Re: [http-auth] Fwd: New Version Notification for draft-yusef-httpauth-srp-scheme-00.txt
Yutaka OIWA <y.oiwa@aist.go.jp> Mon, 20 July 2015 12:22 UTC
Return-Path: <y.oiwa@aist.go.jp>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EA931A702F for <http-auth@ietfa.amsl.com>; Mon, 20 Jul 2015 05:22:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.401
X-Spam-Level:
X-Spam-Status: No, score=-1.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_ABOUTYOU=0.5, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2I2lehZH1Rro for <http-auth@ietfa.amsl.com>; Mon, 20 Jul 2015 05:22:35 -0700 (PDT)
Received: from APC01-SG2-obe.outbound.protection.outlook.com (mail-sg2apc01on0040.outbound.protection.outlook.com [104.47.125.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C9C21A700D for <http-auth@ietf.org>; Mon, 20 Jul 2015 05:22:34 -0700 (PDT)
Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;
Received: from [IPv6:2001:df8:f00:364:928:65f:455b:3c7c] (2001:df8:f00:364:928:65f:455b:3c7c) by KAWPR01MB0194.jpnprd01.prod.outlook.com (10.161.27.16) with Microsoft SMTP Server (TLS) id 15.1.213.14; Mon, 20 Jul 2015 12:22:24 +0000
Message-ID: <55ACE7F4.4060006@aist.go.jp>
Date: Mon, 20 Jul 2015 21:22:12 +0900
From: Yutaka OIWA <y.oiwa@aist.go.jp>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
References: <20150531154835.3639.52041.idtracker@ietfa.amsl.com> <CAGL6epJ=dQw9FZS7aUX3B6oLJUw-s9+ARMbrjjZ0K+283inCkg@mail.gmail.com> <55ACB208.6000208@aist.go.jp> <CAGL6ep+Nt1KmBGyXH409Oo2T-vLmNSF1GxXzhx=mMyjKQnSV_w@mail.gmail.com>
In-Reply-To: <CAGL6ep+Nt1KmBGyXH409Oo2T-vLmNSF1GxXzhx=mMyjKQnSV_w@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [2001:df8:f00:364:928:65f:455b:3c7c]
X-ClientProxiedBy: SN1PR07CA0022.namprd07.prod.outlook.com (25.162.170.160) To KAWPR01MB0194.jpnprd01.prod.outlook.com (25.161.27.16)
X-Microsoft-Exchange-Diagnostics: 1; KAWPR01MB0194; 2:/i5vfJAznP1jg0x1egE0V/hjr3zt0K8VtgZ9l4pd8TXKNTD1KLj/HvuGQ/2ROeeh; 3:0JI+1aH9u50jpmQiZlLeW+yJzhzcnS98ka4kCZ5IMH0q0V42Qyl89YiTZZHdRBb5Jxls1NNoYE70z7hPVBwNEWvIimS0RShUQjy38/BrHvW6TV78d7wA8cyOG0xoVJejPfNZOX2Jcj1vQstIJotJCA==; 25:18QPe3DlkkSNPQ68b8SV9d2oo0zg+sb4W3ET5FrQKn7hACoXdqeOvTyghlsc1fqA3L/vD8EYSGJXdesU39XKo+QJ/ew2kZVPP2z6Kw2LxaXaRxqhCaIUr3sU92k+yMM0Wsjaxzfkse6xrBmuH9xQab7xo5T77EXIjfud9uhE8bVs5aoUQuI0aKlRaq9kNeMako+fp07XGqTWkb1Xiky2v9nPExke6+nNVVkgk1b/IXjdrMhQ8TuE5MCYRDg8QHZo
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:KAWPR01MB0194;
X-Microsoft-Exchange-Diagnostics: 1; KAWPR01MB0194; 20:/secZ4MbDkmY4IIIrYGGowaH04MxQIGlNRdJB6kJLWNWUXjnBmVLIjJuFS9FamRAFEWGGOxqi8Esr6vtSX7HFPWMrUxP2nyRZdewovhTkHm3gPd2nwA05MRhgK0zDyAN8mRYEjRBrnJmkcZm9TH+PBi/TpkYYR0Hy4MFIEApfoSUQHNQMEdfl/NHC6eeyHY4dNUf2bVRU3230zZEz4ddN+1fPEWoaRpQFu0k0XPtXh7Vax4/OZUuV5oE3+9NQxWWOM0nJuqdsDBRj6JbLblHE5eHyKy5RMfTZJcaD3tpj9j1tv3IyCuFkHCxtd1NBx8Def2hmuBPh/EZXZroeX0ZzvA8D6T82xyOADDysKzIWXWBjwMQTBsfaTPNz4ngZOjLgGQti31scHZgfl9bHHE9U+9aLEFr/UQQ+uOV7e43b/AD6eeYu/b5Ac+FKRrngWr/a2hLId9xQTDV8a21NXlCGkPJQCT4fip8gnStCIN7QpOLnSyti8fy+lDPEDl1Suy+FtpgsOrQZ20nKCVffa0awvXjniN1rxOGb/4fbSyQwS0RK1wagZxnQZnG+B79G9UmrO2IYzz748vxnGov+opHPN82mElDt1bCKaEYkGBLVJI=; 4:KobrEMGdxossjFXRCW8moi1VuwYCvV+P1VpVKIduvrdZQ/ja2VqMazeLbyEIBzivRdaOVEOv6HTB0U5U94YLtq7YgLog48E6gQ/gDX0nYDRGcCxX91EB0fFyBrYiQf6TYIMEc4XjZX31K6/fPrLpVYZh9zLhOFWxVvwZoSpZkYwNqOiSVLeUpDKohNeNL7QJqOS7vpPjCk7qWzZjD9CeRH7tFPFfTcsB0D9BmtdCd+hbWjeAwttJJQxtU1RhoxnHPZiLnKBJbJDrcM+niG0vMg==
