IETF Logo Mail Archive

Re: [http-auth] I-D Action: draft-morand-http-digest-2g-aka-03.txt

<lionel.morand@orange.com> Wed, 04 September 2013 12:52 UTC

Return-Path: <lionel.morand@orange.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 209BC21F92B8 for <http-auth@ietfa.amsl.com>; Wed, 4 Sep 2013 05:52:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.394
X-Spam-Level:
X-Spam-Status: No, score=-2.394 tagged_above=-999 required=5 tests=[AWL=0.204, BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KVXzL+QWxC3p for <http-auth@ietfa.amsl.com>; Wed, 4 Sep 2013 05:52:19 -0700 (PDT)
Received: from relais-inet.francetelecom.com (relais-ias91.francetelecom.com [193.251.215.91]) by ietfa.amsl.com (Postfix) with ESMTP id A0BED21F92A5 for <http-auth@ietf.org>; Wed, 4 Sep 2013 05:52:18 -0700 (PDT)
Received: from omfedm07.si.francetelecom.fr (unknown [xx.xx.xx.3]) by omfedm10.si.francetelecom.fr (ESMTP service) with ESMTP id AA16C264123; Wed, 4 Sep 2013 14:52:17 +0200 (CEST)
Received: from Exchangemail-eme1.itn.ftgroup (unknown [10.114.1.186]) by omfedm07.si.francetelecom.fr (ESMTP service) with ESMTP id 8CD0F4C060; Wed, 4 Sep 2013 14:52:17 +0200 (CEST)
Received: from PEXCVZYM13.corporate.adroot.infra.ftgroup ([fe80::cc7e:e40b:42ef:164e]) by PEXCVZYH01.corporate.adroot.infra.ftgroup ([::1]) with mapi id 14.02.0328.009; Wed, 4 Sep 2013 14:52:17 +0200
From: lionel.morand@orange.com
To: Yaron Sheffer <yaronf.ietf@gmail.com>, Yoav Nir <ynir@checkpoint.com>
Thread-Topic: [http-auth] I-D Action: draft-morand-http-digest-2g-aka-03.txt
Thread-Index: AQHOqO0x4VUH1Q04oE6/Sjwm6AIdUZm1XyZA
Date: Wed, 04 Sep 2013 12:52:16 +0000
Message-ID: <22825_1378299137_52272D01_22825_6326_1_6B7134B31289DC4FAF731D844122B36E262094@PEXCVZYM13.corporate.adroot.infra.ftgroup>
References: <20130121181639.10474.27297.idtracker@ietfa.amsl.com> <5225E5BD.9040306@ieca.com> <D4896BEB-F6BA-4712-8345-96CA945020FC@checkpoint.com> <52265596.9090604@gmail.com>
In-Reply-To: <52265596.9090604@gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.197.38.3]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-PMX-Version: 5.6.1.2065439, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2013.9.4.120616
X-Mailman-Approved-At: Wed, 04 Sep 2013 05:55:05 -0700
Cc: "<http-auth@ietf.org>" <http-auth@ietf.org>
Subject: Re: [http-auth] I-D Action: draft-morand-http-digest-2g-aka-03.txt
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Sep 2013 12:52:32 -0000

Hi Yaron,

I was assuming that the TLS specific requirements could have been left out of this document, as these requirements/recommendations can be found in other documents (e.g. RFCs or 3GPP specifications) and it is assumed that people using such TLS certificate-based server authentication will refer to them. 

In the mobile context, it is assumed that the client uses a preconfigured list of trusted root certificates for server certificate validation. The use of a small set of CAs trusted by the home mobile operator limits the risk of root certificates associated with a compromised CA.

I don't know if such details are needed in the doc. What would be your recommendation?

About Independent Submission vs. WG document, as I said, I have no strong opinion. It was concluded that the mechanism was maybe too specific to be part of the new httpauth WG charter. The same conclusion was reached about the discussion on moving RFC3310 (Digest 3G AKA) from informational to Proposed Standard RFCs. There was no intention to bypass any specific expertise. The idea is just to document within IETF the Digest 2G AKA mechanism, as a companion of the RFC3310.

