IETF Logo Mail Archive

Re: [http-auth] Fwd: New Version Notification for draft-yusef-httpauth-srp-scheme-00.txt

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Mon, 20 July 2015 12:10 UTC

Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE2F81A7005 for <http-auth@ietfa.amsl.com>; Mon, 20 Jul 2015 05:10:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_45=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lSS_gNdEXBO6 for <http-auth@ietfa.amsl.com>; Mon, 20 Jul 2015 05:09:57 -0700 (PDT)
Received: from mail-vn0-x22f.google.com (mail-vn0-x22f.google.com [IPv6:2607:f8b0:400c:c0f::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBCAE1A21B3 for <http-auth@ietf.org>; Mon, 20 Jul 2015 05:09:51 -0700 (PDT)
Received: by vnav141 with SMTP id v141so22037902vna.0 for <http-auth@ietf.org>; Mon, 20 Jul 2015 05:09:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Cy/Dy1GDxEB6gGYv0kwJX+xIOwT2/fIlUEa6Nq4atM4=; b=Lou73FPsimoSOjOJp5ZR/Qck3+EG2xH3yxCGEtAN+FGNg23zEj4XOrN2Z/kuF2uAan bBoZnQbGzG2I6ubl/D5DQahe3yKpEya6zPiA4eTk5H3UmyCW48B2oE98+j+bw2kBNw21 wcDlKt45U+iIk80isql07fEb8psbc+XUAThm/iuEbZ1kZNVYw70e7CPUAZ30zsw2hm0z kjWZ9IKZrDfGI1EKdeGCXSYc0rYIh069zzIgRlQA4zrF6B1YkuJB5krohJXmMt3haiU4 95oT7VlNhPSky3FiqUD/Kp6slQXoJ3ND6/DcwuUMGnVieLoqCkqRGORHEslmZyESiV0J 5jwA==
MIME-Version: 1.0
X-Received: by 10.52.17.2 with SMTP id k2mr204901vdd.15.1437394191039; Mon, 20 Jul 2015 05:09:51 -0700 (PDT)
Received: by 10.31.53.72 with HTTP; Mon, 20 Jul 2015 05:09:50 -0700 (PDT)
In-Reply-To: <55ACB70B.1070603@aist.go.jp>
References: <20150531154835.3639.52041.idtracker@ietfa.amsl.com> <CAGL6epJ=dQw9FZS7aUX3B6oLJUw-s9+ARMbrjjZ0K+283inCkg@mail.gmail.com> <55ACB70B.1070603@aist.go.jp>
Date: Mon, 20 Jul 2015 14:09:50 +0200
Message-ID: <CAGL6epKgcp-KxhUFkMv41-pnF3Gqhm5Oxy7LQQW-Jc5XnKSM3A@mail.gmail.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
To: Yutaka OIWA <y.oiwa@aist.go.jp>
Content-Type: multipart/alternative; boundary="001a11365fb028c14e051b4d6a10"
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/eiyz-6P8ddVOTyKjZEI7RoP0pZk>
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Fwd: New Version Notification for draft-yusef-httpauth-srp-scheme-00.txt
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 12:10:01 -0000

Hi Yutaka,

Thanks for your comments.
Please, see my reply inline...

Regards,
 Rifaat


On Mon, Jul 20, 2015 at 10:53 AM, Yutaka OIWA <y.oiwa@aist.go.jp> wrote:

> Dear HTTPAUTH WG,
>
> the following is my technical comments for the submitted draft.
>
> 1. The authentication exchange of the HTTP should be carefully
> reconsidered.
>    It will usually start with unauthenticated request to the server, and
>    the response can contain "realm", without any specific discovery
> mechanisms.
>
>
That is the intention; if that was not clear then we will try to clarify it.
Is the confusing part the fact that we called it "discovery"?



> 2. The final response for the successful authentication should use
>    Authentication-Info header instead of WWW-Authenticate, whose
>    spec is under clarification by Julian.
>

Yes, and that is already specified in section 6.
We will fix the flow diagram in section 2; it was a copy&paste error.



