IETF Logo Mail Archive

Re: [http-auth] Fwd: New Version Notification for draft-yusef-httpauth-srp-scheme-00.txt

Yutaka OIWA <y.oiwa@aist.go.jp> Mon, 20 July 2015 12:44 UTC

Return-Path: <y.oiwa@aist.go.jp>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 124A61A8738 for <http-auth@ietfa.amsl.com>; Mon, 20 Jul 2015 05:44:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.301
X-Spam-Level:
X-Spam-Status: No, score=-1.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_45=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mxecap0-myEy for <http-auth@ietfa.amsl.com>; Mon, 20 Jul 2015 05:44:20 -0700 (PDT)
Received: from APC01-HK2-obe.outbound.protection.outlook.com (mail-hk2apc01on0047.outbound.protection.outlook.com [104.47.124.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EDBE1A8740 for <http-auth@ietf.org>; Mon, 20 Jul 2015 05:44:19 -0700 (PDT)
Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;
Received: from [IPv6:2001:df8:f00:364:928:65f:455b:3c7c] (2001:df8:f00:364:928:65f:455b:3c7c) by OS2PR01MB0202.jpnprd01.prod.outlook.com (10.161.78.140) with Microsoft SMTP Server (TLS) id 15.1.213.14; Mon, 20 Jul 2015 12:44:16 +0000
Message-ID: <55ACED0B.1070904@aist.go.jp>
Date: Mon, 20 Jul 2015 21:43:55 +0900
From: Yutaka OIWA <y.oiwa@aist.go.jp>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
References: <20150531154835.3639.52041.idtracker@ietfa.amsl.com> <CAGL6epJ=dQw9FZS7aUX3B6oLJUw-s9+ARMbrjjZ0K+283inCkg@mail.gmail.com> <55ACB70B.1070603@aist.go.jp> <CAGL6epKgcp-KxhUFkMv41-pnF3Gqhm5Oxy7LQQW-Jc5XnKSM3A@mail.gmail.com>
In-Reply-To: <CAGL6epKgcp-KxhUFkMv41-pnF3Gqhm5Oxy7LQQW-Jc5XnKSM3A@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [2001:df8:f00:364:928:65f:455b:3c7c]
X-ClientProxiedBy: AM3PR06CA050.eurprd06.prod.outlook.com (10.141.192.168) To OS2PR01MB0202.jpnprd01.prod.outlook.com (25.161.78.140)
X-Microsoft-Exchange-Diagnostics: 1; OS2PR01MB0202; 2:pHqUM6lqD1O6zJpI7kFPERt4vuQZPX+LuzmnxC6NhyvmUmLXT4Rx2noscg6IEVey; 3:0FIgUx0p1tlh4dlF0atPAAGof2M7zHSNXICpQLuxn6PpxsD5wyY17Wd8pvWEOg+omnnG+b+xWJb3dbrCAxdt6LrrkJNYFI4u6vOR5dInk9pJ8MaXJVRR79v+y7GjCtychSCcJjHHp409ns1ENkju/g==; 25:0o6Ig4tzfzpsjlRFpXzUZOF6OlV+2D1rzMl0l/JF1epi5O7Xqr4f9AQUgdk1xm5IIMorGU0viLYIlr1uysMtwbbItKp156UrblQoOazJsWLkwmVIhOTYOovaPNP2pd7vVYZrzjZZ46ZUM4lB45HmhbUAM2LkbPAIZ5HtrpOoGmFskXTEiCwqJxOeqLZWAJw29VAH5zpLd+bkDHrewHL/6mYHqy5LiMP8GPuSBxnPlyQkJ3pUMVwMmBc/uGnsaJeFp9x7WEL3+0Dk5Act2R1q3g==
