IETF Logo Mail Archive

Re: [http-auth] Alissa Cooper's No Objection on draft-ietf-httpauth-hoba-09: (with COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 08 January 2015 00:58 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E62CF1A879F; Wed, 7 Jan 2015 16:58:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.009
X-Spam-Level:
X-Spam-Status: No, score=-0.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, MIME_QP_LONG_LINE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kxmjIkmzWEBi; Wed, 7 Jan 2015 16:58:54 -0800 (PST)
Received: from mail-qg0-x232.google.com (mail-qg0-x232.google.com [IPv6:2607:f8b0:400d:c04::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A67D1A87A0; Wed, 7 Jan 2015 16:58:54 -0800 (PST)
Received: by mail-qg0-f50.google.com with SMTP id z60so120228qgd.9; Wed, 07 Jan 2015 16:58:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:mime-version:subject:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=BF8orOrxg/LQPvFWauKY9/250//EjWXYTvisiq/6yJE=; b=pPPSxYH3WaqjuX0uSxyTMukK5PZev2VPsfZikVPhipy/6nLs1VoQtndPi4x8Y82JAC mfrwFH890O+jS9EpDCzyGlqwDS5P7IiZnRl4Pb/8jkCISlD8yDuXyc2/z7s+Sb4IKjEs B3IPRBFCoaRqGED5GzCrpys+rvgQMVDNARkysxXCWDZo1ybCma8kh1eSGvh+vtKth3Tr 4XerKTLrdgHO8ykizBZCqMMYwTRUi6ZreLMxIxAPFF2bNhrXcvj811saO6cGz3j+/B1d tXOkS80w/t93dkD9nV4Q9NEKeRkgBYhkWlzXEwOKgialATXpXh5y265S+O2NSI0fX8/N 2B0A==
X-Received: by 10.140.21.80 with SMTP id 74mr9465177qgk.87.1420678733649; Wed, 07 Jan 2015 16:58:53 -0800 (PST)
Received: from [192.168.1.3] (209-6-114-252.c3-0.arl-ubr1.sbo-arl.ma.cable.rcn.com. [209.6.114.252]) by mx.google.com with ESMTPSA id s2sm2637577qam.45.2015.01.07.16.58.51 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 07 Jan 2015 16:58:52 -0800 (PST)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
X-Google-Original-From: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-0BD6E011-401B-413C-9312-613A3708016C"
Mime-Version: 1.0 (1.0)
X-Mailer: iPhone Mail (11D257)
In-Reply-To: <CAKKJt-fRX=upmtEAW5s1bFs0=zK0BV1JvWnkqkPKQFxR0kHW2g@mail.gmail.com>
Date: Wed, 07 Jan 2015 19:58:53 -0500
Content-Transfer-Encoding: 7bit
Message-Id: <A71C21BC-39BA-47B8-87FD-3BDF5ADE4F5D@gmail.com>
References: <20150107222027.18377.83227.idtracker@ietfa.amsl.com> <54ADBD79.4090201@cs.tcd.ie> <CAKKJt-fRX=upmtEAW5s1bFs0=zK0BV1JvWnkqkPKQFxR0kHW2g@mail.gmail.com>
To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/5KBB7cQUoottSuon3ZFF-ATA3pQ
Cc: "httpauth-chairs@tools.ietf.org" <httpauth-chairs@tools.ietf.org>, "draft-ietf-httpauth-hoba.all@tools.ietf.org" <draft-ietf-httpauth-hoba.all@tools.ietf.org>, Alissa Cooper <alissa@cooperw.in>, "http-auth@ietf.org" <http-auth@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Subject: Re: [http-auth] Alissa Cooper's No Objection on draft-ietf-httpauth-hoba-09: (with COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jan 2015 00:59:00 -0000


