IETF Logo Mail Archive

Re: [http-auth] Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)

Barry Leiba <Barry.Leiba@huawei.com> Tue, 06 January 2015 14:05 UTC

Return-Path: <Barry.Leiba@huawei.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F103D1A6F20; Tue, 6 Jan 2015 06:05:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ruZfS41Q0tCs; Tue, 6 Jan 2015 06:05:39 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B0131A6F22; Tue, 6 Jan 2015 06:05:36 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml406-hub.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BQY17272; Tue, 06 Jan 2015 14:05:35 +0000 (GMT)
Received: from DFWEML701-CHM.china.huawei.com (10.193.5.50) by lhreml406-hub.china.huawei.com (10.201.5.243) with Microsoft SMTP Server (TLS) id 14.3.158.1; Tue, 6 Jan 2015 14:05:33 +0000
Received: from DFWEML704-CHM.china.huawei.com ([10.193.5.141]) by dfweml701-chm ([10.193.5.50]) with mapi id 14.03.0158.001; Tue, 6 Jan 2015 06:05:29 -0800
From: Barry Leiba <Barry.Leiba@huawei.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Barry Leiba <barryleiba@computer.org>
Thread-Topic: Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)
Thread-Index: AQHQKTq4azhftYB1T02YBf9CB3xeW5yyRHMAgACpSoCAAAm8AIAAZ74A///AnxA=
Date: Tue, 06 Jan 2015 14:05:29 +0000
Message-ID: <9C2AA051DD3C464F8ADEE38AEE6C26AD18C9E90C@dfweml704-chm>
References: <20150105174855.11968.51931.idtracker@ietfa.amsl.com> <54AAE9C7.8010105@cs.tcd.ie> <CALaySJ+j2u3_amk-BSjDgRvoGKFjsqn8k1Lm8pN0dW5dCXck3g@mail.gmail.com> <9C2AA051DD3C464F8ADEE38AEE6C26AD18C9E7BA@dfweml704-chm> <54AB4FFF.4040402@cs.tcd.ie> <CALaySJ+QY12hbrn0SkzwCakcBR3mqSD7XkHAQEspogafVq1_-g@mail.gmail.com> <54ABAF30.8040207@cs.tcd.ie>
In-Reply-To: <54ABAF30.8040207@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.212.246.168]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/3P-9vJC8pK0rOGe1lduleh1D9Ik
X-Mailman-Approved-At: Tue, 06 Jan 2015 06:18:13 -0800
Cc: "draft-ietf-httpauth-hoba.all@tools.ietf.org" <draft-ietf-httpauth-hoba.all@tools.ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "httpauth-chairs@tools.ietf.org" <httpauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [http-auth] Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jan 2015 14:07:23 -0000

>> This document would benefit from some section somewhere giving a set 
>> of clear, numbered steps, saying who sends, who receives, and who does 
>> what with what input at each step.  I will propose such text.
>
> And I'll happily look at that when it's available. (And hope to not have
> to wait much:-)

And here we go; not a lot, but I think it really helps.  Of course, adjust it if I got anything wrong or worded inaccurately.  Note how the section references jump around -- that's why I found it hard to follow, and why I think this is a big help.  I'm suggesting making this Section 1.3 because I think having it up front makes it the most useful.

-------------------------------------
1.3 An Overview of HOBA-http Authentication

HOBA authentication uses the HTTP authentication framework defined in 
[RFC7235], using a number of HOBA-specific elements.  This is a high-level 
overview of HOBA-http authentication:

1. If the user is not already registered with the web-origin and realm it is 
trying to access, the "joining" process is invoked (see Section 6.1).  This 
creates a key pair and makes the CPK known to the server.

2. The client connects to the server and makes a request, and the server's 
response includes a WWW-Authenticate header field that contains the "HOBA" 
auth-scheme, along with associated parameters (see Section 3).

3. The client uses the challenge from the HOBA auth-scheme parameters, along 
with other information it knows about the web-origin and realm, to create 
and sign a HOBA-TBS string (see Section 2).

4. The client creates a HOBA client-result (HOBA-RES), using the signed 
HOBA-TBS for the "sig" value (see Section 2).

5. The client includes the Authorization header field in its next request, 
using the "HOBA" auth-scheme and putting the HOBA client-result in an 
auth-param named "result" (see Section 3).

6. The server authenticates the HOBA client-result (see Section 5.3).

7. Typically, the server's response includes a session cookie that allows 
the client to indicate its authentication state in future requests (see 
Section 1.1).

[You might include an example here, as Julian suggests.  Or perhaps you might put an example in an appendix, and just cite it here.]

-------------------------------------

Please let me know what you think.

Barry

v2.23.0 | Report a Bug | By Email