IETF Logo Mail Archive

Re: [http-auth] Richard Barnes' Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)

Paul Hoffman <paul.hoffman@vpnc.org> Thu, 08 January 2015 01:19 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 926051AC3C0; Wed, 7 Jan 2015 17:19:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cDmvXQy0XaNU; Wed, 7 Jan 2015 17:19:23 -0800 (PST)
Received: from proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E21401A87D5; Wed, 7 Jan 2015 17:19:22 -0800 (PST)
Received: from [10.20.30.90] (50-1-98-91.dsl.dynamic.fusionbroadband.com [50.1.98.91]) (authenticated bits=0) by proper.com (8.15.1/8.14.7) with ESMTPSA id t081JIfi071944 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 7 Jan 2015 18:19:19 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: proper.com: Host 50-1-98-91.dsl.dynamic.fusionbroadband.com [50.1.98.91] claimed to be [10.20.30.90]
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <20150108002015.24345.3508.idtracker@ietfa.amsl.com>
Date: Wed, 07 Jan 2015 17:19:18 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <CAEB21E0-EF1C-4F48-8434-1B85AEC3C113@vpnc.org>
References: <20150108002015.24345.3508.idtracker@ietfa.amsl.com>
To: Richard Barnes <rlb@ipv.sx>
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/WFODywuWjezRbJLI8pH6O8JaQ2M
Cc: draft-ietf-httpauth-hoba.all@tools.ietf.org, http-auth@ietf.org, httpauth-chairs@tools.ietf.org, The IESG <iesg@ietf.org>
Subject: Re: [http-auth] Richard Barnes' Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jan 2015 01:19:24 -0000

On Jan 7, 2015, at 4:20 PM, Richard Barnes <rlb@ipv.sx> wrote:
> (1) It does not seem to me that the mechanism defined in this document
> actually conforms to the framework for HTTP authentication.  The general
> framework defined in RFC 7235 is all scoped to a resource -- you can
> implement authorization for a specific resource, without impacting
> anything else on the server.  HOBA, by contrast, requires the
> authenticating resource to be also be correlated to several resource
> under .well-known, meaning that it will not be usable in a large number
> of deployment circumstances.  Was this issue discussed in the WG, and was
> there input from the broader HTTP community?

Yes and yes. (Stephen is wrong that it was not.) The "authenticating resource" in HOBA is purposely more expressive than that in RFC 7235, and thus takes more primitives than HTTP auth. There was plenty of WG discussion around this.


> (2) What is your justification for using a SHA-1 based signature in a new
> protocol, when it is being actively deprecated elsewhere, in particular
> the web PKI?

RSA-SHA1 is widely implemented, and thus it seemed appropriate for a MAY-level definition when there is a more popular algorithm (RSA-SHA256) at MUST-level. Until RSA-SHA1 is a "MUST NOT" everywhere, there is no danger to having it here.

> (3) "RSA modulus lengths of at least 2048 bits SHOULD be used." -> MUST

There is no interoperability mandate for particular RSA key lengths, so "SHOULD" is more appropriate here (until the IESG finally gets around to updating RFC 2119...).

> (4) Given that the size of the header seems to be a concern (since you're
> not passing the key in the header), why are there no ECC signing
> algorithms defined?  It seems like if you used any of the normal curves,
> you could comfortably pass the key along with the authentication value.

Because there is not yet agreement on which ECC signing algorithms are likely to be popular in a year or two. We're watching the CFRG discussion, and it is not yet coming to consensus. When it does, this Experimental RFC can be updated.

> (5) For that matter, why bother defining a new algorithm registry at all,
> when JWA provides a perfectly nice one that only costs you 4 characters.

We did not want to be tied to the JWA registry, given that JOSE could go in quite different directions.

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> The HOBA-TBS construction seems really unnecessarily complicated.  Other
> than in the "origin" component, there are no ":" characters allowed in
> any of the components, so if you could remove the unnecessarily pretty
> serialization of the origin, you could just use ':' as a delimiter.  Or
> leave the origin, and delimit with something like %x20.  Either way, this
> length construction seems like a pain to implement by comparison.

We started with a less complex construction, and the WG specifically asked for this.

> "alg = 1*2DIGIT" - In general, it seems unwise to limit code point spaces
> unnecessarily.

It is also unwise to have more than 99 possible algorithms for signing.

> In addition to the funny title of Section 6.2.2, the contents seem kind
> of risible as well.  Making a OTP is 100% equivalent to the mechanism
> recommended in Section 6.2.3, and arguably more likely to deploy (since
> the OTP doesn't have special semantics of being a URI).

There is wide disagreement on what is more likely to deploy. Also, I'm pretty sure Stephen is correct about your view on OTP here.

> Please update the algorithms so that the reader doesn't have to go look
> up which algorithm this is (PKCS1 vs. PSS).
> 
> OLD: "RSA is defined in Section 8.2 of [RFC3447]" 
> 
> NEW: "RSA indicates the RSASSA-PKCS1-v1_5 defined in Section 8.2 of
> [RFC3447]"

Sounds good; now fixed in the post-IESG version.

> Given how convoluted the use case is here, an example would be very
> helpful.  At the very least to demonstrate the syntax of the
> WWW-Authenticate header.

This doesn't seem all that needed, regardless of your view of convolution.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email