Re: [http-auth] Why update Digest Auth?
Yoav Nir <ynir@checkpoint.com> Mon, 22 July 2013 09:25 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A610E21F9E6E for <http-auth@ietfa.amsl.com>; Mon, 22 Jul 2013 02:25:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.557
X-Spam-Level:
X-Spam-Status: No, score=-10.557 tagged_above=-999 required=5 tests=[AWL=0.042, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fFq4LvIY7s9A for <http-auth@ietfa.amsl.com>; Mon, 22 Jul 2013 02:25:34 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id E57F011E8109 for <http-auth@ietf.org>; Mon, 22 Jul 2013 02:17:24 -0700 (PDT)
Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r6M9GuB3005010; Mon, 22 Jul 2013 12:16:56 +0300
X-CheckPoint: {51ECF888-1E-1B221DC2-1FFFF}
Received: from DAG-EX10.ad.checkpoint.com ([169.254.3.48]) by IL-EX10.ad.checkpoint.com ([169.254.2.91]) with mapi id 14.02.0342.003; Mon, 22 Jul 2013 12:16:56 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, HTTP Auth WG <http-auth@ietf.org>
Thread-Topic: [http-auth] Why update Digest Auth?
Thread-Index: AQHOhWbnTRKd/bWOG0ubR0Cbu4hLSJlwa0vg
Date: Mon, 22 Jul 2013 09:16:56 +0000
Message-ID: <4613980CFC78314ABFD7F85CC302772111A9EE0E@DAG-EX10.ad.checkpoint.com>
References: <51EABBDB.2090401@gmail.com>
In-Reply-To: <51EABBDB.2090401@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [91.90.139.27]
x-kse-antivirus-interceptor-info: protection disabled
x-cpdlp: 1119a33acaa4650251d6ca97824121e5e2436bdda9
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [http-auth] Why update Digest Auth?
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jul 2013 09:25:42 -0000
I'm not totally opposed, but if we replace Digest with some ZKPP, it's not Digest any more. Two of our experimental drafts are "better digests" - MutualAuth and SCRAM. MutualAuth is mature, has implementations, and I don't see why it shouldn't be ready to progress almost as fast as Digest. Do you think that enterprises would require "Digest" rather than "MutualAuth" or "SCRAM" just because it's called "Digest"? Hopefully these new methods will also support international user names and passwords (because specifying a user authentication method is 2013 that does not support non-English names is even sillier than specifying one that relies on MD5 for security). Then it's up to the enterprises to decide what they want to require vendors to implement. Yoav -----Original Message----- From: http-auth-bounces@ietf.org [mailto:http-auth-bounces@ietf.org] On Behalf Of Yaron Sheffer Sent: Saturday, July 20, 2013 7:34 PM To: HTTP Auth WG Subject: [http-auth] Why update Digest Auth? Sorry for questioning the group's charter, but this keeps bugging me: I'm assuming this WG will publish two Standards Track RFCs, updating Basic and Digest Auth. And a pile of Experimental RFCs with all sorts of lovely state-of-the-art crypto. Enterprises will require vendors to implement the updated Basic and Digest, and in a few years' time we will end up with the worlds' browsers and Web servers supporting Basic and Digest Auth with I18N and (for Digest) crypto agility. Almost nobody will implement the other drafts. In addition, the websec WG will hopefully work on "session continuation", which will extend the authentication to the whole session in a better way than cookies, and will provide channel binding. Assuming much of the Internet's traffic will remain unencrypted for years, this will be "good enough" security for this traffic. But, it won't work with Digest (because it is not "key generating", to borrow an EAP term). Now my question: we are telling implementors to upgrade Digest to gain I18N (and the algorithm agility, which in this case is mostly security theater, because when using short passwords we remain vulnerable to a dictionary attack anyway). Why not tell them *instead* to move to Digest-v2, which is dictionary attack resistant? Digest-v2 could be based on EKE or SRP, or maybe on draft-oiwa-http-mutualauth, and will support session continuation. Seems to me this would be a much better use of our time, as well as implementors' energy. Thanks, Yaron
- [http-auth] Why update Digest Auth? Yaron Sheffer
- Re: [http-auth] Why update Digest Auth? Henry B. Hotz
- Re: [http-auth] Why update Digest Auth? Stephen Farrell
- Re: [http-auth] Why update Digest Auth? Yoav Nir
- Re: [http-auth] Why update Digest Auth? Rifaat Shekh-Yusef
- Re: [http-auth] Why update Digest Auth? Paul Hoffman
- Re: [http-auth] Why update Digest Auth? Yaron Sheffer
- Re: [http-auth] Why update Digest Auth? Yaron Sheffer
- Re: [http-auth] Why update Digest Auth? Yaron Sheffer
- Re: [http-auth] Why update Digest Auth? Rifaat Shekh-Yusef