Re: [http-auth] Fwd: New Version Notification for draft-yusef-httpauth-srp-scheme-00.txt
Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Mon, 20 July 2015 11:53 UTC
To: Yutaka OIWA <y.oiwa@aist.go.jp>
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/YTUGeKEWHt6K39OtdMSxaIjK0eU>
Cc: "http-auth@ietf.org" <http-auth@ietf.org>

Hi Yutaka,

Please, see my reply inline...

Regards,
Rifaat

On Mon, Jul 20, 2015 at 10:32 AM, Yutaka OIWA <y.oiwa@aist.go.jp> wrote:

> Dear Rifaat,
>
> I'm happy on seeing some interest on using strong PAKE-based
> cryptography on HTTP authentication, but I also have several
> questions/concerns about your current proposal.
> I'll first express my general questions and suggestions,
> followed by my technical reviews and suggestions in a separate email.
>
> Could you tell us why do you think this proposal is needed?
> Is there any specific request for this technology in this form, or
> is it just a general motivation for PAKE to be used in HTTP?

It is a general motivation to use PAKE-based solution not only for HTTP, but also for other protocols, e.g. SIP.

> I have been designing Mutual auth as a general framework for
> augmented PAKE-based HTTP authentication, and implemented
> several mechanisms to let it working effectively.

Unfortunately, I am personally not that familiar with your work.
In general, we would like to utilize the *existing* HTTP Framework and add support for SRP on top of that.
SRP is a protocol that is already used by other RFCs and it has many implementations out there, and is royalty free.

> For example, the session key caching and replay-preventing
> nonce-counter is a key mechanism to avoid heavy public-key
> cryptographic operations in every request-response pair.

I am assuming that this is related to the subsequent requests utilizing the session keys.
We left this out of this document because we think it is out of scope.

Regards,
Rifaat

> If you have no specific reasons for implementing SRP in that specific form,
> I recommend to try writing it as an additional authentication algorithm
> for the Mutual scheme. It will avoid re-inventing many required wheels
> for effective use of heavy PAKE mechanisms which your draft currently
> lacks.
>
> # After finishing (significant portion of) my own work for Mutual auth,
> # I could possibly be able to volunteer writing SRP-based auth algorithm
> # for Mutual scheme, to find out whether it will work successfully or not.
>
> Also, I have to mention that we've submitted our drafts first
> to httpbis WG in 2012 as a chairs' requirement for including
> it as chartered discussion candidates. That's how the current
> HTTPAUTH WG was formed with current candidates.
> I'm little bit surprised to see this proposal on this time period.
> If we've seen it long before, I could be working more on considering
> your specific requirements merged into Mutual proposal.
> # I also have asked several times for comments on the choice of
> # PAKE variants for basic Mutual uses, without any strong
> # suggestions for changing it from the current form.
>
> Regards,
>
> Yutaka
>
> On 2015/06/01 0:53, Rifaat Shekh-Yusef wrote:
> > Hi,
> >
> > Yaron and I have just submitted a draft that defines a new authentication
> > scheme based on the SRP protocol, to be used with the HTTP Authentication
> > Framework.
> > We would appreciate any thoughts, reviews, and feedback on this document.
> >
> > Regards,
> > Rifaat
> >
> > ---------- Forwarded message ----------
> > From: <internet-drafts@ietf.org>
> > Date: Sun, May 31, 2015 at 11:48 AM
> > Subject: New Version Notification for draft-yusef-httpauth-srp-scheme-00.txt
> > To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Yaron Sheffer <yaronf.ietf@gmail.com>
> >
> > A new version of I-D, draft-yusef-httpauth-srp-scheme-00.txt
> > has been successfully submitted by Rifaat Shekh-Yusef and posted to the
> > IETF repository.
> >
> > Name: draft-yusef-httpauth-srp-scheme
> > Revision: 00
> > Title: HTTP Secure Remote Password (SRP) Authentication Scheme
> > Document date: 2015-05-31
> > Group: Individual Submission
> > Pages: 11
> > URL: https://www.ietf.org/internet-drafts/draft-yusef-httpauth-srp-scheme-00.txt
> > Status: https://datatracker.ietf.org/doc/draft-yusef-httpauth-srp-scheme/
> > Htmlized: https://tools.ietf.org/html/draft-yusef-httpauth-srp-scheme-00
> >
> > Abstract:
> > This document defines an HTTP Authentication Scheme that is based on
> > the Secure Remote Password (SRP) protocol. The SRP protocol is an
> > Augmented Password Authenticated Key Exchange (PAKE) protocol
> > suitable for authenticating users and exchanging keys over an
> > untrusted network.
> >
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org.
> >
> > The IETF Secretariat
> >
> > _______________________________________________
> > http-auth mailing list
> > http-auth@ietf.org
> > https://www.ietf.org/mailman/listinfo/http-auth
>
> --
> Yutaka OIWA, Ph.D. Cyber Physical Architecture Research Group
> Information Technology Research Institute
> National Institute of Advanced Industrial Science and Technology (AIST)
> Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
> OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]