Re: [http-auth] Mirja Kühlewind's No Objection on draft-ietf-httpauth-mutual-10: (with COMMENT)

大岩寛 <y.oiwa@aist.go.jp> Wed, 02 November 2016 08:55 UTC

Return-Path: <y.oiwa@aist.go.jp>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06C3C12947D; Wed, 2 Nov 2016 01:55:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aist.go.jp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zGrcc5hqCY1q; Wed, 2 Nov 2016 01:55:41 -0700 (PDT)
Received: from JPN01-TY1-obe.outbound.protection.outlook.com (mail-ty1jpn01on0076.outbound.protection.outlook.com [104.47.93.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB281129411; Wed, 2 Nov 2016 01:55:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aist.go.jp; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=yfG2xwZqw0HZOdlSaGJ7oVH+ZWpVTOggKzjGwzhJtfw=; b=cpBaOtijF7hbfH0sPb4p84ylHtm76y43GrJqRFwnbKUjDZt57nKgQUaQUf9qgCiXv51ALPQ2AijlhbQ/2gOKQOmYGdJaiQ3XhFuWAoLXLNCODbBsi1A1dhkeuW7V6DBZ04nt7lSQh3382xidJtmqrmNdUIIvkeEYyFEs55+bzuM=
Received: from TY1PR01MB0588.jpnprd01.prod.outlook.com (10.167.157.18) by TY1PR01MB0587.jpnprd01.prod.outlook.com (10.167.157.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.693.12; Wed, 2 Nov 2016 08:55:37 +0000
Received: from TY1PR01MB0588.jpnprd01.prod.outlook.com ([10.167.157.18]) by TY1PR01MB0588.jpnprd01.prod.outlook.com ([10.167.157.18]) with mapi id 15.01.0693.009; Wed, 2 Nov 2016 08:55:37 +0000
From: =?utf-8?B?5aSn5bKp5a+b?= <y.oiwa@aist.go.jp>
To: Mirja Kuehlewind <ietf@kuehlewind.net>, The IESG <iesg@ietf.org>
Thread-Topic: =?utf-8?B?TWlyamEgS8O8aGxld2luZCdzIE5vIE9iamVjdGlvbiBvbiBkcmFmdC1pZXRm?= =?utf-8?Q?-httpauth-mutual-10:_(with_COMMENT)?=
Thread-Index: AQHSNEf9quOyW8ARUEKI1Qq0z2sw5qDFYhsA
Date: Wed, 2 Nov 2016 08:55:36 +0000
Message-ID: <TY1PR01MB0588F621B8D606E97B9C5DCEA0A00@TY1PR01MB0588.jpnprd01.prod.outlook.com>
References: <147800869091.23840.18136834516271995868.idtracker@ietfa.amsl.com>
In-Reply-To: <147800869091.23840.18136834516271995868.idtracker@ietfa.amsl.com>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=y.oiwa@aist.go.jp;
x-originating-ip: [150.29.149.29]
x-ms-office365-filtering-correlation-id: 92a3aff3-62d0-4c13-9a80-08d402fe03a5
x-microsoft-exchange-diagnostics: 1; TY1PR01MB0587; 7:CVjieV/DcFrzjTUxwXxxfh7JujEYEmqtCvaQqhWqjUcqA3crScbagW+zkrNecilJzxzBdNZZqTnmXnr5jGliF0Zh2ZAvYh+n1kHtIznDqlXIsozfcl0MPZKvUrnkKzRk/xEzSingZ9ZtMTj4JVLG3o2FTIGzZ52xQ4MNbnJ4d7edDKmTY1pStbpep/9vbiQ40E324Iyocmu2lzo9QLyo65UK3J7U/g8yI9bJsUFN5IZNY6tEgnjZ+xPnm8W6/ohQpCqW7EqUUm9LMgKg2cyLnPAz/IsZyZf5UutzFG3BLgl0Q75Hg5Vq6fjK97QTSD+dyI1bRw/EnQZa9TJpiTvV9MGx622EMr99fKx8XUYt+JE=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:TY1PR01MB0587;
x-microsoft-antispam-prvs: <TY1PR01MB058740C9C60540C25B0D6157A0A00@TY1PR01MB0587.jpnprd01.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040176)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026); SRVR:TY1PR01MB0587; BCL:0; PCL:0; RULEID:; SRVR:TY1PR01MB0587;
x-forefront-prvs: 0114FF88F6
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(189002)(45984002)(199003)(92566002)(33656002)(7736002)(77096005)(305945005)(2900100001)(7846002)(189998001)(66066001)(5002640100001)(85182001)(87936001)(74482002)(230783001)(50986999)(42882006)(5660300001)(8936002)(81166006)(105586002)(81156014)(19580395003)(10400500002)(106356001)(97736004)(54356999)(76176999)(86362001)(2950100002)(101416001)(19580405001)(224303003)(106116001)(3280700002)(3660700001)(11100500001)(2906002)(122556002)(76576001)(224313004)(6116002)(74316002)(102836003)(3846002)(68736007)(7696004)(586003)(9686002)(5001770100001)(4326007); DIR:OUT; SFP:1101; SCL:1; SRVR:TY1PR01MB0587; H:TY1PR01MB0588.jpnprd01.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: aist.go.jp does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: aist.go.jp
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Nov 2016 08:55:37.0114 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 18a7fec8-652f-409b-8369-272d9ce80620
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TY1PR01MB0587
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-auth/ash8Fs7ODk1vBRQY9UgrFVy_WPg>
Cc: "http-auth@ietf.org" <http-auth@ietf.org>, "draft-ietf-httpauth-mutual@ietf.org" <draft-ietf-httpauth-mutual@ietf.org>, "httpauth-chairs@ietf.org" <httpauth-chairs@ietf.org>
Subject: Re: [http-auth] =?utf-8?q?Mirja_K=C3=BChlewind=27s_No_Objection_on_dr?= =?utf-8?q?aft-ietf-httpauth-mutual-10=3A_=28with_COMMENT=29?=
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2016 08:55:43 -0000

Dear Mirja, thank you very much for the comments.


> One important question:
> Doesn't this spec need to register a new HTTP Authentication Schemes
> ("Mutual") with IANA?

As Julian suggested, yes.
We'll add one more clause to IANA consideration.

> Further minor comments/questions:

> 1) Somehow I don't understand this:
> "For responses, the parameters "reason", any "ks#" (where # stands
>       for any decimal integer), and "vks" are mutually exclusive; any
>       challenge MUST NOT contain two or more parameters among them.
>       They MUST NOT contain any "kc#" or "vkc" parameters."
> Who is 'they' in the last sentence?
We'll change it to "the responses".

> 2) "Typically, clients can ensure the above property by using a
>    monotonically-increasing integer counter that counts from zero up to
>    the value of nc-max."
> Wouldn't it be better to use a randomized number?

This is by design.
Use of an almost-sequential counter makes efficient detection of
replayed challenges be possible with constant memory space.
Using random numbers, the servers must remember all used nonces
to detect replays, which requires memory space proportional to
the lifetime of the "shared key" (z in the specification).
In this algorithm, shared keys are cryptographically generated
"strong secrets", so use of sequential counters will not decrease
the security strength of the whole protocol significantly.
Replay attacks are more important to be prevented.

> 3) Nit: s/Even if the request-URI does not have a port part, v will include
> the default port number./Even if the request-URI does not have a port part,
> vh will include the default port number./

Thank you.


-- 
Yutaka OIWA, Ph.D.       Leader, Cyber Physical Architecture Research Group
                                  Information Technology Research Institute
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]