KAWPR01MB0194: X-MS-Exchange-Organization-RulesExecuted
X-Microsoft-Antispam-PRVS: <KAWPR01MB0194E8A2C4D5EDEC17D6D56BA0850@KAWPR01MB0194.jpnprd01.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(5005006)(3002001); SRVR:KAWPR01MB0194; BCL:0; PCL:0; RULEID:; SRVR:KAWPR01MB0194;
X-Forefront-PRVS: 0643BDA83C
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(6009001)(2473001)(479174004)(24454002)(377424004)(377454003)(50986999)(93886004)(86362001)(19580395003)(5001960100002)(50466002)(189998001)(36756003)(92566002)(59896002)(65806001)(74482002)(551544002)(83506001)(65956001)(42186005)(33656002)(15975445007)(47776003)(62966003)(122386002)(110136002)(87266999)(2950100001)(77096005)(46102003)(4001350100001)(19580405001)(77156002)(87976001)(40100003)(80316001)(230783001)(76176999)(54356999)(561944003)(23676002)(3826002); DIR:OUT; SFP:1101; SCL:1; SRVR:KAWPR01MB0194; H:[IPv6:2001:df8:f00:364:928:65f:455b:3c7c]; FPR:; SPF:None; MLV:sfv; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1;KAWPR01MB0194;23:HbiIybzzym58qnn8Z5UVPGkff1nFFfb0YAhV5hvrd9dEoxwkcOd5lS2BfJXNoMlOe5u0ziSpOLgEY6bBbLpb2+k3Q4NqRbmiG87SO20d0Xi/s8tzLdQtjaizST/gH8vmIMmO0XQfIKBvgAzVWPYeZh2sk40bnHXDJ2WTpo4rwYcrDpkS4Lvzk6OA7NzTohdzsz9aVmlrEUHecLaF0C+J6DARZGRXkn8ExP1PFD6A6ZTXwTRIgDqD0h7i/3sNKSvF7WXEDHb8x/RLeB6yvOHPRxfLOxtwXzzc3K8PvkG5Q+my8lOC0QClaw+E39+wdGotI3GItvm+KhPlACAlzshTzxfu46et5ODaWu6K+RcxVM7DvpiS1kVLbENljWxDOy+vHoSL79XNJ9s9pIa7Oz5a7y0WV9LUB1/hvYY9OUo+YhpBW+1zoLTkldE7W9P+TLJMBYXvjbMNRwFEFqopj/4J0aKy95zprb7yyvkIEXeMBMeRyONyYUdj9FK0ULybklzqk+YZLFq9kyHazjvxADv3QcqUJ19Uz/W/xA+p1OXite2AumQb2hRytsdCzhiBezjXN27sDOCkrzz9rHaM3luycT5oOAI6Lwdrgo+00kHU9/6ph4tngwPDzWq0KzncVQ1o7OCCePWtd5FVCUI3K5Bcf/zqPGT8+I+nJYwNs+C0Ks80RxEcynPu+uNdsI+DJAC4twGnN0yWJv+pZeE88JA0x+TV6wjR2CmX5nzfhLZGA29dUOnvYNG89U6bZePlw2yucDcQuEHJtvrIndxJaK5yO/wAtIe0mybjnD5a0kYwR+K/ygqEayyOW1ehLjH7+7dorH6EbnDLvf0p0Jl4pZbj4SGYfn6tM8Ur2Tru44ff+2+8rI7EDKayPhxUCMLnNP3ilCisyCg3WXG3Mu94XeDCm6kN3xcRfXxUbskqEeV/Rvf2HDO+vUt8pu1+NkOnNq/9qKDszyzpmB3Hqe4cRgtUyhgtzwRYL2rZ2waXfCHtHqjtD/oC75ySk/1MBIczEX+CExdrADBZs3dLsYJm3YqtF2YaTeomm3DMxS6ogaXgasWn8haH+ukhaTJCPDQJAuoWdz3qwdOtPRbmlCgW0UOqOq/BfoP0kd2gVk47+YGgeBLBrAgBekwBTOvOSWIGGFRH
X-Microsoft-Exchange-Diagnostics: 1; KAWPR01MB0194; 5:46852u43IZu4l8Pz+gmSyS6uFOmT8R5yZ6H9qT34f73CZxeesp+8LYTbnoN9/EEG4FLK8LiXkxXr2exDQVE3372hCcuDSyHR2FTFPwOREI8QKID1NxeaQsbC+KNvmNg+j0tL8DhxEBHBmgcayRwfyQ==; 24:6DL9oGvrSxXuRPUyTUujuHbnuq58BEtDZmV962MuHktbqEjPt1SmmZQwC8sHHQmM1t/WUUzLXrkpPEsxBZrgll1WS/pIMpndBGQd7kS0+ig=; 20:AMyZHUsmg8A0KaLWG9lXlB6xZRKPBNiWnVdI+bMLFp2WLB0w2ilw0+lBG6HGbso48Ak4L3lKQogfpIqFsuRlng==
SpamDiagnosticOutput: 1:23
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: aist.go.jp
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Jul 2015 12:22:24.5776 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: KAWPR01MB0194
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/Wd-DX_d2JQ8gPx-oJtPREIBaEOw>
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Fwd: New Version Notification for draft-yusef-httpauth-srp-scheme-00.txt
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 12:22:37 -0000