>    It's also better that the normal response codes (200 or 401) is
>    shown in the exchange examples for easier understanding.
>
>
Agree.




> 3. Please clarify explicitly how the six-message exchange can be shorten
>    on what cases.
>    Especially, avoiding re-computation of "public keys" is critical for
>    any effective use of public-key-based cryptography (including any
>    known PAKE algorithms) on stateless HTTP.
>    It will require introduction of something similar to (next-)nonce
>    in Digest or "sid" in Mutual and SCRAM, along with replay-preventing
>    mechanisms.  It should be clarified how replay attacks can be prevented
>    when public keys are reused.
>
>
Is this related to subsequent requests in the context of the same session?



> 4. There are distinct kinds of responses with different semantics but
>    sharing the same "WWW-Authentication: SRP" header, and so kinds of
>    requests sharing "Authorization: SRP".
>    It should be clarified how each peer will distinguish those kinds of
>    messages (e.g. existence or non-existence of client-pop field).
>    It will be important for handling (or rejection)
>    of malformed messages without any ambiguity (or possible cheating with
> it).
>
>
For this, we expect the client to send the server-public-key it received
from the server to allow the server the ability to distinguish between the
various requests.


Regards,
 Rifaat


>
> On 2015/06/01 0:53, Rifaat Shekh-Yusef wrote:
> > Hi,
> >
> > Yaron and I have just submitted a draft that defines a new authentication
> > scheme based on the SRP protocol, to be used with the HTTP Authentication
> > Framework.
> > We would appreciate any thoughts, reviews, and feedback on this document.
> >
> > Regards,
> >  Rifaat
> >
> >
> >
> >
> > ---------- Forwarded message ----------
> > From: <internet-drafts@ietf.org>
> > Date: Sun, May 31, 2015 at 11:48 AM
> > Subject: New Version Notification for
> draft-yusef-httpauth-srp-scheme-00.txt
> > To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Yaron Sheffer <
> > yaronf.ietf@gmail.com>
> >
> >
> >
> > A new version of I-D, draft-yusef-httpauth-srp-scheme-00.txt
> > has been successfully submitted by Rifaat Shekh-Yusef and posted to the
> > IETF repository.
> >
> > Name:           draft-yusef-httpauth-srp-scheme
> > Revision:       00
> > Title:          HTTP Secure Remote Password (SRP) Authentication Scheme
> > Document date:  2015-05-31
> > Group:          Individual Submission
> > Pages:          11
> > URL:
> >
> https://www.ietf.org/internet-drafts/draft-yusef-httpauth-srp-scheme-00.txt
> > Status:
> > https://datatracker.ietf.org/doc/draft-yusef-httpauth-srp-scheme/
> > Htmlized:
> > https://tools.ietf.org/html/draft-yusef-httpauth-srp-scheme-00
> >
> >
> > Abstract:
> >    This document defines an HTTP Authentication Scheme that is based on
> >    the Secure Remote Password (SRP) protocol.  The SRP protocol is an
> >    Augmented Password Authenticated Key Exchange (PAKE) protocol
> >    suitable for authenticating users and exchanging keys over an
> >    untrusted network.
> >
> >
> >
> >
> > Please note that it may take a couple of minutes from the time of
> submission
> > until the htmlized version and diff are available at tools.ietf.org.
> >
> > The IETF Secretariat
> >
> >
> >
> > _______________________________________________
> > http-auth mailing list
> > http-auth@ietf.org
> > https://www.ietf.org/mailman/listinfo/http-auth
> >
>
> --
> Yutaka OIWA, Ph.D.               Planning Officer, Research Planning Office
>                      Department of Information Technology and Human Factors
>     National Institute of Advanced Industrial Science and Technology (AIST)
>                       Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp
> >
> OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405
> 46B5]
>

v2.23.0 | Report a Bug | By Email