Re: [http-auth] Terry Manderson's No Objection on draft-ietf-httpauth-mutual-10: (with COMMENT)

大岩寛 <y.oiwa@aist.go.jp> Wed, 02 November 2016 08:41 UTC

Return-Path: <y.oiwa@aist.go.jp>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74872129453; Wed, 2 Nov 2016 01:41:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aist.go.jp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fji_lAlRoHeN; Wed, 2 Nov 2016 01:41:20 -0700 (PDT)
Received: from JPN01-TY1-obe.outbound.protection.outlook.com (mail-ty1jpn01on0063.outbound.protection.outlook.com [104.47.93.63]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 354DE129420; Wed, 2 Nov 2016 01:41:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aist.go.jp; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=eTGg3HqJEmuFimE/F/X+iIeQtgNardKbzBYqXSKmUgQ=; b=LNiQQ/2C0Dp1yJV2Q9gTXAmlYF6KGzC/wAOHjNCFBq40Ac/U7xdy/zDN3h7PYZTL9E3+FPivmnWwWZ+plreQQ8HO1eGpU+23CFVuqtJNkZ7JH7VWWk4EvkOTIY8y9Rz+3404yM2mjH3RMGDBIfHPyYkvio9+cHz1oTz71QJ2+ns=
Received: from TY1PR01MB0588.jpnprd01.prod.outlook.com (10.167.157.18) by TY1PR01MB0586.jpnprd01.prod.outlook.com (10.167.157.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.693.12; Wed, 2 Nov 2016 08:41:17 +0000
Received: from TY1PR01MB0588.jpnprd01.prod.outlook.com ([10.167.157.18]) by TY1PR01MB0588.jpnprd01.prod.outlook.com ([10.167.157.18]) with mapi id 15.01.0693.009; Wed, 2 Nov 2016 08:41:17 +0000
From: =?utf-8?B?5aSn5bKp5a+b?= <y.oiwa@aist.go.jp>
To: Terry Manderson <terry.manderson@icann.org>, The IESG <iesg@ietf.org>
Thread-Topic: Terry Manderson's No Objection on draft-ietf-httpauth-mutual-10: (with COMMENT)
Thread-Index: AQHSNJu5xGpJ15g3s0WN1353MighAKDFX2hw
Date: Wed, 2 Nov 2016 08:41:16 +0000
Message-ID: <TY1PR01MB0588090C2DE9F666E31CE1C9A0A00@TY1PR01MB0588.jpnprd01.prod.outlook.com>
References: <147804465351.23964.4743241573285672461.idtracker@ietfa.amsl.com>
In-Reply-To: <147804465351.23964.4743241573285672461.idtracker@ietfa.amsl.com>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=y.oiwa@aist.go.jp;
x-originating-ip: [150.29.149.29]
x-ms-office365-filtering-correlation-id: 8edd825c-45af-4c4a-4a78-08d402fc02f9
x-microsoft-exchange-diagnostics: 1; TY1PR01MB0586; 7:BF3H/fIF8RboTWYrmltlaR/q3gjSHVtJt180z/Bac2K6Xwh2BqkqF1fVQjbKNRCjlyOML5QmsnHW2MQTY0Ql5d2u1+fud7LWTQ1Xv63C802hWIGymgsQfznw475etHoawBqlWP5kOR+HuiNGiuRbfmpDcWk9tlATC3f7hJBjmIgF+C5jZi8W6DaqwDnPdrG5p3e1PzAbItbOKVJb4wQSzJ35Y5ck2u775yZyKRH5V0hJkC++Az4+/dHDI0Pfizu1nXzELFgLPnFGj8NY4EB3vonUBHYc98LNxf70uFsVn3sUV/IzxL3R0oSMiCmLS3zAXwGC7GZN405NLTjn4jXfICwLze2VKQ52xDs8KbQbJZo=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:TY1PR01MB0586;
x-microsoft-antispam-prvs: <TY1PR01MB0586FB73FC6DBB98F4F88577A0A00@TY1PR01MB0586.jpnprd01.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040176)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026); SRVR:TY1PR01MB0586; BCL:0; PCL:0; RULEID:; SRVR:TY1PR01MB0586;
x-forefront-prvs: 0114FF88F6
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(189002)(45984002)(15594002)(199003)(122556002)(9686002)(345774005)(105586002)(10400500002)(66066001)(81156014)(86362001)(81166006)(106116001)(7736002)(5002640100001)(106356001)(74316002)(7696004)(19580405001)(8936002)(305945005)(68736007)(76576001)(2906002)(2950100002)(42882006)(77096005)(7846002)(97736004)(3660700001)(8676002)(5001770100001)(230783001)(54356999)(101416001)(92566002)(5660300001)(33656002)(551544002)(4326007)(2900100001)(87936001)(3280700002)(74482002)(11100500001)(189998001)(102836003)(6116002)(3846002)(76176999)(50986999)(19580395003)(586003)(85182001); DIR:OUT; SFP:1101; SCL:1; SRVR:TY1PR01MB0586; H:TY1PR01MB0588.jpnprd01.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: aist.go.jp does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: aist.go.jp
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Nov 2016 08:41:16.9927 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 18a7fec8-652f-409b-8369-272d9ce80620
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TY1PR01MB0586
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-auth/9lBORO4lZ9gmDZ3PfuEwcO118oU>
Cc: "http-auth@ietf.org" <http-auth@ietf.org>, "draft-ietf-httpauth-mutual@ietf.org" <draft-ietf-httpauth-mutual@ietf.org>, "httpauth-chairs@ietf.org" <httpauth-chairs@ietf.org>
Subject: Re: [http-auth] Terry Manderson's No Objection on draft-ietf-httpauth-mutual-10: (with COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2016 08:41:22 -0000

Dear Terry, thank you very much.

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thanks for writing a very detailed document.
> 
> A few minor comments.
> 
> 1) Please review the introduction, there are several grammatical errors in
> there. Meaning still came through just fine, but they were a little distracting.

We'll do it.

> 2) The state machine diagram of the client is quite complex. A candidate for
> the new RFC format?

Maybe :-)  I have picture-based (HTML/PDF) versions, too.

> 3) I agree with Alvaro's comment on the IPR. Thank you for making it royalty
> free, however not sure you need to add the text in the RFC.

Thank you very much for the suggestion.

> 4) This to me seems as it is essentially a shared secret construct, one sentence
> from RFC 2361 (security considerations) seems applicable here.
> "All the security in this system is provided by the secrecy of the private keying
> material." If this the case, please provide ample warning that (as one would
> expect) loss of the password from either the client or the server results in
> a complete compromise.

We already put some analysis on those, but we'll make it more prominent.
More precisely, loss from the client is really critical (even with a strong password);
Loss from the server is only severe when the password is weak for dictionary attacks.


-- 
Yutaka OIWA, Ph.D.       Leader, Cyber Physical Architecture Research Group
                                  Information Technology Research Institute
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]