[http-auth] Doing it the TLS mutual way...
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 14 June 2011 21:48 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17D3C11E81D6 for <http-auth@ietfa.amsl.com>; Tue, 14 Jun 2011 14:48:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.25
X-Spam-Level:
X-Spam-Status: No, score=-106.25 tagged_above=-999 required=5 tests=[AWL=0.349, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8uFCtJvX0Pgc for <http-auth@ietfa.amsl.com>; Tue, 14 Jun 2011 14:48:50 -0700 (PDT)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [134.226.32.56]) by ietfa.amsl.com (Postfix) with ESMTP id B2CC111E81A2 for <http-auth@ietf.org>; Tue, 14 Jun 2011 14:48:48 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id A241915356D for <http-auth@ietf.org>; Tue, 14 Jun 2011 22:48:26 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:subject:mime-version :user-agent:from:date:message-id:received:received: x-virus-scanned; s=cs; t=1308088106; bh=yX1wVvyfIbp3mSvYbkQPdlwS 4aNPfWIQluAf8Jo3l5w=; b=AACoKnJnGnLS7TFWgyEP5ju6akQUSEDE6AfKGB7z 2irIrJX3PFxfqssk/ex70yUAf+qcWPfq2smpVaLoq7SKWuKQhuWpFMk0ZIAm5TYP p+y8T6iWWm6pMvkHAqHTO5y/WaS7UHcQ4BAnFNA4sKM4EL3vXZxf+99I3gXtfiGC OA6jG8V7hW0rTfSVtfuwKMdzY8dd+tmMpWyrqdp3tCgimf/UxlcpdgjMFxsBjKHe 6CtjUtIcz2s1d2PpbeqQoENXqbQsrMXBtaMDY/VeFqpo7gWy9OUgHeq9rPJiQOC4 0qqAPSQdUAb91TXCmOYENTKLvGPaA81mfxzvTJwzEG9JHg==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id dlpvM73Sckce for <http-auth@ietf.org>; Tue, 14 Jun 2011 22:48:26 +0100 (IST)
Received: from [10.87.48.10] (unknown [86.46.27.52]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 1EBB915356C for <http-auth@ietf.org>; Tue, 14 Jun 2011 22:48:16 +0100 (IST)
Message-ID: <4DF7D71B.2070004@cs.tcd.ie>
Date: Tue, 14 Jun 2011 22:48:11 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110424 Lightning/1.0b2 Thunderbird/3.1.10
MIME-Version: 1.0
To: "http-auth@ietf.org" <http-auth@ietf.org>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: [http-auth] Doing it the TLS mutual way...
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jun 2011 21:48:51 -0000
Ok, here's my idea to throw on the pile. I'm not making a claim that it's perfect, or even better than whatever - the right thing here will be what's technically a sufficient improvement and that gets deployed - but nonetheless, I think this could work if it got traction, though of course its really only a strawman at this point. As it says below, Russ pointed out that this is quite like what the enroll WG tried to do a while back, so I'm clearly not suggesting something novel here either. Anyway if this isn't DoA, then I'd welcome someone else with the time and interest helping to turn it into an I-D with a bit more detail. And of course, this is just done as an individual, (a phrase I hate adding but seemingly necessary sometimes;-) S. A HTTP authentication scheme for public TLS mutual authentication ----------------------------------------------------------------- 2011-06-14a, stephen.farrell@cs.tcd.ie The Problem ----------- - TLS mutual authentication is too hard to deploy on the public Internet. - Password based authentication schemes leave server side databases vulnerable. - EKE/PAKE schemes may help but may require the verifier to store a database of values that are dictionary attackable and these schemes do require a password to be sent to the server at least at account creation and reset time. The Approach ------------ Try to use as much as possible of what we have now (TLS mutual authentication) and just make it more usable. Define a new HTTP authentication scheme that means: I'm going to ask you to do TLS mutual authentication in a moment. If you don't have a key pair for this <<service>> already, then go <<here>> for account creation during which you need to generate a key pair and send me the self-signed cert (SSC) with <<service>> as the issuer and subject name and containing your <<service>>-specific public key. Your <<account>> identifier needs to be in a subjecAltName within that SSC. That can all happen in a couple of roundtrips with no human intervention or complex processing if all that's needed is to ensure key continuity (e.g. setting up some don't care account somewhere). Including key generation, that should be quicker and easier than typing even a well-worn password. If some higher level of assurance of the identifers used is needed, then initial signup might need to be following by validation of various identifiers, for example via a mail round-trip to validate that the client does have access to a particular email account. However, that is out of scope of this scheme and if needed should be handled via some form of workflow for account creation - this scheme is just one step in such a workflow. If you've signed up already then you should have a key pair for this <<service>> so when the server does a STARTTLS equivalent it'll ask for a client cert issued by <<service>> and you can use the SSC you generated earlier. If you want to access your account from another browser then you must first access <<thisplace>> from the first browser. At that point you will be shown a short-lived <<secret>> value. You must then go through the signup process from the new browser as usual but also including the <<secret>> value in order for us to securely accept that the new SSC also binds to the same <<account>>. If you loose the private key or other state (e.g. SSC) from one browser environment, then so long as you have some other working browser you can re-associate your account with a new SSC from the (probably re-installed) browser that lost state in the normal way - this is just like adding a second browser. If you loose all private keys then you will have to contact support who will handle your account reset manually. The Details ----------- ...are almost all TBD. But this should be doable. Some initial notes below. This probably has to be done after initial server-authenticated TLS to preserve privacy of the account identifier. (With some more signup-time complexity, the server could give the client a secret to use to encrypt the account identifier. Not sure if that'd be worth it.) The server needs to add support for the new scheme and keep a database of public keys (or hashes) and account identifiers, or just SSCs. Servers would need an application layer add-on for account signup and for binding additional SSCs to accounts. TLS is unmodified. Server-side TLS accelerators would need to be modified slightly to play the protocol and pass on the account information in some form usable by current applications. There is no revocation. SSC "validity" should be long term and ignored on the TLS server. General HTTP proxies should not be affected. Browsers would need most change to add the signup logic and the new HTTP authentication scheme. There would need to be some chrome as well. The secret for binding a 2nd SSC to an account could be embedded in a URI which may help usability in some cases. Need to consider how to make sure this doesn't get in the way of existing enterprise TLS mutual auth uses. Need to consider a migration scheme for accounts with existing passwords. The service name could, but need not, be the service URL. Any string chosen by the server deployer should work. Need to check out what enroll did and why that didn't work. Acks ---- Russ Housley pointed out the enroll similarity and the issue of additional assurance of identifiers, e.g. via a mail round-trip.
- [http-auth] Doing it the TLS mutual way... Stephen Farrell
- Re: [http-auth] Doing it the TLS mutual way... Nico Williams
- Re: [http-auth] Doing it the TLS mutual way... Stephen Farrell
- Re: [http-auth] Doing it the TLS mutual way... Nico Williams