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:OS2PR01MB0202;
X-Microsoft-Exchange-Diagnostics: 1; OS2PR01MB0202; 20:Q9+dXOQAp1gzLI3Xp14w4VOisVbEnmQwwzX3+aOAZYSIG4TNZD0LnyEmmjbPlwlnCtVLizbm7GUy1jINWt+BLW5rNO5aoKvNn6OiUTtFupgzY654VTa9hFlbx1e6bNn9vQpdby++TKW6qvi3Q+1FWIHgGYzv6w+WIgvdZz3mZIW3DhKj12Yra1DEvs2RldtjClClezEeozwGqhls47UHRPK9XsWaIveszrNLQDhPFWfxK1/sgnp2RlTcJQ3nj5HLDpflPJmlrUr5s4PNXNUd4ypabrJApv4x/RE/sJUAPJpnZUOswURgHxANTniOn1hiqEB5+vwIHlAo9QARKY3tB3h/5bPy/Ym2udzsgnDpxb+dmf2lCuU3DfYh2F68xFpSBNL04UmBi5LMJo3LyQ/lXHPp+KnYdsmgH/5nZtbwqTumh9658IBqO8waHeLcpVJuXTTg6yeI7aSf8x3NV32BYuk1AbbF6b3bMYUyWMnDoycMPJwZDHvTIBZZOKWY7/s6woz4sae3ldHbdMgCr0ZFWBTYb321HN7Z7k8Ix3KSCIrQHqq/tyH1X6bNtWjHIvfl7nVhN9HOdbrXKuCiBKIeNPa0WVXs+XPQennEUU/yCYI=; 4:/oebKX73OyMbVpfClwa5cYzcdS4c8xsqkdnWELFE3wcioJN1sCJn1h7lb3CsU46Re6Og8hWaLhe9p1I1Zv3oIaeJ8HY40851UCrQC7DYc3msVs/cI58CpWbXv0MwTXIw+ZlY8JsQtQOBMybWavNM8yrx+Eu+C5KkTXSgNcH9MopkmNzN40DD0Tesa1ilcQH2xwkWtLaLWrxwFQTaQEAY9COQlToz368yh9o0HQ6dlS/ZXcxUw+sH5N5XhyOWj1mpUOcjXQzc9vqzNDM9yBgPaQ==
OS2PR01MB0202: X-MS-Exchange-Organization-RulesExecuted
X-Microsoft-Antispam-PRVS: <OS2PR01MB02023D840B9CCBF930181476A0850@OS2PR01MB0202.jpnprd01.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(5005006)(3002001); SRVR:OS2PR01MB0202; BCL:0; PCL:0; RULEID:; SRVR:OS2PR01MB0202;
X-Forefront-PRVS: 0643BDA83C
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(6009001)(377454003)(2473001)(24454002)(479174004)(377424004)(65956001)(83506001)(33656002)(110136002)(5001960100002)(42186005)(4001350100001)(189998001)(87976001)(36756003)(77156002)(62966003)(80316001)(50986999)(92566002)(65806001)(47776003)(76176999)(59896002)(87266999)(122386002)(86362001)(74482002)(2950100001)(551544002)(50466002)(54356999)(19580405001)(93886004)(19580395003)(40100003)(77096005)(15975445007)(23676002)(230783001)(46102003)(3826002); DIR:OUT; SFP:1101; SCL:1; SRVR:OS2PR01MB0202; H:[IPv6:2001:df8:f00:364:928:65