Re: [http-auth] Terry Manderson's No Objection on draft-ietf-httpauth-mutual-10: (with COMMENT)

大岩寛 <> Wed, 02 November 2016 08:41 UTC

From: 大岩寛 <>
To: Terry Manderson <>, The IESG <>
Date: Wed, 02 Nov 2016 08:41:16 +0000

Dear Terry, thank you very much.

> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> Thanks for writing a very detailed document.
> A few minor comments.
> 1) Please review the introduction, there are several grammatical errors in
> there. Meaning still came through just fine, but they were a little distracting.

We'll do it.

> 2) The state machine diagram of the client is quite complex. A candidate for
> the new RFC format?

Maybe :-)  I have picture-based (HTML/PDF) versions, too.

> 3) I agree with Alvaro's comment on the IPR. Thank you for making it royalty
> free, however not sure you need to add the text in the RFC.

Thank you very much for the suggestion.

> 4) This to me seems as it is essentially a shared secret construct, one sentence
> from RFC 2361 (security considerations) seems applicable here.
> "All the security in this system is provided by the secrecy of the private keying
> material." If this the case, please provide ample warning that (as one would
> expect) loss of the password from either the client or the server results in
> a complete compromise.

We already included some analysis of those, but we'll make it more prominent.
More precisely, loss from the client is really critical (even with a strong password);
loss from the server is only severe when the password is weak enough for dictionary attacks.

Yutaka OIWA, Ph.D.       Leader, Cyber Physical Architecture Research Group
                                  Information Technology Research Institute
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <>, <>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
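The asymmetry described in the reply above (a leaked client password is fatal regardless of strength, while a leaked server-side record only matters when the password can be guessed offline) can be shown concretely with a password-verifier construction. The following is an added example, not code from draft-ietf-httpauth-mutual or its authors: the verifier v = g^H(salt, user, password) mod p is a simplified SRP-style stand-in for the draft's augmented-PAKE verifier, the group parameters are a toy chosen so the script runs instantly, and the salt, usernames, passwords and wordlist are constructed sample data.

```python
"""Why a leaked client password is fatal while a leaked server verifier only
matters for guessable passwords.

Added example, not code from draft-ietf-httpauth-mutual. The verifier below
(v = g^H(salt, user, password) mod p) is a simplified SRP-style stand-in for
the draft's augmented-PAKE verifier; the group is a toy and must not be used
in practice.
"""
import hashlib

# Toy group: a Mersenne prime, far too small for real security. A real
# deployment uses a large, standardized group; this one just runs instantly.
P = 2**127 - 1
G = 2

# Constructed sample data for the demonstration.
SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")
USERNAME = "alice"
WEAK_PASSWORD = "password123"
STRONG_PASSWORD = "Q7v!pR2#xL9mZ4@wT1"   # constructed; not in the wordlist
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "iloveyou"]


def derive_exponent(salt: bytes, username: str, password: str) -> int:
    """Client-side secret exponent derived from the password. (The draft derives
    its own password-based values differently; this is the simplified stand-in.)"""
    digest = hashlib.sha256(salt + username.encode() + b":" + password.encode()).digest()
    return int.from_bytes(digest, "big")


def make_verifier(salt: bytes, username: str, password: str) -> int:
    """What the server stores at enrolment: g^x mod p, never the password itself."""
    return pow(G, derive_exponent(salt, username, password), P)


def client_secret_authenticates(salt: bytes, username: str, password: str, verifier: int) -> bool:
    """Anyone holding the client's password can recompute the exponent and pass
    authentication, however strong the password is."""
    return make_verifier(salt, username, password) == verifier


def offline_dictionary_attack(salt: bytes, username: str, verifier: int, wordlist):
    """What an attacker can do with a leaked server database: test candidate
    passwords offline against the verifier, with no interaction and no rate
    limiting. Returns the recovered password, or None if no candidate matches."""
    for candidate in wordlist:
        if make_verifier(salt, username, candidate) == verifier:
            return candidate
    return None


def run_demo():
    """Returns (client_leak_strong, server_leak_weak, server_leak_strong):
    whether a stolen strong password still authenticates, and what a stolen
    verifier yields for a weak and for a strong password."""
    weak_v = make_verifier(SALT, USERNAME, WEAK_PASSWORD)
    strong_v = make_verifier(SALT, USERNAME, STRONG_PASSWORD)
    return (
        client_secret_authenticates(SALT, USERNAME, STRONG_PASSWORD, strong_v),
        offline_dictionary_attack(SALT, USERNAME, weak_v, WORDLIST),
        offline_dictionary_attack(SALT, USERNAME, strong_v, WORDLIST),
    )


if __name__ == "__main__":
    client_leak, weak_hit, strong_hit = run_demo()
    print("client password leaked (strong pw): attacker authenticates =", client_leak)
    print("server verifier leaked (weak pw):   recovered =", weak_hit)
    print("server verifier leaked (strong pw): recovered =", strong_hit)
```

The point the script makes is the one in the reply: the server-side record is a verifier, so its compromise gives an attacker only an offline guessing oracle, which succeeds for "password123" and fails for a password outside the wordlist, whereas the client's password is the secret itself and its compromise needs no guessing at all.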