Re: [http-auth] Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 06 January 2015 09:47 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 751191A912B; Tue, 6 Jan 2015 01:47:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4KIxtguHOHZF; Tue, 6 Jan 2015 01:47:33 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 110BD1A1BC3; Tue, 6 Jan 2015 01:47:33 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id AA4E1BECA; Tue, 6 Jan 2015 09:47:31 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2jrMhDeKDHG2; Tue, 6 Jan 2015 09:47:29 +0000 (GMT)
Received: from [10.87.48.73] (unknown [86.42.19.48]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 386C3BE8F; Tue, 6 Jan 2015 09:47:29 +0000 (GMT)
Message-ID: <54ABAF30.8040207@cs.tcd.ie>
Date: Tue, 06 Jan 2015 09:47:28 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Barry Leiba <barryleiba@computer.org>
References: <20150105174855.11968.51931.idtracker@ietfa.amsl.com> <54AAE9C7.8010105@cs.tcd.ie> <CALaySJ+j2u3_amk-BSjDgRvoGKFjsqn8k1Lm8pN0dW5dCXck3g@mail.gmail.com> <9C2AA051DD3C464F8ADEE38AEE6C26AD18C9E7BA@dfweml704-chm> <54AB4FFF.4040402@cs.tcd.ie> <CALaySJ+QY12hbrn0SkzwCakcBR3mqSD7XkHAQEspogafVq1_-g@mail.gmail.com>
In-Reply-To: <CALaySJ+QY12hbrn0SkzwCakcBR3mqSD7XkHAQEspogafVq1_-g@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/ZX-RF90Ehr94dsWOEQ-oObZmjoQ
Cc: Barry Leiba <barry.leiba@huawei.com>, "httpauth-chairs@tools.ietf.org" <httpauth-chairs@tools.ietf.org>, "draft-ietf-httpauth-hoba.all@tools.ietf.org" <draft-ietf-httpauth-hoba.all@tools.ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [http-auth] Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jan 2015 09:47:35 -0000
Hope this works ok - I've pasted in the comment text and my responses to cut down the nesting. A proto -10 version with changes indicated below is at [1] the diff vs. -09 at [2]. [1] https://down.dsg.cs.tcd.ie/misc/draft-ietf-httpauth-hoba-10.txt [2] https://tools.ietf.org/rfcdiff?url1=draft-ietf-httpauth-hoba-09.txt&url2=https://down.dsg.cs.tcd.ie/misc/draft-ietf-httpauth-hoba-10.txt > This document would benefit from some section somewhere giving a > set of clear, numbered steps, saying who sends, who receives, and > who does what with what input at each step. I will propose such > text. And I'll happily look at that when it's available. (And hope to not have to wait much:-) > Minor editorial nit: you use "a HOBA" fairly consistently, but "an > HOBA" appears twice. Oughta fix. Fixed. > The abstract appears to overstate the password issue. It'd be > better for the abstract to say that it eliminates the transmission > of passwords and their storage on the server, which are really the > points. TBH, I prefer the current text a lot. > The introduction might expand on that a little, noting > that passwords might still be used in the user interfaces, but they > would be exclusively client-side things, never transmitted and > never seen by servers. I'd be against adding such. IMO an implementation like that is not a great idea as it's phishable (the user won't know that the password is local only and will re-use the same password in more than one place). That's a very strong (IMO) reason to argue that private key protection is an OS/platform issue and ought not be a HOBA implementation issue. And private key protection done without passwords is much more usable and less phishable. > > -- Section 2 -- > > The definition of "alg" says "the encoding of RSA-SHA256 is 0x30," > but the ABNF above says "alg = 1*2DIGIT", which implies "30", not > "0x30". As I look at Section 9.3, I think I see the problem and > my confusion. I don't think you want "a single octet" here > (otherwise, how would you encode 12 or 99? Don't you really want > something like this?: > > OLD > o alg: specifies the signature algorithm being used encoded as a > single octet as defined in Section 9.3. RSA-SHA256 MUST be > supported, RSA-SHA1 MAY be supported. The IANA registered > algorithm values are encoded as ASCII numbers; for example, the > encoding of RSA-SHA256 is 0x30. > NEW > o alg: specifies the signature algorithm being used. RSA-SHA256 > MUST be supported, RSA-SHA1 MAY be supported. The IANA > registered algorithm values (see Section 9.3) are encoded as one- > or two-digit ASCII numbers. For example, RSA-SHA256 (number > 0) is encoded as the ASCII character "0" (0x30), while a future > algorithm registered as number 17 would be encoded as the > ASCII characters "17" (0x3137). > END Fixed. > > -- Section 3 -- > > The "realm" attribute MUST NOT appear more than once. > > Does that mean that "challenge" and max-age can appear more than > once? No. > If not, why call