[http-auth] Richard Barnes' Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)
"Richard Barnes" <rlb@ipv.sx> Thu, 08 January 2015 00:20 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58B721AC39E; Wed, 7 Jan 2015 16:20:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P0l6vbWZEkuK; Wed, 7 Jan 2015 16:20:17 -0800 (PST)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 40E7D1AC39A; Wed, 7 Jan 2015 16:20:15 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Richard Barnes <rlb@ipv.sx>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 5.10.0.p5
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150108002015.24345.3508.idtracker@ietfa.amsl.com>
Date: Wed, 07 Jan 2015 16:20:15 -0800
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/LdtNdoyyqiCjMobK-v8wXg2O8j4
Cc: draft-ietf-httpauth-hoba.all@tools.ietf.org, http-auth@ietf.org, httpauth-chairs@tools.ietf.org
Subject: [http-auth] Richard Barnes' Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jan 2015 00:20:19 -0000
Richard Barnes has entered the following ballot position for draft-ietf-httpauth-hoba-09: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: http://datatracker.ietf.org/doc/draft-ietf-httpauth-hoba/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- (1) It does not seem to me that the mechanism defined in this document actually conforms to the framework for HTTP authentication. The general framework defined in RFC 7235 is all scoped to a resource -- you can implement authorization for a specific resource, without impacting anything else on the server. HOBA, by contrast, requires the authenticating resource to be also be correlated to several resource under .well-known, meaning that it will not be usable in a large number of deployment circumstances. Was this issue discussed in the WG, and was there input from the broader HTTP community? (2) What is your justification for using a SHA-1 based signature in a new protocol, when it is being actively deprecated elsewhere, in particular the web PKI? (3) "RSA modulus lengths of at least 2048 bits SHOULD be used." -> MUST (4) Given that the size of the header seems to be a concern (since you're not passing the key in the header), why are there no ECC signing algorithms defined? It seems like if you used any of the normal curves, you could comfortably pass the key along with the authentication value. (5) For that matter, why bother defining a new algorithm registry at all, when JWA provides a perfectly nice one that only costs you 4 characters. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- The HOBA-TBS construction seems really unnecessarily complicated. Other than in the "origin" component, there are no ":" characters allowed in any of the components, so if you could remove the unnecessarily pretty serialization of the origin, you could just use ':' as a delimiter. Or leave the origin, and delimit with something like %x20. Either way, this length construction seems like a pain to implement by comparison. "alg = 1*2DIGIT" - In general, it seems unwise to limit code point spaces unnecessarily. In addition to the funny title of Section 6.2.2, the contents seem kind of risible as well. Making a OTP is 100% equivalent to the mechanism recommended in Section 6.2.3, and arguably more likely to deploy (since the OTP doesn't have special semantics of being a URI). Please update the algorithms so that the reader doesn't have to go look up which algorithm this is (PKCS1 vs. PSS). OLD: "RSA is defined in Section 8.2 of [RFC3447]" NEW: "RSA indicates the RSASSA-PKCS1-v1_5 defined in Section 8.2 of [RFC3447]" Given how convoluted the use case is here, an example would be very helpful. At the very least to demonstrate the syntax of the WWW-Authenticate header.
- [http-auth] Richard Barnes' Discuss on draft-ietf… Richard Barnes
- Re: [http-auth] Richard Barnes' Discuss on draft-… Stephen Farrell
- Re: [http-auth] Richard Barnes' Discuss on draft-… Paul Hoffman
- Re: [http-auth] Richard Barnes' Discuss on draft-… Stephen Farrell
- Re: [http-auth] Richard Barnes' Discuss on draft-… Richard Barnes
- Re: [http-auth] Richard Barnes' Discuss on draft-… Stephen Farrell
- Re: [http-auth] Richard Barnes' Discuss on draft-… Richard Barnes
- Re: [http-auth] Richard Barnes' Discuss on draft-… Stephen Farrell
- Re: [http-auth] Richard Barnes' Discuss on draft-… Kathleen Moriarty
- Re: [http-auth] Richard Barnes' Discuss on draft-… Stephen Farrell
- Re: [http-auth] Richard Barnes' Discuss on draft-… Kathleen Moriarty
- Re: [http-auth] Richard Barnes' Discuss on draft-… Stephen Farrell
- Re: [http-auth] Richard Barnes' Discuss on draft-… Julian Reschke
- Re: [http-auth] Richard Barnes' Discuss on draft-… Barry Leiba
- Re: [http-auth] Richard Barnes' Discuss on draft-… Richard Barnes
- Re: [http-auth] Richard Barnes' Discuss on draft-… Julian Reschke