[http-auth] (mutual auth) possible discussions / call for opinions
Yutaka OIWA <y.oiwa@aist.go.jp> Mon, 16 March 2015 13:21 UTC
Return-Path: <y.oiwa@aist.go.jp>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6F251A8739 for <http-auth@ietfa.amsl.com>; Mon, 16 Mar 2015 06:21:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.679
X-Spam-Level:
X-Spam-Status: No, score=-3.679 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mqVDiJ1fYhzA for <http-auth@ietfa.amsl.com>; Mon, 16 Mar 2015 06:21:15 -0700 (PDT)
Received: from na3sys010aog101.obsmtp.com (na3sys010aog101.obsmtp.com [74.125.245.70]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F28A1A873E for <http-auth@ietf.org>; Mon, 16 Mar 2015 06:21:14 -0700 (PDT)
Received: from mail-lb0-f177.google.com ([209.85.217.177]) (using TLSv1) by na3sys010aob101.postini.com ([74.125.244.12]) with SMTP ID DSNKVQbYyUzYN7JTKYjaM9SR0d0zBW+EVOHF@postini.com; Mon, 16 Mar 2015 06:21:14 PDT
Received: by lbcds1 with SMTP id ds1so30521277lbc.3 for <http-auth@ietf.org>; Mon, 16 Mar 2015 06:21:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aist.go.jp; s=google; h=mime-version:from:date:message-id:subject:to:content-type; bh=7zc12G5UOGB9rkVzSs+hTahPBSptcG80qYUIhgP/2cI=; b=bbz/h4jWe4gvEyrCEyV9dbNHnJu7Cs0LZpoCODVC+vffk0RNKCYwqaHDb2XVF9V0M3 u1KhnlG5uN66FBKh1Px29BSEIOjiCKMKeZvbgSyllocarqsy5pelMFLesQ5Pl0gsLilE l4tfjhlBG48NzsqpcpzkW2e+F01tX95N6XJs0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=7zc12G5UOGB9rkVzSs+hTahPBSptcG80qYUIhgP/2cI=; b=C6dfD24X6kblPY/o1yFjrMyUexglUvSRxwwbwL9d+/wMkNiIDFuD6DMULFy/dMrAng PRyqpz2PehK+oQIYU7V2u5cyA6ApEhmFDX27otMeWXoOJKoWazF9ojPVAx81e8KPHhwY 1IDNuA+HQv9gF3h4AbujrU4xzTDj/hlS9WpfiLwreqz07eCeNAU+FqbX2Swdlnbl1yXc kUkuzWa3CFCM42Nrm8YD66ywZhMXderxidg586O0Cv7dhza6X9jfKlIcKrPLHh120ueT EQPsPErGR/EUg6ln6CdcvNweTUcvGP5oDiNmCpMIS81g+61/pM6hgyKL15yY2/XUMkuV 1sFA==
X-Gm-Message-State: ALoCoQkVviahrBCOoy67i/0Ys6UIrWMXzTDeiULWZLbCTqON2HlKfxFm8A+EBAzoKDCFG1GcmPWdp16e05drNSGRcrvB4oxDvoUSQr/TZgAd/3bH6hzyWq4sn3DYhV0zIIR13IFQyYTJJVBOjNG/PlN84+nrSJksBQ==
X-Received: by 10.112.41.236 with SMTP id i12mr27011731lbl.14.1426512072529; Mon, 16 Mar 2015 06:21:12 -0700 (PDT)
X-Received: by 10.112.41.236 with SMTP id i12mr27011726lbl.14.1426512072434; Mon, 16 Mar 2015 06:21:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.170.203 with HTTP; Mon, 16 Mar 2015 06:20:52 -0700 (PDT)
From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Mon, 16 Mar 2015 22:20:52 +0900
Message-ID: <CAMeZVwuZjHeoNJ9d3OTU+7FHoRforNLVMX9vKK=CVMwvn2dREQ@mail.gmail.com>
To: "http-auth@ietf.org" <http-auth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/a2JpADzfrQmh6NK5vYL1uTmiIeU>
Subject: [http-auth] (mutual auth) possible discussions / call for opinions
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Mar 2015 13:21:17 -0000
Dear HTTPAUTH WG attendees,
The following is the list of possible discussion points
that the authors think.
