Re: [http-auth] FW: New Version Notification for draft-woodworth-json-http-auth-00.txt

"Manger, James" <> Mon, 06 March 2017 02:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9946B12955F for <>; Sun, 5 Mar 2017 18:44:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6_7z8JIjamvY for <>; Sun, 5 Mar 2017 18:44:55 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 374DD12943B for <>; Sun, 5 Mar 2017 18:44:54 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.35,251,1483966800"; d="scan'208";a="140398708"
Received: from unknown (HELO ([]) by with ESMTP; 06 Mar 2017 13:44:51 +1100
X-IronPort-AV: E=McAfee;i="5800,7501,8458"; a="315987459"
Received: from ([]) by with ESMTP; 06 Mar 2017 13:44:51 +1100
Received: from ( by ( with Microsoft SMTP Server (TLS) id 8.3.485.1; Mon, 6 Mar 2017 13:44:50 +1100
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1236.3; Mon, 6 Mar 2017 13:44:00 +1100
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1236.3 via Frontend Transport; Mon, 6 Mar 2017 13:44:00 +1100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-team-telstra-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Px39bsKZPtzciAPToXbmWYlYAClpvjZk8iL/BbNqBCY=; b=lkb+ufEi5+C+WtHqoui7DZGKtuHzsdDqPVkPepN33BJyMIKHkudEMK64omJxupNX1pgdNaPwARqpKGfYgmzWbs3vxqaO3XPf+5acwclgBPUendUp7gbAGScuVPf5omrvHcg05UN2LUlZ3JmOG3HfvFZk8kVNG97SVlcJJtIzt5k=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.12; Mon, 6 Mar 2017 02:44:00 +0000
Received: from ([]) by ([]) with mapi id 15.01.0947.018; Mon, 6 Mar 2017 02:44:00 +0000
From: "Manger, James" <>
To: "Woodworth, John R" <>, "" <>
Thread-Topic: [http-auth] FW: New Version Notification for draft-woodworth-json-http-auth-00.txt
Thread-Index: AdKWIe47Nsjve9cLQxGv18uJXOQWaA==
Date: Mon, 06 Mar 2017 02:44:00 +0000
Message-ID: <>
Accept-Language: en-AU, en-US
Content-Language: en-US
authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
x-originating-ip: []
x-ms-office365-filtering-correlation-id: 54c87e40-16c4-4a7d-36db-08d4643aa4df
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:SYXPR01MB1615;
x-microsoft-exchange-diagnostics: 1; SYXPR01MB1615; 7:VA633BKTFPnSA4Vo9ih+ttCZrzuVH01qdIfc4pOTtNyiO8mzWBcjxw0y64il3ixFec5KckMaWoCaPcoZvqeZcTz0eALfoKrMoeoQN//uonxnlPMydFfc+bpg6rr73lJJHsfE+CfnrGIp7NWH74d7gj0RlxVuZi9VSsaEw/Sbi7A0Le80bsvEwJ64bmowx8tlJqCFFI1Ke221vexP/BBpu0YweAJ2T1acKTicDkz4TSqPKHgBs2eNlIa/4d9Stc/CDDOUkgxzSCxrAe0jnl5lmyujTxAS0OtNDI51miqt9RCUtsplaIzFqpesjmJ4UIovmvUkL+GGSllytbqICF7TKA==
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(158342451672863)(120809045254105);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6041248)(20161123558025)(20161123564025)(20161123562025)(20161123560025)(20161123555025)(6072148); SRVR:SYXPR01MB1615; BCL:0; PCL:0; RULEID:; SRVR:SYXPR01MB1615;
x-forefront-prvs: 0238AEEDB0
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39450400003)(15594002)(377424004)(13464003)(377454003)(4326008)(5660300001)(38730400002)(3280700002)(305945005)(50986999)(86362001)(54356999)(66066001)(3660700001)(2900100001)(8676002)(81166006)(74316002)(53546006)(189998001)(8936002)(7696004)(2906002)(15650500001)(77096006)(6506006)(33656002)(7736002)(42882006)(2501003)(5890100001)(551544002)(53936002)(6436002)(55016002)(99286003)(9686003)(6306002)(230783001)(102836003)(92566002)(25786008)(3846002)(6116002)(122556002); DIR:OUT; SFP:1102; SCL:1; SRVR:SYXPR01MB1615;; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Mar 2017 02:44:00.1961 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 49dfc6a3-5fb7-49f4-adea-c54e725bb854
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SYXPR01MB1615
Archived-At: <>
Cc: "Ballew, Dean" <>
Subject: Re: [http-auth] FW: New Version Notification for draft-woodworth-json-http-auth-00.txt
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: HTTP authentication methods <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 06 Mar 2017 02:44:58 -0000

The "password" variant sends the same info as BASIC, just with a different syntax. It is hard to see the point. Surely a normal BASIC header could be passed to client-side scripting just as easily as a re-formatted version?

The "challenge" variant looks like it is trying to mimic the DIGEST scheme, with a different syntax, and with the crypto applied slightly differently. The crypto changes look more dangerous than helpful. DIGEST at least separated the concepts of a Hash from a MAC (Keyed Digest), even if the latter used the former in too simple a way. In DIGEST the password is hashed with the username and realm to form a secret key, but not in "challenge". A new spec today should use a proper MAC algorithm, such as HMAC.

Quirks from DIGEST seem to be repeated in "challenge", such as separate "nonce" and "opaque" members despite both being: chosen by the server; opaque to the client; hashed into the response; and returned to the server.

The highly recommended "nonce" construction looks poor. A 36-char random UUID just to provide uniqueness within the 10µs window of the time component (eg 1488442706.13154) is overkill. Hashing a concatenation of nonce parts and a secret is the sort of ad hoc crypto that should be avoided. Use a proper MAC algorithm instead.

JSON has arrays so why not use an array for the "algorithms" member, instead of a comma-separated string with a rule to ignore whitespace?

The mix of base64, lowercase-hex, and UUID encoding; plus commas, slashes, hyphens, and colons as separators is a bit messy.

Suggesting window.AuthHandler() as a place to host handlers (without specifying actual APIs) sounds like it will ruin this place for use once something interoperable is actually defined.

Your pretty JSON format with commas at the start of the next line (instead of the end of the previous line) is a cute convention.
         "type"     : "password"
        ,"username" : "MyUser"
        ,"password" : "MyPassword"
James Manger

-----Original Message-----
From: http-auth [] On Behalf Of Woodworth, John R
Sent: Friday, 3 March 2017 8:17 PM
Cc: Ballew, Dean <>
Subject: [http-auth] FW: New Version Notification for draft-woodworth-json-http-auth-00.txt


I understand this is late to the party but was hoping some of you may have time to review our new draft.  We welcome any questions, comments and assistance from the group.

-----Original Message-----
From: []

A new version of I-D, draft-woodworth-json-http-auth-00.txt
has been successfully submitted by John Woodworth and posted to the IETF repository.

Name:           draft-woodworth-json-http-auth
Revision:       00
Title:          HTTP Authentication - |JSON| Scheme
Document date:  2017-02-28
Group:          Individual Submission
Pages:          17

   The |JSON| authentication scheme provides a mechanism for exchanging
   authentication challenges and credentials as objects in the form of
   JavaScript Object Notation (JSON).  This scheme offers a secure
   mechanism of providing authenticated access to a set of protected
   HTTP resources which may be handled by scripting utility framework as
   in XMLHttpRequest calls (AJAX) or directly by the client's user
   agent.  This chaining feature is unique to this scheme.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at

The IETF Secretariat

This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
http-auth mailing list