Regards,

Lionel

-----Message d'origine-----
De : Yaron Sheffer [mailto:yaronf.ietf@gmail.com] 
Envoyé : mardi 3 septembre 2013 23:33
À : Yoav Nir
Cc : Sean Turner; <http-auth@ietf.org>; MORAND Lionel IMT/OLN
Objet : Re: [http-auth] I-D Action: draft-morand-http-digest-2g-aka-03.txt

While I agree with Yoav that this draft requires expertise that we 
(httpauth) probably do not have, I also have a major issue with the draft.

Although TLS is proposed as a solution for mutual auth, there are no 
requirements on the server's identity and so there is no way specified 
to actually authenticate the server.

As a result, I suspect that this method can be used by a MITM attacker 
to impersonate another IMSI ("user" in common terms) for regular 
AKA-based authentication.

Thanks,
	Yaron

On 09/03/2013 08:39 PM, Yoav Nir wrote:
> Hi Sean,
>
> Looking over the discussion in httpbis ([1]), it's not clear to me whether this is documenting existing practice or whether it's proposing a new method. Either way, this method seems specific to a domain, where I believe the author has much more expertise than people in the working group. I am personally fine with it proceeding as an independent submission. I would also be fine with the working group discussing this, but I don't know how much value we could add.
>
> Yoav (with no hats)
> [1] http://lists.w3.org/Archives/Public/ietf-http-wg/2012AprJun/0375.html
>
> On Sep 3, 2013, at 4:35 PM, Sean Turner <turners@ieca.com> wrote:
>
>> Hi!
>>
>> The following draft is currently on the IESG telechat for next week and as part of the process an AD does what's called and "RFC 5742 review", which is basically a check to see if there's been an endrun on the process.   This draft has been around for a while and I know it was at least discussed on the httpbis wg mailing list in early '12 (and maybe even earlier), but that was before the httpauth working group was chartered.  So I gotta ask: Is this something that the working group should consider adopting?
>>
>> spt
>> -------- Original Message --------
>> Subject: I-D Action: draft-morand-http-digest-2g-aka-03.txt
>> Date: Mon, 21 Jan 2013 10:16:39 -0800
>> From: internet-drafts@ietf.org
>> Reply-To: internet-drafts@ietf.org
>> To: i-d-announce@ietf.org
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>
>>
>> 	Title           : Hypertext Transfer Protocol (HTTP) Digest Authentication Using GSM 2G Authentication and Key Agreement (AKA)
>> 	Author(s)       : Lionel Morand
>> 	Filename        : draft-morand-http-digest-2g-aka-03.txt
>> 	Pages           : 15
>> 	Date            : 2013-01-21
>>
>> Abstract:
>>    This memo specifies a one-time password generation mechanism for
>>    Hypertext Transfer Protocol (HTTP) Digest access authentication based
>>    on Global System for Mobile Communications (GSM) authentication and
>>    key generation functions A3 and A8, also known as GSM AKA or 2G AKA.
>>    The HTTP Authentication Framework includes two authentication
>>    schemes: Basic and Digest.  Both schemes employ a shared secret based
>>    mechanism for access authentication.  The GSM AKA mechanism performs
>>    user authentication and session key distribution in GSM and Universal
>>    Mobile Telecommunications System (UMTS) networks.  GSM AKA is a
>>    challenge-response based mechanism that uses symmetric cryptography.
>>
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-morand-http-digest-2g-aka
>>
>> There's also a htmlized version available at:
>> http://tools.ietf.org/html/draft-morand-http-digest-2g-aka-03
>>
>> A diff from the previous version is available at:
>> http://www.ietf.org/rfcdiff?url2=draft-morand-http-digest-2g-aka-03
>>
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> I-D-Announce mailing list
>> I-D-Announce@ietf.org
>> https://www.ietf.org/mailman/listinfo/i-d-announce
>> Internet-Draft directories: http://www.ietf.org/shadow.html
>> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>>
>>
>>
>> _______________________________________________
>> http-auth mailing list
>> http-auth@ietf.org
>> https://www.ietf.org/mailman/listinfo/http-auth
>
> _______________________________________________
> http-auth mailing list
> http-auth@ietf.org
> https://www.ietf.org/mailman/listinfo/http-auth
>

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

v2.23.0 | Report a Bug | By Email