IETF Logo Mail Archive

Re: [http-auth] Fwd: New Version Notification for draft-yusef-httpauth-srp-scheme-00.txt

Yutaka OIWA <y.oiwa@aist.go.jp> Mon, 20 July 2015 08:32 UTC

Return-Path: <y.oiwa@aist.go.jp>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AAF41A1A38 for <http-auth@ietfa.amsl.com>; Mon, 20 Jul 2015 01:32:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.401
X-Spam-Level:
X-Spam-Status: No, score=-1.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_ABOUTYOU=0.5, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id scF3r-mQc9Kh for <http-auth@ietfa.amsl.com>; Mon, 20 Jul 2015 01:32:39 -0700 (PDT)
Received: from APAC01-HK1-obe.outbound.protection.outlook.com (mail-hk1on0057.outbound.protection.outlook.com [134.170.140.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2166C1A09CF for <http-auth@ietf.org>; Mon, 20 Jul 2015 01:32:38 -0700 (PDT)
Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;
Received: from [31.133.177.67] (31.133.177.67) by TY1PR01MB0207.jpnprd01.prod.outlook.com (10.161.135.142) with Microsoft SMTP Server (TLS) id 15.1.219.17; Mon, 20 Jul 2015 08:32:33 +0000
Message-ID: <55ACB208.6000208@aist.go.jp>
Date: Mon, 20 Jul 2015 17:32:08 +0900
From: Yutaka OIWA <y.oiwa@aist.go.jp>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, "http-auth@ietf.org" <http-auth@ietf.org>
References: <20150531154835.3639.52041.idtracker@ietfa.amsl.com> <CAGL6epJ=dQw9FZS7aUX3B6oLJUw-s9+ARMbrjjZ0K+283inCkg@mail.gmail.com>
In-Reply-To: <CAGL6epJ=dQw9FZS7aUX3B6oLJUw-s9+ARMbrjjZ0K+283inCkg@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [31.133.177.67]
X-ClientProxiedBy: BLUPR01CA038.prod.exchangelabs.com (25.160.23.28) To TY1PR01MB0207.jpnprd01.prod.outlook.com (25.161.135.142)
X-Microsoft-Exchange-Diagnostics: 1; TY1PR01MB0207; 2:4t9O/s/KbqOqr75dM2uc3fWfElAIOTB5VTV9fLBoL7nCsfGuzDAQWPbfQgnbsxGA; 3:4wzl3DNzfAQRGvx7nU2OIu5AASP/hPizK+JEBeE2EkUfVBrupgWmo7pfqRxln1QywmCAOenrwXSd4PvWJ/0FBqywYzCzQPxkkNqaoPhBhNo0DrS9OYNjIV4JASzpJJJHcDDaGmo39RxII1XmF/BVvw==; 25:NnxkUNZ5qlrq0/6L7cf+UtOMfcX+yEjBFOlqVx5YN1zqpAslimYV3OU0pAq5jlEOBoAuh3bNWbPhTYqZQ1qi2LOj2r0tA7kY+HJL5/rc0n82lK3c61LAx9ruXwz+yedMMBQDSWR/ax4+CBoeorW7bsN1kGVl4Uq+E1Wyx8z8AZpWpXNB4vorH7OUr6Yku7c4uhaM1bqjlkw43OvsACEkeG8m1dkvwoAZdDE1QocE5IP9pC8sIOhzGxLO7pcbagiXLrchP4EokVuslxmfudC2oQ==
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:TY1PR01MB0207;
X-Microsoft-Exchange-Diagnostics: 1; TY1PR01MB0207; 20:+lDX6y+aYesz4sL4htI9ZUFSNbUYUwtsivAgfwYeOEN6iruSa613wFSZ8hg2ixUwHlfcTJrvf/JoZ/Drtao85A4WPjeDAIXJI6LSjocz/DtAJWlkyjLuCJ99R8gey0CTH83gZGSkz1VETMw9w5UzfaydZF2PIw5lSlE4rG9gzrvhiq4s6oromGxfAQNi/VIk4MOa6f3TGS85WmZiC24t/Sp1j05UNy62p10zwHHy+loEXt7/0hhhXm0ucu2kQOlwnxA7bMmoveF6CPIJ4aAzVRtAoS+Xpe1Js4oIjnMQ7ySHMPnY3KsquFtF/FiI2/gMQZyzatA/sYYXmDUcgLJxASqHLw7a57kp/YNiwAGJ5Ak19cLVU12JSOPMvzDtp5Pf9/yq8q+aay7blQjv/GAR80fqAXRhmD6HZfuRGcYf0295rWSTYnnG/X/RUebJpsVucHTfsbA696aBmgF8dtpVMGBjirPKZoytKY/t8MN5i8dwZ1paKPhtOPPqO3BCDVNX1/0ybx6JWk0defBN6xac22pJZVdjUw9TvgJlJKIZlqI7I0qbNjazrM9z4+AgYKfU7fQsUSHnqlYZhBr2KXt/nz9SP4gqUacPFF8DR1Y2GUM=; 4:tJYWJDVuk75Fzzf2DtXkgTWvaTiqGw5NJI9QZnd5UHkKgMP37NP+dZmJq8lvwBceVaUzbk2bdSD6WLD9EOPqIIdosw2XVvyJX2zCqUxSjCsR+YzawY8yGEBcyL0xr7OZgJkpVnTN/C/YjergtdH8QO4aTigyewnnA9JjqD9D72i/EF4wgMh4zzJT8tA6CycDd26n1GoH4UTzu7SaaB7PicRRBZ562Rktnr9kpDbiV7zwSpy8YqY33giOafLtP2z4hULTt4T3EHMyxUbJ4/yZqQ==