Sent from my iPhone

> On Jan 7, 2015, at 7:39 PM, Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> wrote:
> 
> 
> On Jan 8, 2015 7:13 AM, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote:
> >
> >
> >
> > Hiya,
> >
> > Two non-trivial changes here, see below, but also please check that
> > though, working copy is at [1], diff vs. -09 at [2] as usual.
> >
> >    [1] https://down.dsg.cs.tcd.ie/misc/draft-ietf-httpauth-hoba-10.txt
> >    [2]
> > https://tools.ietf.org/rfcdiff?url1=draft-ietf-httpauth-hoba-09.txt&url2=https://down.dsg.cs.tcd.ie/misc/draft-ietf-httpauth-hoba-10.txt
> >
> > On 07/01/15 22:20, Alissa Cooper wrote:
> > > Alissa Cooper has entered the following ballot position for
> > > draft-ietf-httpauth-hoba-09: No Objection
> > >
> > > When responding, please keep the subject line intact and reply to all
> > > email addresses included in the To and CC lines. (Feel free to cut this
> > > introductory paragraph, however.)
> > >
> > >
> > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> > > for more information about IESG DISCUSS and COMMENT positions.
> > >
> > >
> > > The document, along with other ballot positions, can be found here:
> > > http://datatracker.ietf.org/doc/draft-ietf-httpauth-hoba/
> > >
> > >
> > >
> > > ----------------------------------------------------------------------
> > > COMMENT:
> > > ----------------------------------------------------------------------
> > >
> > > Good stuff! Couple of comments.
> > >
> > > = Logging out =
> > >
> > > The intro says
> > >
> > > "Logout features can be useful for UAs, so HOBA defines a way to
> > >       close a current HTTP "session", and also a way to close all
> > >       current sessions, even if more than one session is currently
> > >       active from different UAs for the same account."
> > >
> > > But the method specified in 6.3 seems to only accomplish the first of
> > > these (assuming the recommendation about server deletion of cookies
> > > related to "the session" is meant to be specific to one session). What is
> > > the method for logging out of all sessions associated with different UAs
> > > for the same account?
> >
> > Oops that's a relic, good catch. Deleted from "...and also a way" to
> > the end. My code doesn't have that anymore, I didn't check other
> > folks. We could always add it back later if needed, it'd just be one
> > more .well-knonw/hoba thing. (And in case you ask, sorry but I forget
> > when/why we dropped that or if it was because it didn't work or out
> > of laziness or someone's objection:-)
> >
> > >
> > > = Section 6.1 =
> > >
> > > Either the device identifier/device identifier type bits are
> > > underspecified, or it's not clear to me how they are meant to be used.
> > > What other device identifier types are expected to be used in the future,
> > > such that a registry of them is necessary? To me it seems like you would
> > > want UAs/users to take some care with the precision of the device
> > > identifiers shared with servers -- e.g., "Alissa's laptop" seems like it
> > > could be useful and fairly safe, whereas "IMEI 013584009812219" seems
> > > like total overkill and a bad idea. (As an aside, it might be good to
> > > provide some guidance about this in the document.) The creation of the
> > > registry makes me wonder if more structured device identifiers of the
> > > IMEI-ilk are envisioned, and if so what the purpose of them is expected
> > > to be?
> >
> > Nobody had mentioned IMEIs but that's a very good point since most
> > devices have something like that it'd be bad to use. The idea of the
> > registry for dids was that they might be part of the registration
> > flow that a site used (hence not specified here), so e.g. account
> > creation for phones might differ from that for tablets or laptops.
> > (And no, I don't think we yet know enough to do a good job on defining
> > those right now, so how to use this well would be a part of the
> > experiment I figure. And now I'm hoping we don't get asked to say
> > all that in the draft;-)
> >
> > I added text about possible privacy issue in both 8.1 and 9.5.
> >
> > 8.1, NEW:
> >
> >    Device identifiers are intended to specify classes of device in a way
> >    that can assist with registration and with presentation to the user
> >    of information about previous sessions, e.g.  last login time.
> >
> >    Device identifier types MUST NOT be privacy sensitive, with values
> >    that would allow tracking a user in unexpected ways.  In particular,
> >    using an device identifier type that is analogous to the
> >    International Mobile Equipment Identifier (IMEI) would be a really
> >    bad idea and is the reason for the MUST NOT above.  In that case
> >    "mobile phone" could be an acceptable choice.
> >
> >    If possible, implementations ought encourage use of device identifier
> >    values that are not personally identifying except for the user
> >    concerned, for example "Alice's mobile" is likely to be chosen and is
> >    somewhat identifying but "Alice's phone: UUID 1234-5567-89abc-def0"
> >    would be a very bad choice.
> >
> > 9.5, NEW:
> >
> >    The designated expert for this registry is to carefully pay attention
> >    to the notes on this field in Section 8.1, in particular the "MUST
> >    NOT" stated therein.
> >
> > Happy to wordsmith that some more and we probably will want to.
> >
> > (Isn't it interesting how even those of us who care about this kind of
> > thing can miss it entirely;-)
> >
> > >
> > > Also, I would suggest
> > >
> > > s/if absent then the "string" form of device identifier MUST be used./if
> > > absent then the "string" form of device identifier defined in Section 9.5
> > > MUST be used.
> >
> > Sure
> >
> > >
> > > = Section 8 =
> > >
> > > "Binding my CPK with someone else's account would be fun and
> > >    profitable so SHOULD be appropriately hard."
> > >
> > > Sarcasm translates pretty poorly across cultures. I would suggest saying
> > > what you actually mean here.
> >
> > Wasn't meant to be sarcastic at all. I guess it is a little opaque but
> > surely the threat is so obvious that the "fun and profit" colloquialism
> > is ok.
> >
> > >
> > > = Section 8.2 =
> > >
> > > If you want to leave in the LinkedIn reference, or any specific example,
> > > it needs a citation.
> >
> > Yep, I added one to the working copy. It's wikipedia but I've wrangled
> > that with the RFC editor before via the wiki permanent URL feature:-)
> 
> For what it's worth, I like using a reference for this. Thank you, Alissa, for making the suggestion, and thank you, Stephen, for making the change.
> 
> I understand the point about the LinkedIn example being a Big Hairy Deal, so pointing to it sounds like a plan.
> 
> I wonder if it's more effective to say "this happens all the time" in the text, which I understand to be the case, with the reference being to LinkedIn.
> 
> I'm no security maven, but when I was reading recently about Sony's wizard security practices, I thought to myself, "I'd never do anything that dumb", and kind of stopped there. I wonder if that's more likely if the text calls out any single company.
> 
> Spencer, who may still be too nice to be an AD ...
> 

For big attacks, the security folks tend to name the first or a big recent example of a specific attack.  When you say the LinkedIn attack, I remember that there was some crazy large (I think a million+) number of passwords stolen from at he server side.  This caused a lot of questions from friends and lots of password changes (well publicized).  In response to Barry's question on this that led to Stephen's update, I mentioned that most look at how a company responds in terms of reputation as opposed to the fact that an event occurs.  Business usually goes up as crazy as that sounds.  RSA gets mentioned when the discussion is about APTs or the trend in supply chain attacks. I hope this was helpful.

Does the new language help enough?  I think it does, but  another security person.

Thanks,
Kathleen
> > Cheers,
> > S.
> >
> >
> > >
> > >
> >

v2.23.0 | Report a Bug | By Email