Re: [http-auth] Richard Barnes' Discuss on draft-ietf-httpauth-basicauth-update-06: (with DISCUSS and COMMENT)
"Roy T. Fielding" <fielding@gbiv.com> Thu, 19 February 2015 01:08 UTC
Return-Path: <fielding@gbiv.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98EAA1A1BC8; Wed, 18 Feb 2015 17:08:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d3TZe2HEjrhe; Wed, 18 Feb 2015 17:08:51 -0800 (PST)
Received: from homiemail-a29.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 8067E1A1BBC; Wed, 18 Feb 2015 17:08:51 -0800 (PST)
Received: from homiemail-a29.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a29.g.dreamhost.com (Postfix) with ESMTP id 40AC267406A; Wed, 18 Feb 2015 17:08:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=gbiv.com; h=subject :mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=gbiv.com; bh=cTA8zWLxAPKqYS+/KrDWa9xhH0U=; b=ZWQP3uZfVQeBMGeYSjk8BgOtrcNG PjKgaanlYn/SRXGcllUJC0m+yGDVJULtj+fPAlZJIJc29KSzstI3Tn22Tn/ilpdi vqRlBcboPj4de1B4B2iw2XWWUDn3YNzg4FcX5cPTQZPybS5Oih/xhypbWhQOPM2s iD7oFi+n5ngPa7M=
Received: from [192.168.1.12] (ip68-228-83-124.oc.oc.cox.net [68.228.83.124]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: fielding@gbiv.com) by homiemail-a29.g.dreamhost.com (Postfix) with ESMTPSA id 08FAE674059; Wed, 18 Feb 2015 17:08:50 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: text/plain; charset="us-ascii"
From: "Roy T. Fielding" <fielding@gbiv.com>
In-Reply-To: <20150218194656.23776.44631.idtracker@ietfa.amsl.com>
Date: Wed, 18 Feb 2015 17:08:50 -0800
Content-Transfer-Encoding: 7bit
Message-Id: <925022E5-F72D-4973-B262-934E367B76F9@gbiv.com>
References: <20150218194656.23776.44631.idtracker@ietfa.amsl.com>
To: Richard Barnes <rlb@ipv.sx>
X-Mailer: Apple Mail (2.1283)
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/Yo06gzW0R7HP5j0_-TCHK3h1xuQ>
Cc: http-auth@ietf.org, draft-ietf-httpauth-basicauth-update.all@ietf.org, The IESG <iesg@ietf.org>, httpauth@ietf.org, httpauth-chairs@ietf.org
Subject: Re: [http-auth] Richard Barnes' Discuss on draft-ietf-httpauth-basicauth-update-06: (with DISCUSS and COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Feb 2015 01:08:53 -0000
On Feb 18, 2015, at 11:46 AM, Richard Barnes wrote: > Richard Barnes has entered the following ballot position for > draft-ietf-httpauth-basicauth-update-06: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > http://datatracker.ietf.org/doc/draft-ietf-httpauth-basicauth-update/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Section 2.2 seems like a significant departure from RFC 2617, which says > nothing about the scope of authentication. Please see "http://tools.ietf.org/html/rfc2616#section-14.8" > (1) Did the WG discuss the compatibility impact of this change? Although > clients might send the Authorization header preemptively, they should > still be prepared to get a 401 response back. > > (2) Did the WG discuss the possibilities for leakage of credentials due > to this change? It's not hard to imagine scenarios where, say, > "http://example.com/~user1" and "http://example.com/~user2" are > controlled by different entities, and leakage between them would be > harmful. > > (3) At the very least, there needs to be (a) a mention of this change in > Appendix A, and (b) a discussion of leakage through unsolicited > Authorization headers in the Security Considerations. > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > The current text on the use of TLS is an OK start, but I would prefer if > it were refactored so that the recommendation against Basic were general > to HTTP and HTTPS. > > "Because Basic authentication involves the cleartext transmission of > passwords it SHOULD NOT be used except over a secure channel such as > HTTPS [RFC2818]. Likewise, due to the risk of compromise, Basic > authentication SHOULD NOT be used to protect sensitive or valuable > information." The secure channel would be "such as authenticated TLS", not HTTPS; it doesn't matter what scheme is used. Also, the last sentence is inappropriate and pointless. Historically (and currently), Basic authentication has been necessary for environments where the end authentication mechanism is controlled by a downstream server that uses legacy accounts and passwords. Hence, the Web server (acting as a gateway to that service) needs the actual credentials as plain text in order for the user to be authenticated. However unfortunate that may be in practice, it is an administrative decision and not a protocol one, and the risk of compromise is not much greater than any other mechanism that involves a user typing a secret key into a piece of software that they don't completely control (like a browser dialog). Encouraging admins to use better authentication mechanisms when possible is fine, but that doesn't translate into a general SHOULD NOT use this one. ....Roy
- [http-auth] Richard Barnes' Discuss on draft-ietf… Richard Barnes
- [http-auth] Richard Barnes' Discuss on draft-ietf… Richard Barnes
- Re: [http-auth] Richard Barnes' Discuss on draft-… Julian Reschke
- Re: [http-auth] Richard Barnes' Discuss on draft-… Richard Barnes
- Re: [http-auth] Richard Barnes' Discuss on draft-… Roy T. Fielding
- Re: [http-auth] Richard Barnes' Discuss on draft-… Yoav Nir