Re: [http-auth] Fwd: New Version Notification for draft-yusef-httpauth-srp-scheme-00.txt
Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Mon, 20 July 2015 12:10 UTC
Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE2F81A7005 for <http-auth@ietfa.amsl.com>; Mon, 20 Jul 2015 05:10:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_45=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lSS_gNdEXBO6 for <http-auth@ietfa.amsl.com>; Mon, 20 Jul 2015 05:09:57 -0700 (PDT)
Received: from mail-vn0-x22f.google.com (mail-vn0-x22f.google.com [IPv6:2607:f8b0:400c:c0f::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBCAE1A21B3 for <http-auth@ietf.org>; Mon, 20 Jul 2015 05:09:51 -0700 (PDT)
Received: by vnav141 with SMTP id v141so22037902vna.0 for <http-auth@ietf.org>; Mon, 20 Jul 2015 05:09:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Cy/Dy1GDxEB6gGYv0kwJX+xIOwT2/fIlUEa6Nq4atM4=; b=Lou73FPsimoSOjOJp5ZR/Qck3+EG2xH3yxCGEtAN+FGNg23zEj4XOrN2Z/kuF2uAan bBoZnQbGzG2I6ubl/D5DQahe3yKpEya6zPiA4eTk5H3UmyCW48B2oE98+j+bw2kBNw21 wcDlKt45U+iIk80isql07fEb8psbc+XUAThm/iuEbZ1kZNVYw70e7CPUAZ30zsw2hm0z kjWZ9IKZrDfGI1EKdeGCXSYc0rYIh069zzIgRlQA4zrF6B1YkuJB5krohJXmMt3haiU4 95oT7VlNhPSky3FiqUD/Kp6slQXoJ3ND6/DcwuUMGnVieLoqCkqRGORHEslmZyESiV0J 5jwA==
MIME-Version: 1.0
X-Received: by 10.52.17.2 with SMTP id k2mr204901vdd.15.1437394191039; Mon, 20 Jul 2015 05:09:51 -0700 (PDT)
Received: by 10.31.53.72 with HTTP; Mon, 20 Jul 2015 05:09:50 -0700 (PDT)
In-Reply-To: <55ACB70B.1070603@aist.go.jp>
References: <20150531154835.3639.52041.idtracker@ietfa.amsl.com> <CAGL6epJ=dQw9FZS7aUX3B6oLJUw-s9+ARMbrjjZ0K+283inCkg@mail.gmail.com> <55ACB70B.1070603@aist.go.jp>
Date: Mon, 20 Jul 2015 14:09:50 +0200
Message-ID: <CAGL6epKgcp-KxhUFkMv41-pnF3Gqhm5Oxy7LQQW-Jc5XnKSM3A@mail.gmail.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
To: Yutaka OIWA <y.oiwa@aist.go.jp>
Content-Type: multipart/alternative; boundary="001a11365fb028c14e051b4d6a10"
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/eiyz-6P8ddVOTyKjZEI7RoP0pZk>
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Fwd: New Version Notification for draft-yusef-httpauth-srp-scheme-00.txt
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 12:10:01 -0000
Hi Yutaka, Thanks for your comments. Please, see my reply inline... Regards, Rifaat On Mon, Jul 20, 2015 at 10:53 AM, Yutaka OIWA <y.oiwa@aist.go.jp> wrote: > Dear HTTPAUTH WG, > > the following is my technical comments for the submitted draft. > > 1. The authentication exchange of the HTTP should be carefully > reconsidered. > It will usually start with unauthenticated request to the server, and > the response can contain "realm", without any specific discovery > mechanisms. > > That is the intention; if that was not clear then we will try to clarify it. Is the confusing part the fact that we called it "discovery"? > 2. The final response for the successful authentication should use > Authentication-Info header instead of WWW-Authenticate, whose > spec is under clarification by Julian. > Yes, and that is already specified in section 6. We will fix the flow diagram in section 2; it was a copy&paste error. > It's also better that the normal response codes (200 or 401) is > shown in the exchange examples for easier understanding. > > Agree. > 3. Please clarify explicitly how the six-message exchange can be shorten > on what cases. > Especially, avoiding re-computation of "public keys" is critical for > any effective use of public-key-based cryptography (including any > known PAKE algorithms) on stateless HTTP. > It will require introduction of something similar to (next-)nonce > in Digest or "sid" in Mutual