Thanks Rifaat, I'll go inline, too. On 2015/07/20 20:53, Rifaat Shekh-Yusef wrote: > Hi Yutaka, > > Please, see my reply inline... > > Regards, > Rifaat > > > On Mon, Jul 20, 2015 at 10:32 AM, Yutaka OIWA <y.oiwa@aist.go.jp> wrote: > >> Dear Rifaat, >> >> I'm happy on seeing some interest on using strong PAKE-based >> cryptography on HTTP authentication, but I also have several >> questions/concerns about your current proposal. >> I'll first express my general questions and suggestions, >> followed by my technical reviews and suggestions in a separate email. >> >> >> Could you tell us why do you think this proposal is needed? >> Is there any specific request for this technology in this form, or >> is it just a general motivation for PAKE to be used in HTTP? >> >> > It is a general motivation to use PAKE-based solution not only for HTTP, > but also for other protocols, e.g. SIP. Understood. >> I have been designing Mutual auth as a general framework for >> augmented PAKE-based HTTP authentication, and implemented >> several mechanisms to let it working effectively. >> > > Unfortunately, I am personally not that familiar with your work. > > In general, we would like to utilize the *existing *HTTP Framework and add > support for SRP on top of that. > SRP is a protocol that is already used by other RFCs and it has many > implementations out there, and is royalty free. What I'm doing is that I *do* use the existing HTTP Framework, and add generic support for PAKE on top of that (draft-ietf-httpauth-mutual). Then, I put some specific PAKE on top of it (draft-ietf-httpauth-mutual-algo). Please look at my work. >> For example, the session key caching and replay-preventing >> nonce-counter is a key mechanism to avoid heavy public-key >> cryptographic operations in every request-response pair. >> >> > I am assuming that this is related to the subsequent requests utilizing the > session keys. > We left this out of this document because we think it is out of scope. If your word "utilizing" means something outside of HTTP auth, it seems to be a wrong assumption. My assumption is simply that one authentication will generally serve much more than one document sequentially or in parallel. This is true for both Web and API-based non-Web (REST-like) accesses. As you know, the PAKE computation is quite heavy operation and number of it should be minimized as small as possible. A few hundreds of milliseconds for each resource is quite unacceptable. It's completely within the scope of HTTP authentication design, and is in align with the base design concept of HTTP/2.0. I think SIP might be an exception for this assumption, but it's quite a special case for HTTP. And, if you think generic HTTP authentication mechanism can be used for SIP as well, my proposal can go as well, quite easily. > Regards, > Rifaat > > > >> If you have no specific reasons for implementing SRP in that specific form, >> I recommend to try writing it as an additional authentication algorithm >> for the Mutual scheme. It will avoid re-inventing many required wheels >> for effective use of heavy PAKE mechanisms which your draft currently >> lacks. >> >> # After finishing (significant portion of) my own work for Mutual auth, >> # I could possibly be able to volunteer writing SRP-based auth algorithm >> # for Mutual scheme, to find out whether it will work successfully or not. >> >> Also, I have to mention that we've submitted our drafts first >> to httpbis WG in 2012 as a chairs' requirement for including >> it as chartered discussion candidates. That's how the current >> HTTPAUTH WG was formed with current candidates. >> I'm little bit surprised to see this proposal on this time period. >> If we've seen it