For most of these, the authors currently think that
current specifications are appropriate.
But at the same time, we'd like to have feedback
for these decisions.
Please feel free to send us a feedback and
we'll consider it for improving the drafts for
publication.
Feed-backs can be either to the list or
to be given directly at the meeting.
See you at Dallas!
==== draft-ietf-httpauth-mutual ====
= Section 3.1 =
[P1] Is adoption of RFC5987 OK?
[P2] The encoding is fixed to UTF-8, without any language.
(justification: it is not an on-line negotiable parameter,
and the new protocol does not need to consider older
clients.)
= Section 4: Messages =
[P3] Are the reserved parameter names making sense?
= Section 4.1: 401-INIT =
[P4] The set of pwd-hash parameters for user-DB migrations:
none, md5, digest-md5, sha1 makes sense?
[P5] reason parameter:
Are the listed reasons good and complete?
= Section 4.3 401-KEX-S1 =
[P6] Minimum parameter ranges:
* 80+ bits for session id (sid)
* 32+ slots for active nonces: nc-max, nc-window
* 60+ seconds for session key retention
= Section 5: Authentication Realms =
[P7] Are these choices complete?
= Section 7: Host validation (channel binding to TLS) =
[P8] Is adoption of RFC 5929 OK?
[P9] Do we really need tls-unique for general HTTP?
(It is too complex for actual implementation,
because authentication life-duration spans
over multiple HTTP requests and
multiple TLS connections.)
[P10] Is 256-bit binding sensible for 512-bit-worth
authentication exchange?
(with 256-bit TLS certificates)
= Section 10 =
[P11] Two forms of descriptions are given for client state-machines,
requested by feedback comments.
Is it necessary to have both? Or, which one makes more sense?
= Section 12.1: Data Syntax =
[P12] We need non-ambiguous enconding of multiple string sets.
Are definitions of VI(), VS() satisfactory?
= Section 16: IANA Considerations =
[P13] Choice of Requirement specification levels for
new algorithms: is "RFC required" satisfactory?
(see RFC 5226 for other choices)
==== draft-ietf-httpauth-mutual-algo ====
[P14] Iteration counts for "PBKDF2" construction:
nIterPi is defined to be 16384. Is this value reasonable?
==== draft-ietf-httpauth-extension ====
= Section 3: Optional authentication =
[P15] Do we want to migrate to (recently-clarified)
"WWW-Authenticate with 2XX status" for
notification of possible optional authentications?
Current choice (separate header) is more friendly
to co-exist with Cookie-based authentication,
because an unknown new header will always be ignored.
= Section 4: General issues =
[P16] Length of parameter names:
Some requests are there, that we should shorten
name of parameters: how far we should go?
"logout-URL" or "unauth-URL" might be one level of possible solution.
= Section 4.6 =
[P17] Is it reasonable to use logout-timeout=0 for logout request?
Or, something more explicit like "request-logout=true" is preferred?
= Section 7: IANA registration =
[P18] Choice of Requirement specification levels for
new parameters:
For this specification, we want a weaker-level
of requirement than the Mutual spec, because
this spec is intended as general, possibly ad-hoc
extension points for HTTP authentications.
Our choice is "Specification Required".
Is it OK? (See RFC 5226 for other choices, again.)
--
Yutaka OIWA, Ph.D.
Senior Researcher, Research Institute for Secure Systems (RISEC)
National Institute of Advanced Industrial Science and Technology (AIST)
Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]
- [http-auth] (mutual auth) possible discussions / … Yutaka OIWA
- Re: [http-auth] (mutual auth) possible discussion… Ilari Liusvaara