[http-auth] Session continuation and authentication

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Thu, 16 May 2013 20:52 UTC

Date: Thu, 16 May 2013 23:52:24 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Phillip Hallam-Baker <hallam@gmail.com>
Message-ID: <20130516205224.GA14412@LK-Perkele-VII>
References: <518D3C8B.3080807@digitalbazaar.com> <255B9BB34FB7D647A506DC292726F6E1150D5134B8@WSMSG3153V.srv.dir.telstra.com> <31478_1368464556_r4DH2YHq000867_CAD4=_i4cCvYccigAR1eTaNRhLOWciPHfGO2OG+ahZEaouqhFow@mail.gmail.com> <51911E5A.1000309@andrew.cmu.edu> <CAMm+Lwj2wwPearLn86D6apdO2FQOkBcPgfb9Xtq1EfdhE=3ibA@mail.gmail.com>
Cc: HTTP Auth WG <http-auth@ietf.org>
Subject: [http-auth] Session continuation and authentication

On Thu, May 16, 2013 at 09:57:11AM -0400, Phillip Hallam-Baker wrote:
> HTTP Session Continuation is a separate spec but I would like to share as
> much as possible between them.
> 
> http://www.ietf.org/id/draft-hallambaker-httpsession-01.txt
 
Regarding session continuation, since many of the proposed authentication
schemes don't seem to have multi-request authentication, should there be
some mechanism to couple authentication into session?

Obviously, how to derive a shared secret from authentication is method-
specific, and some methods (e.g. mutual) can yield stronger secrets than
others (e.g. SCRAM), and some can't yield one at all (e.g. Basic).

I note that the HOBA spec calls for using cookies (blech). I haven't yet figured
out how mutual deals with the concept of "session".

Oh, and I don't think "Just use TLS" really cuts it...

-Ilari
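As an added illustration of the point above (not code from the thread or from any of the drafts discussed): SCRAM's key derivation leaves both ends with key material (ClientKey, ServerKey) that never crosses the wire, so a session secret can be derived from it, whereas Basic carries nothing beyond the password itself. The session-secret construction, the request-signing format and the sample credentials are all assumptions made for this example, not the format of draft-hallambaker-httpsession.

```python
import hashlib
import hmac

# Constructed sample credentials; in a real exchange salt and nonces come from the wire.
PASSWORD = b"correct horse battery staple"
SALT = b"constructed-salt"
ITERATIONS = 4096


def scram_keys(password: bytes, salt: bytes, iterations: int):
    """SCRAM-style derivation (SHA-256 variant): SaltedPassword -> ClientKey, ServerKey.
    The client computes both; the server learns ClientKey from the proof and holds
    ServerKey, so after a successful exchange both sides hold the same key material."""
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", "sha256").digest()
    server_key = hmac.new(salted, b"Server Key", "sha256").digest()
    return client_key, server_key


def scram_session_secret(client_key: bytes, server_key: bytes, auth_message: bytes) -> bytes:
    """Assumed construction (illustrative, not from any RFC): bind a session secret to
    the key material and to the transcript of this particular authentication."""
    ikm = client_key + server_key
    return hmac.new(ikm, b"http-session|" + auth_message, "sha256").digest()


def basic_session_secret(*_):
    """HTTP Basic sends the password itself; anyone who saw the request has all the
    secret there is, so no session secret can be derived from it."""
    return None


def sign_request(session_key: bytes, seq: int, method: str, path: str) -> str:
    """Session continuation: MAC the request under the derived secret. The sequence
    number is part of the signed data so a captured request cannot be replayed."""
    msg = f"{seq}\n{method}\n{path}".encode()
    return hmac.new(session_key, msg, "sha256").hexdigest()


def verify_request(session_key: bytes, seq: int, method: str, path: str,
                   tag: str, last_seq: int) -> bool:
    """Server-side check: reject stale sequence numbers, then compare the MAC in
    constant time."""
    if seq <= last_seq:
        return False
    return hmac.compare_digest(sign_request(session_key, seq, method, path), tag)
```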