and SCRAM, along with replay-preventing > mechanisms. It should be clarified how replay attacks can be prevented > when public keys are reused. > > Is this related to subsequent requests in the context of the same session? > 4. There are distinct kinds of responses with different semantics but > sharing the same "WWW-Authentication: SRP" header, and so kinds of > requests sharing "Authorization: SRP". > It should be clarified how each peer will distinguish those kinds of > messages (e.g. existence or non-existence of client-pop field). > It will be important for handling (or rejection) > of malformed messages without any ambiguity (or possible cheating with > it). > > For this, we expect the client to send the server-public-key it received from the server to allow the server the ability to distinguish between the various requests. Regards, Rifaat > > On 2015/06/01 0:53, Rifaat Shekh-Yusef wrote: > > Hi, > > > > Yaron and I have just submitted a draft that defines a new authentication > > scheme based on the SRP protocol, to be used with the HTTP Authentication > > Framework. > > We would appreciate any thoughts, reviews, and feedback on this document. > > > > Regards, > > Rifaat > > > > > > > > > > ---------- Forwarded message ---------- > > From: <internet-drafts@ietf.org> > > Date: Sun, May 31, 2015 at 11:48 AM > > Subject: New Version Notification for > draft-yusef-httpauth-srp-scheme-00.txt > > To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Yaron Sheffer < > > yaronf.ietf@gmail.com> > > > > > > > > A new version of I-D, draft-yusef-httpauth-srp-scheme-00.txt > > has been successfully submitted by Rifaat Shekh-Yusef and posted to the > > IETF repository. > > > > Name: draft-yusef-httpauth-srp-scheme > > Revision: 00 > > Title: HTTP Secure Remote Password (SRP) Authentication Scheme > > Document date: 2015-05-31 > > Group: Individual Submission > > Pages: 11 > > URL: > > > https://www.ietf.org/internet-drafts/draft-yusef-httpauth-srp-scheme-00.txt > > Status: > > https://datatracker.ietf.org/doc/draft-yusef-httpauth-srp-scheme/ > > Htmlized: > > https://tools.ietf.org/html/draft-yusef-httpauth-srp-scheme-00 > > > > > > Abstract: > > This document defines an HTTP Authentication Scheme that is based on > > the Secure Remote Password (SRP) protocol. The SRP protocol is an > > Augmented Password Authenticated Key Exchange (PAKE) protocol > > suitable for authenticating users and exchanging keys over an > > untrusted network. > > > > > > > > > > Please note that it may take a couple of minutes from the time of > submission > > until the htmlized version and diff are available at tools.ietf.org. > > > > The IETF Secretariat > > > > > > > > _______________________________________________ > > http-auth mailing list > > http-auth@ietf.org > > https://www.ietf.org/mailman/listinfo/http-auth > > > > -- > Yutaka OIWA, Ph.D. Planning Officer, Research Planning Office > Department of Information Technology and Human Factors > National Institute of Advanced Industrial Science and Technology (AIST) > Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp > > > OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 > 46B5] >
- [http-auth] Fwd: New Version Notification for dra… Rifaat Shekh-Yusef
- Re: [http-auth] Fwd: New Version Notification for… Yutaka OIWA
- Re: [http-auth] Fwd: New Version Notification for… Yutaka OIWA
- Re: [http-auth] Fwd: New Version Notification for… Rifaat Shekh-Yusef
- Re: [http-auth] Fwd: New Version Notification for… Rifaat Shekh-Yusef
- Re: [http-auth] Fwd: New Version Notification for… Yutaka OIWA
- Re: [http-auth] Fwd: New Version Notification for… Yutaka OIWA