TY1PR01MB0207: X-MS-Exchange-Organization-RulesExecuted
X-Microsoft-Antispam-PRVS: <TY1PR01MB0207E0F3B535A898A674DFA4A0850@TY1PR01MB0207.jpnprd01.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(5005006)(3002001); SRVR:TY1PR01MB0207; BCL:0; PCL:0; RULEID:; SRVR:TY1PR01MB0207;
X-Forefront-PRVS: 0643BDA83C
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(6009001)(6049001)(479174004)(377454003)(24454002)(2473001)(377424004)(74482002)(80316001)(4001350100001)(42186005)(59896002)(561944003)(19580405001)(33656002)(2501003)(19580395003)(64126003)(230783001)(86362001)(5001960100002)(189998001)(54356999)(92566002)(46102003)(50986999)(551544002)(23746002)(87976001)(83506001)(122386002)(87266999)(107886002)(2950100001)(15975445007)(77156002)(40100003)(77096005)(65816999)(76176999)(65956001)(65806001)(62966003)(5001920100001)(47776003)(50466002)(5001770100001)(36756003)(66066001)(7099028)(3940600001); DIR:OUT; SFP:1101; SCL:1; SRVR:TY1PR01MB0207; H:[31.133.177.67]; FPR:; SPF:None; MLV:nov; PTR:InfoNoRecords; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1; TY1PR01MB0207; 23:wazjqK4ncThdhVNq2yrGQiwm5ZnORvflmalJuMosMQzMwpRh6lbxzZqOHtCJ1nYXGcNzs6ncyEo7juVf8jTLpchDj14y3iELztmTiS8IC3+tetgabsD9+LhAfnuEehjriY/dBhlXbkj60TfUjIOdN3pfW/XfhlOYf7wXiych/JDOsllcViqcrV4DWyD+ImlETguLYQ463OJI2BovRbSywyBD/ZvX1F7YljjoPKFcjVYYsoTmmqfdEANGyZjdEigg1gRc6LWJZ+WawUkhs8ruyj3BjES4cKJFVMG9EBqR7xUpp9jenxBXNmcq2fimoFZTgNZx2ZjRVJOxAMTnjQjrYshoqmSZoAVvf32aRdKUa3lpdEQHlZHppFNQmMzrBkgAc0I37iIA+ZdPUcBVforgFNRPAA0f5OxCOrSGsLPHOHdWOr9/qmdec+JFxrJI0/qwQeqUJIGOp+vXH+42pQqGoqSrPWAcEkhcJ9w1MeAx3MStUOnII2vTmb8Toj1lC8nM2QCwBe3/Xw1Ef3eoyv51JDPuaVH5YchzzdfyV9mur9zSnh+huGc4Tt1NktJNK+z4JblD+Q8F82OXtR5YzLVBaELgFhVZHZbqI08M5u0Nv1UGXvU+uIohy73HSWa7H7KXOGqbaTV+pnEMVNKoVcMdGDv+TinkLpLiP8BbRuy25o+6tvFKtxGiiIQlp2qmOLvWdY4FvNKOOepu/J6OJjmwRMxg6tfdlg73m+Bn278iRh72lJHM1VMI3pclZNNbVGkReMs+7AZZN9EwEo0gHmI3hyL8C3txxS+czUJoRubZAchjiQPizsvUHECDc5YKz7wdCXt1seCTezbZmD/t0jJ2eR4AK/LmXCHC84btiup14t8kZDAI5LqzCe9OEXvcrhmzweOGNfCQahCEpN3l+vR+fabr3TyU83KFt0x776GW+7eGZ5VZV5yALlHn726zdsyWd6hsEBco2FKRExgWRboRpuwSd95t2HSUW9XpmQ/OkOQlf6SfkjPW6q16F7WDoUXHxuPgYbJPj47WJmUgEKDHCSqgvobyTn9RyZ9IK7jUd7ptwQdCFGKbGmiAhZaWRbWiA+b3GkOWyXoWRfv+ltJah/QFXGar7FVwM92qlUC/FrALkA/5XBAmrDOrdOIXVAQxiLBBp5szQQpsb0fcfqTHx1wki0KBEFc9jvdsaUwWJw9d/5jCW0V3h5yoYwr2BxNmq5+ef/O14pyH4VzDMYaQ40tcj2ckvnE5Vk10AELNhnY3PfGbbJpXTU2xhySTGQw7fofT+FCkiSHfayU8Sbwli6PgREzwlbzDbzJfMWOIDeU=
X-Microsoft-Exchange-Diagnostics: 1; TY1PR01MB0207; 5:Tvq1hIyFbfTMtYMLkVmflpnrll9d4atIzMhy6DSVdD+THN+Oco3wMQxoGWg2rZcLf7R3evymAbH7Tf8II7ysrf0hcgtF0SiVDS65K8yEQw5888UQGr8UO8TX4/xHIZPWuvkcaCKXwehnh+uN+6gIww==; 24:QofL/7LuK3T9wgF83vCI7htx+WPyK04ke7W4cfw/hKDN+EHsC4wOR/mlDk1BNPVGqoe9BIzZxP1zR1KshtIKiKDEkFyCNsUCV8lAqMUOjx4=; 20:t9q//hsv84oQ143kLhfMk2/vC2Sk+wRAy8klXdikJ3RZ8HGluSXwFYYWLycSkap4jMMbwYSu+SGUTFKUEKHRAg==
SpamDiagnosticOutput: 1:23
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: aist.go.jp
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Jul 2015 08:32:33.9490 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TY1PR01MB0207
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/KMSKWDLe3StZZwMhhFAC69La1dw>
Subject: Re: [http-auth] Fwd: New Version Notification for draft-yusef-httpauth-srp-scheme-00.txt
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 08:32:40 -0000

