Re: [http-auth] Alissa Cooper's No Objection on draft-ietf-httpauth-hoba-09: (with COMMENT)
Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Thu, 08 January 2015 00:39 UTC
Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC9841A8777; Wed, 7 Jan 2015 16:39:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.01
X-Spam-Level:
X-Spam-Status: No, score=-0.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mJzELnY53-Ko; Wed, 7 Jan 2015 16:39:21 -0800 (PST)
Received: from mail-lb0-x234.google.com (mail-lb0-x234.google.com [IPv6:2a00:1450:4010:c04::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39EED1AC3B4; Wed, 7 Jan 2015 16:39:20 -0800 (PST)
Received: by mail-lb0-f180.google.com with SMTP id l4so381507lbv.11; Wed, 07 Jan 2015 16:39:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=SUYbW+mBDGAFLDIyI93gpk/SZFb+Qaj6Pxmk1JgpYCU=; b=mnYxrrxT/pQiAzX22fcFJRZtViWzzpxklEnVftifXrd+rCuN8yL9fxicVg0OYqkiRv QYxqkTuggssPWWxU20Q0bK/f7nPam1Iowvy1K6e4KLsRpma0emko7PgRs7as2CmekXvN wRornvk7AU6cSHGS2w34IP/6ydPZ50KNvzFTXeHj3nyN87+bPbqaITSVYkiiN0CuCgls TCNq1xDYk2L3mfyGubvWz/P/3VusezWGXLCZD9eREsUH5Xo6dElDj8aGdv06BMsfFg3f MHH8+/ylDJgRE59w0gt+l9VwWy9eDErZyHsjh0YPosvzBn4rYmpT+dbPSxqJ9zLyN13S scSg==
MIME-Version: 1.0
X-Received: by 10.112.188.201 with SMTP id gc9mr9525798lbc.6.1420677557647; Wed, 07 Jan 2015 16:39:17 -0800 (PST)
Received: by 10.152.185.195 with HTTP; Wed, 7 Jan 2015 16:39:17 -0800 (PST)
Received: by 10.152.185.195 with HTTP; Wed, 7 Jan 2015 16:39:17 -0800 (PST)
In-Reply-To: <54ADBD79.4090201@cs.tcd.ie>
References: <20150107222027.18377.83227.idtracker@ietfa.amsl.com> <54ADBD79.4090201@cs.tcd.ie>
Date: Wed, 07 Jan 2015 18:39:17 -0600
Message-ID: <CAKKJt-fRX=upmtEAW5s1bFs0=zK0BV1JvWnkqkPKQFxR0kHW2g@mail.gmail.com>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="001a11c3736629feb8050c19457e"
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/1ao0m-L7YkdyqxCvJDOchmaAG6A
Cc: httpauth-chairs@tools.ietf.org, draft-ietf-httpauth-hoba.all@tools.ietf.org, Alissa Cooper <alissa@cooperw.in>, http-auth@ietf.org, iesg@ietf.org
Subject: Re: [http-auth] Alissa Cooper's No Objection on draft-ietf-httpauth-hoba-09: (with COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jan 2015 00:39:45 -0000
On Jan 8, 2015 7:13 AM, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote: > > > > Hiya, > > Two non-trivial changes here, see below, but also please check that > though, working copy is at [1], diff vs. -09 at [2] as usual. > > [1] https://down.dsg.cs.tcd.ie/misc/draft-ietf-httpauth-hoba-10.txt > [2] > https://tools.ietf.org/rfcdiff?url1=draft-ietf-httpauth-hoba-09.txt&url2=https://down.dsg.cs.tcd.ie/misc/draft-ietf-httpauth-hoba-10.txt > > On 07/01/15 22:20, Alissa Cooper wrote: > > Alissa Cooper has entered the following ballot position for > > draft-ietf-httpauth-hoba-09: No Objection > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut this > > introductory paragraph, however.) > > > > > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > http://datatracker.ietf.org/doc/draft-ietf-httpauth-hoba/ > > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > Good stuff! Couple of comments. > > > > = Logging out = > > > > The intro says > > > > "Logout features can be useful for UAs, so HOBA defines a way to > > close a current HTTP "session", and also a way to close all > > current sessions, even if more than one session is currently > > active from different UAs for the same account." > > > > But the method specified in 6.3 seems to only accomplish the first of > > these (assuming the recommendation about server deletion of cookies > > related to "the session" is meant to be specific to one session). What is > > the method for logging out of all sessions associated with different UAs > > for the same account? > > Oops that's a relic, good catch. Deleted from "...and also a way" to > the end. My code doesn't have that anymore, I didn't check other > folks. We could always add it back later if needed, it'd just be one > more .well-knonw/hoba thing. (And in case you ask, sorry but I forget > when/why we dropped that or if it was because it didn't work or out > of laziness or someone's objection:-) > > > > > = Section 6.1 = > > > > Either the device identifier/device identifier type bits are > > underspecified, or it's not clear to me how they are meant to be used. > > What other device identifier types are expected to be used in the future, > > such that a registry of them is necessary? To me it seems like you would > > want UAs/users to take some care with the precision of the device > > identifiers shared with servers -- e.g., "Alissa's