Re: [http-auth] Alexey Melnikov's Discuss on draft-ietf-httpauth-mutual-10: (with DISCUSS and COMMENT)
大岩寛 <y.oiwa@aist.go.jp> Tue, 08 November 2016 08:56 UTC
Return-Path: <y.oiwa@aist.go.jp>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 691F4129C89; Tue, 8 Nov 2016 00:56:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aist.go.jp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dyHjOIXgPrZB; Tue, 8 Nov 2016 00:56:43 -0800 (PST)
Received: from JPN01-OS2-obe.outbound.protection.outlook.com (mail-os2jpn01on0051.outbound.protection.outlook.com [104.47.92.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D350129C8B; Tue, 8 Nov 2016 00:56:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aist.go.jp; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=iLUwznzU5qaFK+ccla39WFkJAMKwzeA3S2+LM2JcrVA=; b=MZ9Z8piJTVMwSD6mkCj6WrpeLxNiU/95ij7NhitkjDbmmzxi2JbNHqzl+HKLvW99Qht5I8MTCjXuTB2f7aCRWO/WK0TtTR1qnSHMV6S9FgG/DiEmrdIOG6sliKZFL82F70SQ5RlCXL5QQ/Vz1oG9ji6k4Z8OJbqlgoHp4k2p1gA=
Received: from TY1PR01MB0588.jpnprd01.prod.outlook.com (10.167.157.18) by TY1PR01MB0586.jpnprd01.prod.outlook.com (10.167.157.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.693.12; Tue, 8 Nov 2016 08:56:39 +0000
Received: from TY1PR01MB0588.jpnprd01.prod.outlook.com ([10.167.157.18]) by TY1PR01MB0588.jpnprd01.prod.outlook.com ([10.167.157.18]) with mapi id 15.01.0693.016; Tue, 8 Nov 2016 08:56:39 +0000
From: 大岩寛 <y.oiwa@aist.go.jp>
To: Alexey Melnikov <aamelnikov@fastmail.fm>, The IESG <iesg@ietf.org>
Thread-Topic: Alexey Melnikov's Discuss on draft-ietf-httpauth-mutual-10: (with DISCUSS and COMMENT)
Thread-Index: AQHSNcrlDn92ybNtU0qJdkTyqetj76DOy4uQ
Date: Tue, 08 Nov 2016 08:56:38 +0000
Message-ID: <TY1PR01MB05881AE6CEA9593FF8D2B2DFA0A60@TY1PR01MB0588.jpnprd01.prod.outlook.com>
References: <147817486515.22851.10839561696168688036.idtracker@ietfa.amsl.com>
In-Reply-To: <147817486515.22851.10839561696168688036.idtracker@ietfa.amsl.com>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=y.oiwa@aist.go.jp;
x-originating-ip: [150.29.149.249]
x-ms-office365-filtering-correlation-id: 3be89c08-df05-4ffe-0e64-08d407b52714
x-microsoft-exchange-diagnostics: 1; TY1PR01MB0586; 7:OzeyD0wycUsM+m0Cp2IBHFdzL8P38ZwxZfiVL6wV8Tq+iw8VlyDFzYQHJkarbCrkIRPuFT373TWe0t672M+uwpZo68/BeegotphH9ex1MzfxZienQb6QBJIEl7hKeV/6h8UOuNd1o9/RMtjXtRKzO9gKdikNbJr45Rx+L79uv4NneHacryt+kBdnrPhUToD8aGNxwL1/5bVQWF8CJ+VDclZPpZKqGBWVXItWjnaLanniWZyZMBQ2TY9nWQY5vH4NprmfhNwYpPBmYVorD68QeyJdcVqQg4DNk8Chk8sXK/SUCXq6FzYEuBuRpr4eFV05faXO+w5zurZOYHv/jRxIMJ7wu3KOvQzHPv+vLQJdxrk=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:TY1PR01MB0586;
x-microsoft-antispam-prvs: <TY1PR01MB0586E4EA73075387D02DE462A0A60@TY1PR01MB0586.jpnprd01.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040176)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026); SRVR:TY1PR01MB0586; BCL:0; PCL:0; RULEID:; SRVR:TY1PR01MB0586;
x-forefront-prvs: 01208B1E18
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(189002)(199003)(2950100002)(33656002)(8936002)(8666005)(42882006)(5660300001)(7846002)(9686002)(105586002)(8676002)(87936001)(3280700002)(66066001)(5001770100001)(189998001)(106356001)(106116001)(345774005)(68736007)(3660700001)(81156014)(81166006)(122556002)(101416001)(54356999)(50986999)(86362001)(76576001)(74316002)(85182001)(586003)(102836003)(230783001)(6116002)(2906002)(3846002)(2900100001)(92566002)(4326007)(77096005)(74482002)(305945005)(7736002)(7696004)(97736004)(76176999)(7059030); DIR:OUT; SFP:1101; SCL:1; SRVR:TY1PR01MB0586; H:TY1PR01MB0588.jpnprd01.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: aist.go.jp does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: aist.go.jp
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Nov 2016 08:56:39.0171 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 18a7fec8-652f-409b-8369-272d9ce80620
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TY1PR01MB0586
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-auth/3hCd2rksxGh-opERgwL7hL420o8>
Cc: "http-auth@ietf.org" <http-auth@ietf.org>, "draft-ietf-httpauth-mutual@ietf.org" <draft-ietf-httpauth-mutual@ietf.org>, "httpauth-chairs@ietf.org" <httpauth-chairs@ietf.org>
Subject: Re: [http-auth] Alexey Melnikov's Discuss on draft-ietf-httpauth-mutual-10: (with DISCUSS and COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Nov 2016 08:56:45 -0000