Dear Rifaat,

I'm happy on seeing some interest on using strong PAKE-based
cryptography on HTTP authentication, but I also have several
questions/concerns about your current proposal.
I'll first express my general questions and suggestions,
followed by my technical reviews and suggestions in a separate email.


Could you tell us why do you think this proposal is needed?
Is there any specific request for this technology in this form, or
is it just a general motivation for PAKE to be used in HTTP?

I have been designing Mutual auth as a general framework for
augmented PAKE-based HTTP authentication, and implemented
several mechanisms to let it working effectively.
For example, the session key caching and replay-preventing
nonce-counter is a key mechanism to avoid heavy public-key
cryptographic operations in every request-response pair.

If you have no specific reasons for implementing SRP in that specific form,
I recommend to try writing it as an additional authentication algorithm
for the Mutual scheme.  It will avoid re-inventing many required wheels
for effective use of heavy PAKE mechanisms which your draft currently lacks.

# After finishing (significant portion of) my own work for Mutual auth,
# I could possibly be able to volunteer writing SRP-based auth algorithm
# for Mutual scheme, to find out whether it will work successfully or not.

Also, I have to mention that we've submitted our drafts first
to httpbis WG in 2012 as a chairs' requirement for including
it as chartered discussion candidates.  That's how the current
HTTPAUTH WG was formed with current candidates.
I'm little bit surprised to see this proposal on this time period.
If we've seen it long before, I could be working more on considering
your specific requirements merged into Mutual proposal.
# I also have asked several times for comments on the choice of
# PAKE variants for basic Mutual uses, without any strong
# suggestions for changing it from the current form.


Regards,

Yutaka

On 2015/06/01 0:53, Rifaat Shekh-Yusef wrote:
> Hi,
> 
> Yaron and I have just submitted a draft that defines a new authentication
> scheme based on the SRP protocol, to be used with the HTTP Authentication
> Framework.
> We would appreciate any thoughts, reviews, and feedback on this document.
> 
> Regards,
>  Rifaat
> 
> 
> 
> 
> ---------- Forwarded message ----------
> From: <internet-drafts@ietf.org>
> Date: Sun, May 31, 2015 at 11:48 AM
> Subject: New Version Notification for draft-yusef-httpauth-srp-scheme-00.txt
> To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Yaron Sheffer <
> yaronf.ietf@gmail.com>
> 
> 
> 
> A new version of I-D, draft-yusef-httpauth-srp-scheme-00.txt
> has been successfully submitted by Rifaat Shekh-Yusef and posted to the
> IETF repository.
> 
> Name:           draft-yusef-httpauth-srp-scheme
> Revision:       00
> Title:          HTTP Secure Remote Password (SRP) Authentication Scheme
> Document date:  2015-05-31
> Group:          Individual Submission
> Pages:          11
> URL:
> https://www.ietf.org/internet-drafts/draft-yusef-httpauth-srp-scheme-00.txt
> Status:
> https://datatracker.ietf.org/doc/draft-yusef-httpauth-srp-scheme/
> Htmlized:
> https://tools.ietf.org/html/draft-yusef-httpauth-srp-scheme-00
> 
> 
> Abstract:
>    This document defines an HTTP Authentication Scheme that is based on
>    the Secure Remote Password (SRP) protocol.  The SRP protocol is an
>    Augmented Password Authenticated Key Exchange (PAKE) protocol
>    suitable for authenticating users and exchanging keys over an
>    untrusted network.
> 
> 
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
> 
> 
> 
> _______________________________________________
> http-auth mailing list
> http-auth@ietf.org
> https://www.ietf.org/mailman/listinfo/http-auth
> 

-- 
Yutaka OIWA, Ph.D.               Cyber Physical Architecture Research Group
                                  Information Technology Research Institute
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]

v2.23.0 | Report a Bug | By Email