f:455b:3c7c]; FPR:; SPF:None; MLV:sfv; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1;OS2PR01MB0202;23:/A4HNYdjdlduG0Wa6WHR8Kw5q8ARQbjLqrLlFbslBqFEyf+UF4R/GeToqDMOrEQaz6uaVgs8pxsSmt1y/pqJKt69bcztgOMjmj9mZ0LhRlKU0wOCra/cTdW4Fdmlciw3eYrmUHTrLn+29Tud4axKMjLneU1V7UrrfMAdpactKxu5cPRCPwuh0nZbL9y2AgPNAtoptiRcUZWc420QfEyZYwBhTZVrbxKSS0w95WLtd+P4v0V095KaS497g6Onu5Tv2S0N/GjqQ4PNHcuXrLpdQgWsB7fWu5Ez/Q84NrRzKOfIi5VAK7NTg2AWF5sxz9kNvJ6+i7kX73LTmkocFSC1iZTmM7xczKBz2Qm7E9vl78Ko7uHNuNpPp4xTqQjlEKXeHuxdWNQ05Gh5d9qLKPXJ2S1qiyZZW0YAC3zXRzxb2yE8Mm/5J/qHdKZ5XZy2bBjCiEuYnJVxntBgAQFgWWrXYmCM/A4kexp6UG+hFjtceioWL+tyO/tyq1wDHu/hKAdpdAdImk3Lv34jwu6aREYmKqmRUJ5qrQxuTacU6PI2O1D7UpXjCV3dqM+KW4sWkyh7yqB5ySGgw9KkNZS3nT7JYXJTL9eNp0MabaqGvgBB5KMVdtQ7XArvrZ4Cu22PLJwoaJ1Dlyba7j7P5KLWW8ClEBGr2asspyBzKqIAO/+DtmkQCuWcCv6HN6zbcezyf3EWH0LAGAXYGfGm2+NYxDGRWuTsh1YnY2jc/6iM/1wBUs42YJfA1nZKwPQv5VtE6eCkm/URyWV52Ixm2spwQ1w0Dc9/QhjnVJMpXn7CmnzvaZk0kwQ7gUkehOGn338pPIvbOvOWixoJ5k936fHmQrpX3TV1HLxSF9AkL5w1MTibaZ0VtHtTwkP6Rz8cPVI73MofQ51OUxmKXM2mOxB+LZ1vTo+6WYoIGhdJuaEDypoPf8Jo/4csgqM3AjyWG4QQHtnNIylzY1PNvyaYOOy/7AH+crJXp6KmfzR8gJqgnWlHK9jj4nTQCI4/F6O6eWFgnIuLh0gWjp68kXc/kphe+aTYAAG2mgr+u0ZYT04zsRox6DrigC0OEm2Eo6CtlNYbVQm7g8KBZVh+cLW9QhzCb1nWW0xOHJH0uK6kGz3r8NCWNI8=
X-Microsoft-Exchange-Diagnostics: 1; OS2PR01MB0202; 5:80EQMNuMmSVf4Mmn5CktfAzBOndrNBzA5/sN28XCYW86UoIi0YEjifNR4uN1mBtlOkACOGIiGift44zMGhteCNksHxQvSzoz1eMYPR8GSlqweICXwYrwRh8gIdSmj/R/Of1i+VqHsU4fHWNVtcsNnA==; 24:9ZKFqGcUDofXRNt2h5MV0dNTBuFvSy9PfuuMpZoXHv8PLcepp/R+Lj44QP0unjhulFA7a87C1hkGwunf5QQzSJ59dingYsROkzwEnfKsiTE=; 20:qDbzQv+O5b1oJqFyCCznt4tcGc0PdCjfYC/XpbTk4D64IPG0n6ylQGOqVMPNnrr5m3t8s/xNnbXlccldOM4czA==
SpamDiagnosticOutput: 1:23
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: aist.go.jp
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Jul 2015 12:44:16.3701 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: OS2PR01MB0202
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/_rPubbf6JH6_xUwA9z_gph4DmJo>
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Fwd: New Version Notification for draft-yusef-httpauth-srp-scheme-00.txt
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 12:44:22 -0000

