Re: [http-auth] Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)

Michael Thomas <mike@fresheez.com> Tue, 06 January 2015 16:02 UTC

Message-ID: <54AC0701.3020703@fresheez.com>
Date: Tue, 06 Jan 2015 08:02:09 -0800
From: Michael Thomas <mike@fresheez.com>
To: Barry Leiba <Barry.Leiba@huawei.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Barry Leiba <barryleiba@computer.org>
References: <20150105174855.11968.51931.idtracker@ietfa.amsl.com> <54AAE9C7.8010105@cs.tcd.ie> <CALaySJ+j2u3_amk-BSjDgRvoGKFjsqn8k1Lm8pN0dW5dCXck3g@mail.gmail.com> <9C2AA051DD3C464F8ADEE38AEE6C26AD18C9E7BA@dfweml704-chm> <54AB4FFF.4040402@cs.tcd.ie> <CALaySJ+QY12hbrn0SkzwCakcBR3mqSD7XkHAQEspogafVq1_-g@mail.gmail.com> <54ABAF30.8040207@cs.tcd.ie> <9C2AA051DD3C464F8ADEE38AEE6C26AD18C9E90C@dfweml704-chm>
In-Reply-To: <9C2AA051DD3C464F8ADEE38AEE6C26AD18C9E90C@dfweml704-chm>
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/ep7ThmscbMXXh_T9ZelC4oQMMTc
Cc: "draft-ietf-httpauth-hoba.all@tools.ietf.org" <draft-ietf-httpauth-hoba.all@tools.ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "httpauth-chairs@tools.ietf.org" <httpauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [http-auth] Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)

Thanks, Barry. The programmer in me thinks these are very useful too.

Mike

On 01/06/2015 06:05 AM, Barry Leiba wrote:
>>> This document would benefit from some section somewhere giving a set
>>> of clear, numbered steps, saying who sends, who receives, and who does
>>> what with what input at each step.  I will propose such text.
>> And I'll happily look at that when it's available. (And hope to not have
>> to wait much:-)
>
> And here we go; not a lot, but I think it really helps.  Of course, adjust it if I got anything wrong or worded inaccurately.  Note how the section references jump around -- that's why I found it hard to follow, and why I think this is a big help.  I'm suggesting making this Section 1.3 because I think having it up front makes it the most useful.
>
> -------------------------------------
> 1.3 An Overview of HOBA-http Authentication
>
> HOBA authentication uses the HTTP authentication framework defined in
> [RFC7235], using a number of HOBA-specific elements.  This is a high-level
> overview of HOBA-http authentication:
>
> 1. If the user is not already registered with the web-origin and realm it is
> trying to access, the "joining" process is invoked (see Section 6.1).  This
> creates a key pair and makes the CPK known to the server.
>
> 2. The client connects to the server and makes a request, and the server's
> response includes a WWW-Authenticate header field that contains the "HOBA"
> auth-scheme, along with associated parameters (see Section 3).
>
> 3. The client uses the challenge from the HOBA auth-scheme parameters, along
> with other information it knows about the web-origin and realm, to create
> and sign a HOBA-TBS string (see Section 2).
>
> 4. The client creates a HOBA client-result (HOBA-RES), using the signed
> HOBA-TBS for the "sig" value (see Section 2).
>
> 5. The client includes the Authorization header field in its next request,
> using the "HOBA" auth-scheme and putting the HOBA client-result in an
> auth-param named "result" (see Section 3).
>
> 6. The server authenticates the HOBA client-result (see Section 5.3).
>
> 7. Typically, the server's response includes a session cookie that allows
> the client to indicate its authentication state in future requests (see
> Section 1.1).
>
> [You might include an example here, as Julian suggests.  Or perhaps you might put an example in an appendix, and just cite it here.]
>
> -------------------------------------
>
> Please let me know what you think.
>
> Barry
>
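The seven steps Barry lists, carried through end to end in Go as an added example; this is not code from the draft, its authors or anyone in this thread. It assumes: a web-origin of https://www.example.com:443 and a realm of "example"; the HOBA-TBS layout (each field prefixed by its decimal length, fields joined with ":") and the HOBA-RES layout (kid "." challenge "." nonce "." sig, all base64url) as the author of this example reads them in RFC 7486, which this draft became, so check both against Section 2 of the text you implement; alg "0" as RSA PKCS#1 v1.5 with SHA-256; a kid derived as base64url(SHA-256(SPKI DER)), which is this example's choice; and an in-memory, single-use challenge table in place of real HTTP, max-age expiry and the step-7 session cookie. The point it adds to the prose is in Authenticate: the server rebuilds the TBS from its own origin and realm, so a result signed for another origin is rejected, and consuming the challenge makes a replayed result fail.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

const origin, realm, alg = "https://www.example.com:443", "example", "0" // assumed values; alg "0" = RSA-SHA256
var b64 = base64.RawURLEncoding                                         // base64url, no padding; "." never occurs in it

// hobaTBS: each field prefixed by its decimal length, all joined with ":" (RFC 7486 layout, assumed).
func hobaTBS(nonce, alg, origin, realm, kid, challenge string) string {
	var parts []string
	for _, f := range []string{nonce, alg, origin, realm, kid, challenge} {
		parts = append(parts, fmt.Sprintf("%d:%s", len(f), f))
	}
	return strings.Join(parts, ":")
}

type Server struct {
	keys       map[string]*rsa.PublicKey // kid -> CPK learned during joining
	challenges map[string]bool           // outstanding, single-use challenges
}

// Join is step 1. Deriving kid as base64url(SHA-256(SPKI DER)) is this example's choice.
func (s *Server) Join(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	sum := sha256.Sum256(der)
	kid := b64.EncodeToString(sum[:])
	s.keys[kid] = pub
	return kid
}

// Challenge is step 2: mint a random challenge and the WWW-Authenticate value.
func (s *Server) Challenge() (header, challenge string) {
	buf := make([]byte, 32)
	rand.Read(buf) // crypto/rand: never a short read on modern Go
	challenge = b64.EncodeToString(buf)
	s.challenges[challenge] = true
	return fmt.Sprintf(`HOBA realm="%s", challenge="%s", max-age=60`, realm, challenge), challenge
}

// ClientResult is steps 3-5: sign HOBA-TBS and return HOBA-RES = kid.challenge.nonce.sig.
func ClientResult(priv *rsa.PrivateKey, kid, challenge, clientOrigin string) (string, error) {
	buf := make([]byte, 16)
	rand.Read(buf)
	nonce := b64.EncodeToString(buf)
	digest := sha256.Sum256([]byte(hobaTBS(nonce, alg, clientOrigin, realm, kid, challenge)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return strings.Join([]string{kid, challenge, nonce, b64.EncodeToString(sig)}, "."), nil
}

// Authenticate is step 6: the TBS is rebuilt from the server's own origin and realm.
func (s *Server) Authenticate(result string) error {
	p := strings.Split(result, ".")
	if len(p) != 4 {
		return errors.New("malformed HOBA-RES")
	}
	kid, challenge, nonce := p[0], p[1], p[2]
	sig, err := b64.DecodeString(p[3])
	if err != nil {
		return err
	}
	if !s.challenges[challenge] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, challenge) // consume it: one answer per challenge, so replay fails
	pub, ok := s.keys[kid]
	if !ok {
		return errors.New("unknown kid")
	}
	digest := sha256.Sum256([]byte(hobaTBS(nonce, alg, origin, realm, kid, challenge)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// Demo runs one full exchange and returns the three verification outcomes.
func Demo() (firstUse, replay, wrongOrigin error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	srv := &Server{keys: map[string]*rsa.PublicKey{}, challenges: map[string]bool{}}
	kid := srv.Join(&priv.PublicKey)
	hdr, ch := srv.Challenge()
	res, _ := ClientResult(priv, kid, ch, origin)
	fmt.Printf("WWW-Authenticate: %s\nAuthorization: HOBA result=%q\n", hdr, res)
	firstUse, replay = srv.Authenticate(res), srv.Authenticate(res) // second call replays the same result
	_, ch2 := srv.Challenge()
	bad, _ := ClientResult(priv, kid, ch2, "https://attacker.example:443") // signed for another origin
	return firstUse, replay, srv.Authenticate(bad)
}
func main() { fmt.Println(Demo()) }
```

Running it prints the two header values and then `<nil>`, a challenge error and a signature error: the first result verifies, the replay is refused because the challenge was consumed, and the result signed under a different origin fails verification because the server never uses the origin the client claims, only its own.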