laptop" seems like it > > could be useful and fairly safe, whereas "IMEI 013584009812219" seems > > like total overkill and a bad idea. (As an aside, it might be good to > > provide some guidance about this in the document.) The creation of the > > registry makes me wonder if more structured device identifiers of the > > IMEI-ilk are envisioned, and if so what the purpose of them is expected > > to be? > > Nobody had mentioned IMEIs but that's a very good point since most > devices have something like that it'd be bad to use. The idea of the > registry for dids was that they might be part of the registration > flow that a site used (hence not specified here), so e.g. account > creation for phones might differ from that for tablets or laptops. > (And no, I don't think we yet know enough to do a good job on defining > those right now, so how to use this well would be a part of the > experiment I figure. And now I'm hoping we don't get asked to say > all that in the draft;-) > > I added text about possible privacy issue in both 8.1 and 9.5. > > 8.1, NEW: > > Device identifiers are intended to specify classes of device in a way > that can assist with registration and with presentation to the user > of information about previous sessions, e.g. last login time. > > Device identifier types MUST NOT be privacy sensitive, with values > that would allow tracking a user in unexpected ways. In particular, > using an device identifier type that is analogous to the > International Mobile Equipment Identifier (IMEI) would be a really > bad idea and is the reason for the MUST NOT above. In that case > "mobile phone" could be an acceptable choice. > > If possible, implementations ought encourage use of device identifier > values that are not personally identifying except for the user > concerned, for example "Alice's mobile" is likely to be chosen and is > somewhat identifying but "Alice's phone: UUID 1234-5567-89abc-def0" > would be a very bad choice. > > 9.5, NEW: > > The designated expert for this registry is to carefully pay attention > to the notes on this field in Section 8.1, in particular the "MUST > NOT" stated therein. > > Happy to wordsmith that some more and we probably will want to. > > (Isn't it interesting how even those of us who care about this kind of > thing can miss it entirely;-) > > > > > Also, I would suggest > > > > s/if absent then the "string" form of device identifier MUST be used./if > > absent then the "string" form of device identifier defined in Section 9.5 > > MUST be used. > > Sure > > > > > = Section 8 = > > > > "Binding my CPK with someone else's account would be fun and > > profitable so SHOULD be appropriately hard." > > > > Sarcasm translates pretty poorly across cultures. I would suggest saying > > what you actually mean here. > > Wasn't meant to be sarcastic at all. I guess it is a little opaque but > surely the threat is so obvious that the "fun and profit" colloquialism > is ok. > > > > > = Section 8.2 = > > > > If you want to leave in the LinkedIn reference, or any specific example, > > it needs a citation. > > Yep, I added one to the working copy. It's wikipedia but I've wrangled > that with the RFC editor before via the wiki permanent URL feature:-) For what it's worth, I like using a reference for this. Thank you, Alissa, for making the suggestion, and thank you, Stephen, for making the change. I understand the point about the LinkedIn example being a Big Hairy Deal, so pointing to it sounds like a plan. I wonder if it's more effective to say "this happens all the time" in the text, which I understand to be the case, with the reference being to LinkedIn. I'm no security maven, but when I was reading recently about Sony's wizard security practices, I thought to myself, "I'd never do anything that dumb", and kind of stopped there. I wonder if that's more likely if the text calls out any single company. Spencer, who may still be too nice to be an AD ... > Cheers, > S. > > > > > > >
- [http-auth] Alissa Cooper's No Objection on draft… Alissa Cooper
- Re: [http-auth] Alissa Cooper's No Objection on d… Stephen Farrell
- Re: [http-auth] Alissa Cooper's No Objection on d… Kathleen Moriarty
- Re: [http-auth] Alissa Cooper's No Objection on d… Spencer Dawkins at IETF
- Re: [http-auth] Alissa Cooper's No Objection on d… Kathleen Moriarty
- Re: [http-auth] Alissa Cooper's No Objection on d… Stephen Farrell
- Re: [http-auth] Alissa Cooper's No Objection on d… Spencer Dawkins at IETF
- Re: [http-auth] Alissa Cooper's No Objection on d… Martin J. Dürst
- Re: [http-auth] Alissa Cooper's No Objection on d… Alissa Cooper