Dear Rifaat,

On 2015/07/20 21:09, Rifaat Shekh-Yusef wrote:
> Hi Yutaka,
> 
> Thanks for your comments.
> Please, see my reply inline...
> 
> Regards,
>  Rifaat
> 
> 
> On Mon, Jul 20, 2015 at 10:53 AM, Yutaka OIWA <y.oiwa@aist.go.jp> wrote:
> 
>> Dear HTTPAUTH WG,
>>
>> the following is my technical comments for the submitted draft.
>>
>> 1. The authentication exchange of the HTTP should be carefully
>> reconsidered.
>>    It will usually start with unauthenticated request to the server, and
>>    the response can contain "realm", without any specific discovery
>> mechanisms.
>>
>>
> That is the intention; if that was not clear then we will try to clarify it.
> Is the confusing part the fact that we called it "discovery"?

I just could not understand why there is a request with
empty "Authorization: SRP".  That can simply be omitted.


>> 2. The final response for the successful authentication should use
>>    Authentication-Info header instead of WWW-Authenticate, whose
>>    spec is under clarification by Julian.
>>
> 
> Yes, and that is already specified in section 6.
> We will fix the flow diagram in section 2; it was a copy&paste error.
I understand it.

>>    It's also better that the normal response codes (200 or 401) is
>>    shown in the exchange examples for easier understanding.
>>
>>
> Agree.
> 
> 
> 
> 
>> 3. Please clarify explicitly how the six-message exchange can be shorten
>>    on what cases.
>>    Especially, avoiding re-computation of "public keys" is critical for
>>    any effective use of public-key-based cryptography (including any
>>    known PAKE algorithms) on stateless HTTP.
>>    It will require introduction of something similar to (next-)nonce
>>    in Digest or "sid" in Mutual and SCRAM, along with replay-preventing
>>    mechanisms.  It should be clarified how replay attacks can be prevented
>>    when public keys are reused.
>>
>>
> Is this related to subsequent requests in the context of the same session?

The term "session" is not defined in HTTP, but I think probably true.
Related to the subsequent to-be-authenticated requests for the same realm.

>> 4. There are distinct kinds of responses with different semantics but
>>    sharing the same "WWW-Authentication: SRP" header, and so kinds of
>>    requests sharing "Authorization: SRP".
>>    It should be clarified how each peer will distinguish those kinds of
>>    messages (e.g. existence or non-existence of client-pop field).
>>    It will be important for handling (or rejection)
>>    of malformed messages without any ambiguity (or possible cheating with
>> it).
>>
>>
> For this, we expect the client to send the server-public-key it received
> from the server to allow the server the ability to distinguish between the
> various requests.

I guessed so. What happens if the server receives server-public-key and
username but no client-pop, for example?
Also, I found one mistake: Authentication-Info does not contain any scheme;
it is implied by the scheme in the Authorization header received from the client.


> Regards,
>  Rifaat
> 
> 
>>
>> On 2015/06/01 0:53, Rifaat Shekh-Yusef wrote:
>>> Hi,
>>>
>>> Yaron and I have just submitted a draft that defines a new authentication
>>> scheme based on the SRP protocol, to be used with the HTTP Authentication
>>> Framework.
>>> We would appreciate any thoughts, reviews, and feedback on this document.
>>>
>>> Regards,
>>>  Rifaat
>>>
>>>
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: <internet-drafts@ietf.org>
>>> Date: Sun, May 31, 2015 at 11:48 AM
>>> Subject: New Version Notification for
>> draft-yusef-httpauth-srp-scheme-00.txt
>>> To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Yaron Sheffer <
>>> yaronf.ietf@gmail.com>
>>>
>>>
>>>
>>> A new version of I-D, draft-yusef-httpauth-srp-scheme-00.txt
>>> has been successfully submitted by Rifaat Shekh-Yusef and posted to the
>>> IETF repository.
>>>
>>> Name:           draft-yusef-httpauth-srp-scheme
>>> Revision:       00
>>> Title:          HTTP Secure Remote Password (SRP) Authentication Scheme
>>> Document date:  2015-05-31
>>> Group:          Individual Submission
>>> Pages:          11
>>> URL:
>>>
>> https://www.ietf.org/internet-drafts/draft-yusef-httpauth-srp-scheme-00.txt
>>> Status:
>>> https://datatracker.ietf.org/doc/draft-yusef-httpauth-srp-scheme/
>>> Htmlized:
>>> https://tools.ietf.org/html/draft-yusef-httpauth-srp-scheme-00
>>>
>>>
>>> Abstract:
>>>    This document defines an HTTP Authentication Scheme that is based on
>>>    the Secure Remote Password (SRP) protocol.  The SRP protocol is an
>>>    Augmented Password Authenticated Key Exchange (PAKE) protocol
>>>    suitable for authenticating users and exchanging keys over an
>>>    untrusted network.
>>>
>>>
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of
>> submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>>
>>> The IETF Secretariat
>>>
>>>
>>>
>>> _______________________________________________
>>> http-auth mailing list
>>> http-auth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/http-auth
>>>
>>
>> --
>> Yutaka OIWA, Ph.D.               Planning Officer, Research Planning Office
>>                      Department of Information Technology and Human Factors
>>     National Institute of Advanced Industrial Science and Technology (AIST)
>>                       Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp
>>>
>> OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405
>> 46B5]
>>
> 

-- 
Yutaka OIWA, Ph.D.               Planning Officer, Research Planning Office
                     Department of Information Technology and Human Factors
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]

v2.23.0 | Report a Bug | By Email