server, multiple server or an HTTP "router". For the multi-server case, it is assumed that they will have some shared media on which to store the resource representing the session. This is indicated by the three words (many servers) "sharing server state". I think that this requirement should be stated more explicitly. For a static site, a cluster could consist of several replicated servers. Not so for a site implementing Rest-Auth.
Section 7 finally has the example to make this all fall into place. However, looking at figure 3, there is one thing that's still missing: How does the client get the resource. See the first transaction in figure 3 looks like this:
C->S: GET /some-resources HTTP/1.1
Host: A.example
S->C: HTTP/1.1 401 Unauthorized
WWW-Authenticate: RA-SA-SCRAM-SHA-1 \
http://A.example/rest-sa-scram \
s=session-ID,MIC r=no
WWW-ChannelBinding-Types: tls-server-end-point
And the last one looks like this:
S->C: HTTP/1.1 200
Content-Type: application/octet-stream
Content-Length: nnn
v=rmF9pqV8S7suAoZWja4dJRkFsKQ=
Content-Type: application/octet-stream
So the authentication process created some SCRAM-specific parameter "v", and a resource called "/restauth-9d0af5f680d4ff46". When the client tries again to fetch "/some-resources", what data should be passed in the Authorization header?
Section 8 looks good.
Yoav