Dear Alexey: Thank you for really valuable comments. > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > This is generally a well written document. I have a couple of important comments > that I would like to see addressed and several less significant comments. > > 1) As Mirja pointed out, this spec needs need to register "Mutual" HTTP > Authentication Schemes with IANA Yes, we'll do it. > 2) In Section 7: > > If HTTP is used on a non-encrypted channel (TCP and SCTP, for > example), the validation type MUST be "host". If HTTP/TLS [RFC2818] > (HTTPS) is used with a server certificate, the validation type MUST > be "tls-server-end-point". If HTTP/TLS is used with an anonymous > Diffie-Hellman key exchange, the validation type MUST be "tls-unique" > (see the note below). > > Implementations supporting Mutual authentication over HTTPS SHOULD > support the "tls-server-end-point" validation. Support for > "tls-unique" validation is OPTIONAL for both servers and clients. > > I think the two paragraphs are in conflict. For example, the first one says > that if TLS with server certificate is used, then "tls-server-end-point" > MUST be supported. But the second says that it is SHOULD be supported. > > If the intent of the first paragraph is to say what should appear syntactically, > while the second paragraph explains what kind of validation is actually > required, I think this still can be made clearer. > > I suggest you either delete the second of these 2 paragraphs, or you need to > reword text in the first (and possibly the second) to specify a non conflicting > set of requirements. We'll clarify it by replacing the second sentence by a text suggesting tls-unique is not likely to be required to implement, in most cases. > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- Thank you for many improvement suggestions. For so many suggestions replacing SHOULD with MUST, most of these seem to be correct. We'll review all of these again to make a final decision. > 3.2.2. Strings > > All character strings MUST be encoded to octet strings using the > UTF-8 encoding [RFC3629] for the ISO 10646-1 character set > [ISO.10646-1.1993]. > > This is the same as Unicode 1.1. Unicode now released version 9.0! I suggest > you use a Unicode reference. We'll do it. > The numbers represented as base64-fixed-number SHALL be generated as > follows: first, the number is converted to a big-endian radix-256 > binary representation as an octet string. The length of the > representation is determined in the same way as mentioned above. > Then, the string is encoded using the Base 64 encoding [RFC4648] > > I assume you meant Section 4 alphabet and not Section 5 alphabet from this RFC. > Please add section reference to the above. Good point to clarify it's a BASE64, not a filesystem-safe variant. Thank you. > When the client is a Web browser with any scripting capabilities, the > > Can you explain why scripting capabilities are important here? I'll add some notice about security concern here. The second paragraph describes possible use of mutual user authentication as a replacement for host identity verification. > In Section 9: > > In both cases, it is the sender's duty to correctly prepare the > character strings. If any non-normalized character string is > received from the other peer of the communication, recipients MAY > either use it as a bare UTF-8 string without any preparation, perform > any appropriate preparations (which may cause authentication > failure), or reject any ill-prepared inputs from the sender and > respond as a communication error. > > I think you are giving too many choices which might cause interoperability > issues. > Even reducing the choices from 3 to 2 would help here. OK. The point is that the "recipient" has freedom there: it MAY accept and it MAY reject. > In Section 15: > > It would be good to be able to bind extension data to shared secret constructed > by both parties. > -- Yutaka OIWA, Ph.D. Leader, Cyber Physical Architecture Research Group Information Technology Research Institute National Institute of Advanced Industrial Science and Technology (AIST) Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp> OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]
- [http-auth] Alexey Melnikov's Discuss on draft-ie… Alexey Melnikov
- Re: [http-auth] Alexey Melnikov's Discuss on draf… Kathleen Moriarty
- Re: [http-auth] Alexey Melnikov's Discuss on draf… 大岩寛
- Re: [http-auth] Alexey Melnikov's Discuss on draf… Yutaka OIWA
- Re: [http-auth] Alexey Melnikov's Discuss on draf… kathleen.moriarty.ietf
- Re: [http-auth] Alexey Melnikov's Discuss on draf… Kathleen Moriarty