it out for "realm" and not for the others? I forget and haven't found a why. I think that was in response to some other comment. Would prefer leave it just in case. > It might be good if the description of "max-age" made it clear that > it's for the purpose of allowing multiple uses (multiple sigs). As > it is, it looks like it's there to limit the delay before the > challenge is answered (once). Maybe just a forward ref to Section > 8 is good enough here. I looked at it again and still think it's ok as-is. There is more discussion of max-age a couple of paras below this bullet list. > > -- Section 4 -- > > The second paragraph starts by saying that localStorage is > required, and gives a reference. It ends by saying that > localStorage is not required, because IndexedDB works too, and it > gives a reference. That's not a disaster, but it's sloppy, and > it'd be better to say it all up front. It also makes me wonder > whether the security considerations about attacks on localStorage > do or don't also apply to IndexedDB. Shuffled that about a bit. Better now. > Another very minor point: I would avoid using "a hassle for users" > in an international document that non-native speakers are expected > to understand. "Difficult for users" seems just as good and more > understandable to all. Fixed. > Does the server really use session cookies to navigate around a > site? Or does the server give the client a session cookie for the > client to use to navigate? Fixed. > > -- Section 6.2 -- > > It seems odd to put the NOT RECOMMENDED mechanism in the middle; I > suggest switching sections 6.2.2 and 6.2.3. Noted. Not done:-) > -- Section 8 -- > > The first paragraph doesn't say enough to make sense to me. > Perhaps a few more words about why? I swapped the 1st and 2nd paras. The 1st was a bit abrupt yes but I think it fits better now. > > -- Section 8.3 -- > > The chances that a typical user (consider my mother) will know or > care about this, much less will "request" anything is vanishingly > small. Can you say anything here about what can be done that would > have any practical utility? I think we covered this sufficiently. I do not want to get into recommending ways HOBA implementers can do what really ought be an OS/platform function. In the end I added that specific point and did tweak a bit though. > > -- Section 9.3 -- > > Please create a new HOBA signature algorithms registry as follows, > with the specification required rule for updates. New HOBA signature > algorithms SHOULD be in use with other IETF standards track protocols > before being added to this registry. > > I don't think the SHOULD is really right -- who is the target? > This needs to be cast as instructions to the designated expert, > perhaps as, "The designated expert will review other uses of > requested new HOBA signature algorithms, with particular > consideration to their use in other IETF standards track > protocols." Perhaps there's also another word or two to say about > what the DE should consider? I really think the SHOULD here is good enough and is what we want and no more guidance for a qualified DE is needed and I think we agreed that that's ok. > > -- Sections 9.4 and 9.5 -- > > Might there be any advice for the designated expert, anything at > all? No, I think it's fine - there is no equivalent to the sig alg thing in 9.3 needed. Cheers, S.
- [http-auth] Barry Leiba's Discuss on draft-ietf-h… Barry Leiba
- Re: [http-auth] Barry Leiba's Discuss on draft-ie… Stephen Farrell
- Re: [http-auth] Barry Leiba's Discuss on draft-ie… Stephen Farrell
- Re: [http-auth] Barry Leiba's Discuss on draft-ie… Barry Leiba
- Re: [http-auth] Barry Leiba's Discuss on draft-ie… Julian Reschke
- Re: [http-auth] Barry Leiba's Discuss on draft-ie… Stephen Farrell
- Re: [http-auth] Barry Leiba's Discuss on draft-ie… Stephen Farrell
- Re: [http-auth] Barry Leiba's Discuss on draft-ie… Barry Leiba
- Re: [http-auth] Barry Leiba's Discuss on draft-ie… Stephen Farrell
- Re: [http-auth] Barry Leiba's Discuss on draft-ie… Stephen Farrell
- Re: [http-auth] Barry Leiba's Discuss on draft-ie… Barry Leiba
- Re: [http-auth] Barry Leiba's Discuss on draft-ie… Barry Leiba
- Re: [http-auth] Barry Leiba's Discuss on draft-ie… Kathleen Moriarty
- Re: [http-auth] Barry Leiba's Discuss on draft-ie… Barry Leiba
- Re: [http-auth] Barry Leiba's Discuss on draft-ie… Stephen Farrell
- Re: [http-auth] Barry Leiba's Discuss on draft-ie… Michael Thomas
- Re: [http-auth] Barry Leiba's Discuss on draft-ie… Michael Thomas
- Re: [http-auth] Barry Leiba's Discuss on draft-ie… Martin J. Dürst
- Re: [http-auth] Barry Leiba's Discuss on draft-ie… Kathleen Moriarty