Re: [http-auth] Fwd: New Version Notification for draft-yusef-httpauth-srp-scheme-00.txt
Yutaka OIWA <y.oiwa@aist.go.jp> Mon, 20 July 2015 08:32 UTC
Message-ID: <55ACB208.6000208@aist.go.jp>
Date: Mon, 20 Jul 2015 17:32:08 +0900
From: Yutaka OIWA <y.oiwa@aist.go.jp>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, "http-auth@ietf.org" <http-auth@ietf.org>
References: <20150531154835.3639.52041.idtracker@ietfa.amsl.com> <CAGL6epJ=dQw9FZS7aUX3B6oLJUw-s9+ARMbrjjZ0K+283inCkg@mail.gmail.com>
In-Reply-To: <CAGL6epJ=dQw9FZS7aUX3B6oLJUw-s9+ARMbrjjZ0K+283inCkg@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/KMSKWDLe3StZZwMhhFAC69La1dw>
Subject: Re: [http-auth] Fwd: New Version Notification for draft-yusef-httpauth-srp-scheme-00.txt
Dear Rifaat,

I'm happy to see some interest in using strong PAKE-based cryptography for HTTP authentication, but I also have several questions/concerns about your current proposal. I'll first express my general questions and suggestions, followed by my technical reviews and suggestions in a separate email.

Could you tell us why you think this proposal is needed? Is there any specific request for this technology in this form, or is it just a general motivation for PAKE to be used in HTTP?

I have been designing Mutual auth as a general framework for augmented PAKE-based HTTP authentication, and implemented several mechanisms to let it work effectively. For example, the session key caching and replay-preventing nonce-counter is a key mechanism to avoid heavy public-key cryptographic operations in every request-response pair.

If you have no specific reasons for implementing SRP in that specific form, I recommend trying to write it as an additional authentication algorithm for the Mutual scheme. It will avoid re-inventing many required wheels for effective use of heavy PAKE mechanisms, which your draft currently lacks.

# After finishing (a significant portion of) my own work for Mutual auth,
# I could possibly be able to volunteer to write an SRP-based auth algorithm
# for the Mutual scheme, to find out whether it will work successfully or not.

Also, I have to mention that we submitted our drafts first to the httpbis WG in 2012 as a chairs' requirement for including them as chartered discussion candidates. That's how the current HTTPAUTH WG was formed with the current candidates. I'm a little bit surprised to see this proposal in this time period. If we had seen it long before, I could have worked more on considering your specific requirements merged into the Mutual proposal.

# I also have asked several times for comments on the choice of
# PAKE variants for basic Mutual uses, without any strong
# suggestions for changing it from the current form.
Regards,
Yutaka

On 2015/06/01 0:53, Rifaat Shekh-Yusef wrote:
> Hi,
>
> Yaron and I have just submitted a draft that defines a new authentication
> scheme based on the SRP protocol, to be used with the HTTP Authentication
> Framework.
> We would appreciate any thoughts, reviews, and feedback on this document.
>
> Regards,
>  Rifaat
>
> ---------- Forwarded message ----------
> From: <internet-drafts@ietf.org>
> Date: Sun, May 31, 2015 at 11:48 AM
> Subject: New Version Notification for draft-yusef-httpauth-srp-scheme-00.txt
> To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Yaron Sheffer <yaronf.ietf@gmail.com>
>
> A new version of I-D, draft-yusef-httpauth-srp-scheme-00.txt
> has been successfully submitted by Rifaat Shekh-Yusef and posted to the
> IETF repository.
>
> Name:           draft-yusef-httpauth-srp-scheme
> Revision:       00
> Title:          HTTP Secure Remote Password (SRP) Authentication Scheme
> Document date:  2015-05-31
> Group:          Individual Submission
> Pages:          11
> URL:            https://www.ietf.org/internet-drafts/draft-yusef-httpauth-srp-scheme-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-yusef-httpauth-srp-scheme/
> Htmlized:       https://tools.ietf.org/html/draft-yusef-httpauth-srp-scheme-00
>
> Abstract:
>    This document defines an HTTP Authentication Scheme that is based on
>    the Secure Remote Password (SRP) protocol. The SRP protocol is an
>    Augmented Password Authenticated Key Exchange (PAKE) protocol
>    suitable for authenticating users and exchanging keys over an
>    untrusted network.
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
> _______________________________________________
> http-auth mailing list
> http-auth@ietf.org
> https://www.ietf.org/mailman/listinfo/http-auth

--
Yutaka OIWA, Ph.D.
Cyber Physical Architecture Research Group
Information Technology Research Institute
National Institute of Advanced Industrial Science and Technology (AIST)
Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]
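The mail above names two mechanisms that let a PAKE-based HTTP scheme avoid public-key work on every request: a cached per-session key, and a replay-preventing nonce-counter. The following Python is an added illustration of how those two pieces fit together on the server side; it is not code from this thread, from the Mutual scheme's specification, or from the SRP draft. The MAC input format, the `nc` field name, the session identifier and the 32-entry sliding window are assumptions chosen for the example, not the Mutual scheme's actual wire format.

```python
"""
Illustration (not the Mutual scheme's real format) of per-request
authentication with a cached session key and a nonce-counter replay check.
"""
import hashlib
import hmac

WINDOW_SIZE = 32  # assumption: how far behind the highest accepted counter we still accept


class ReplayWindow:
    """Sliding-window replay detector over a client-chosen increasing counter.

    Bit i of `bitmap` is set once counter (highest - i) has been accepted, so
    out-of-order delivery (e.g. pipelined requests) is tolerated inside the
    window while any exact repeat is rejected.
    """

    def __init__(self, size: int = WINDOW_SIZE) -> None:
        self.size = size
        self.highest = 0   # highest counter accepted so far (0 = none yet)
        self.bitmap = 0

    def check_and_mark(self, nc: int) -> bool:
        """Return True and record nc if it is fresh; False if replayed or too old."""
        if nc <= 0:
            return False
        mask = (1 << self.size) - 1
        if nc > self.highest:
            # Slide forward: every remembered counter becomes `shift` positions older.
            shift = nc - self.highest
            self.bitmap = ((self.bitmap << shift) & mask) | 1
            self.highest = nc
            return True
        diff = self.highest - nc
        if diff >= self.size:
            return False            # older than the window: treat as a replay
        if self.bitmap & (1 << diff):
            return False            # exact repeat inside the window
        self.bitmap |= 1 << diff
        return True


def request_mac(session_key: bytes, nc: int, method: str, path: str, body: bytes) -> str:
    """HMAC binding the counter to the request it authenticates (constructed format)."""
    msg = b"|".join([str(nc).encode(), method.encode(), path.encode(),
                     hashlib.sha256(body).digest()])
    return hmac.new(session_key, msg, hashlib.sha256).hexdigest()


class Server:
    """Caches session keys so that no public-key operation is needed per request."""

    def __init__(self) -> None:
        self._sessions: dict[str, tuple[bytes, ReplayWindow]] = {}

    def cache_session(self, sid: str, session_key: bytes) -> None:
        # In a real deployment this key is the output of the PAKE run.
        self._sessions[sid] = (session_key, ReplayWindow())

    def verify(self, sid: str, nc: int, method: str, path: str, body: bytes, mac: str) -> bool:
        sess = self._sessions.get(sid)
        if sess is None:
            return False
        key, window = sess
        expected = request_mac(key, nc, method, path, body)
        # Verify the MAC before touching the window so that an unauthenticated
        # sender cannot advance or burn counters.
        if not hmac.compare_digest(expected, mac):
            return False
        return window.check_and_mark(nc)


def demo() -> dict[str, bool]:
    """Constructed exchange: fresh, replayed, out-of-order and forged requests."""
    key = bytes(range(32))                    # constructed stand-in for the PAKE-derived key
    srv = Server()
    srv.cache_session("sess-1", key)

    def send(nc, method="GET", path="/resource", body=b"", key_used=key):
        return srv.verify("sess-1", nc, method, path, body,
                          request_mac(key_used, nc, method, path, body))

    return {
        "first": send(1),
        "replay_same_nc": send(1),            # identical request again: rejected
        "skip_ahead": send(3),
        "late_but_fresh": send(2),            # arrives after 3 but never seen: accepted
        "late_replay": send(2),
        "forged_mac": send(4, key_used=b"wrong-key" * 4),
        "jump_to_40": send(40),
        "too_old_never_seen": send(5),        # 35 behind the highest: outside the window
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'accepted' if ok else 'rejected'}")
```

The ordering in `verify` matters: the MAC is checked first so that only the legitimate key holder can move the window, and `compare_digest` is used so the comparison is not a timing side channel. The window bitmap is what lets a client pipeline several requests without the server rejecting the ones that arrive slightly out of order.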