long before, I could be working more on considering >> your specific requirements merged into Mutual proposal. >> # I also have asked several times for comments on the choice of >> # PAKE variants for basic Mutual uses, without any strong >> # suggestions for changing it from the current form. >> >> >> Regards, >> >> Yutaka >> >> On 2015/06/01 0:53, Rifaat Shekh-Yusef wrote: >>> Hi, >>> >>> Yaron and I have just submitted a draft that defines a new authentication >>> scheme based on the SRP protocol, to be used with the HTTP Authentication >>> Framework. >>> We would appreciate any thoughts, reviews, and feedback on this document. >>> >>> Regards, >>> Rifaat >>> >>> >>> >>> >>> ---------- Forwarded message ---------- >>> From: <internet-drafts@ietf.org> >>> Date: Sun, May 31, 2015 at 11:48 AM >>> Subject: New Version Notification for >> draft-yusef-httpauth-srp-scheme-00.txt >>> To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Yaron Sheffer < >>> yaronf.ietf@gmail.com> >>> >>> >>> >>> A new version of I-D, draft-yusef-httpauth-srp-scheme-00.txt >>> has been successfully submitted by Rifaat Shekh-Yusef and posted to the >>> IETF repository. >>> >>> Name: draft-yusef-httpauth-srp-scheme >>> Revision: 00 >>> Title: HTTP Secure Remote Password (SRP) Authentication Scheme >>> Document date: 2015-05-31 >>> Group: Individual Submission >>> Pages: 11 >>> URL: >>> >> https://www.ietf.org/internet-drafts/draft-yusef-httpauth-srp-scheme-00.txt >>> Status: >>> https://datatracker.ietf.org/doc/draft-yusef-httpauth-srp-scheme/ >>> Htmlized: >>> https://tools.ietf.org/html/draft-yusef-httpauth-srp-scheme-00 >>> >>> >>> Abstract: >>> This document defines an HTTP Authentication Scheme that is based on >>> the Secure Remote Password (SRP) protocol. The SRP protocol is an >>> Augmented Password Authenticated Key Exchange (PAKE) protocol >>> suitable for authenticating users and exchanging keys over an >>> untrusted network. >>> >>> >>> >>> >>> Please note that it may take a couple of minutes from the time of >> submission >>> until the htmlized version and diff are available at tools.ietf.org. >>> >>> The IETF Secretariat >>> >>> >>> >>> _______________________________________________ >>> http-auth mailing list >>> http-auth@ietf.org >>> https://www.ietf.org/mailman/listinfo/http-auth >>> >> >> -- >> Yutaka OIWA, Ph.D. Cyber Physical Architecture Research Group >> Information Technology Research Institute >> National Institute of Advanced Industrial Science and Technology (AIST) >> Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp >>> >> OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 >> 46B5] >> > -- Yutaka OIWA, Ph.D. Cyber Physical Architecture Research Group Information Technology Research Institute National Institute of Advanced Industrial Science and Technology (AIST) Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp> OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]
- [http-auth] Fwd: New Version Notification for dra… Rifaat Shekh-Yusef
- Re: [http-auth] Fwd: New Version Notification for… Yutaka OIWA
- Re: [http-auth] Fwd: New Version Notification for… Yutaka OIWA
- Re: [http-auth] Fwd: New Version Notification for… Rifaat Shekh-Yusef
- Re: [http-auth] Fwd: New Version Notification for… Rifaat Shekh-Yusef
- Re: [http-auth] Fwd: New Version Notification for… Yutaka OIWA
- Re: [http-auth] Fwd: New Version Notification for… Yutaka OIWA