Re: [http-auth] Terry Manderson's No Objection on draft-ietf-httpauth-mutual-10: (with COMMENT)

Yutaka OIWA <y.oiwa@aist.go.jp> Wed, 09 November 2016 06:11 UTC

Return-Path: <y.oiwa@aist.go.jp>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B225A129479; Tue, 8 Nov 2016 22:11:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aist.go.jp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hqPN9Qji5dLr; Tue, 8 Nov 2016 22:11:18 -0800 (PST)
Received: from JPN01-OS2-obe.outbound.protection.outlook.com (mail-os2jpn01on0048.outbound.protection.outlook.com [104.47.92.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BEF512962A; Tue, 8 Nov 2016 22:11:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aist.go.jp; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=fpdb5jD0rD5mtMcoB9BZ7OirdeE5CY0nhdevJ93LA/Q=; b=gh0RdAsMBPsvgS0T4qHBZAYt6m9ksR3X0H/MvN4avnH7Ap2xmkaiyW3Ic4lJD/9mVC9Y4vF9Ktj1gQ8fVsO1YYzPNPMVpbaBaqjin0xL3tJC01qUp6KN8arfTlFC92hg7wlVpK9TqPEXKgUD7e3fhu+OETvQz7ksgpPPEToIXlo=
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=y.oiwa@aist.go.jp;
Received: from [150.29.149.113] (150.29.149.113) by OSXPR01MB0583.jpnprd01.prod.outlook.com (10.167.146.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.707.6; Wed, 9 Nov 2016 06:11:14 +0000
To: Terry Manderson <terry.manderson@icann.org>, The IESG <iesg@ietf.org>
References: <147804465351.23964.4743241573285672461.idtracker@ietfa.amsl.com>
From: Yutaka OIWA <y.oiwa@aist.go.jp>
Message-ID: <8ee97cfb-1261-247b-24b3-e5f0d1396c42@aist.go.jp>
Date: Wed, 9 Nov 2016 15:11:12 +0900
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <147804465351.23964.4743241573285672461.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="iso-2022-jp"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [150.29.149.113]
X-ClientProxiedBy: TY1PR01CA0077.jpnprd01.prod.outlook.com (10.167.153.165) To OSXPR01MB0583.jpnprd01.prod.outlook.com (10.167.146.145)
X-MS-Office365-Filtering-Correlation-Id: c46da920-2d17-44c1-28e3-08d4086735f2
X-Microsoft-Exchange-Diagnostics: 1; OSXPR01MB0583; 2:AAHtApAzQot7etlZAqDxEnO7fBZDH1VH26VjJquaiOtta8k10WhpfsbXU9n4kR/6mDNIJ6hDn79po2/TC14OSI1BBZz5X5M/eScihr49hY2rgfpIJkW7B/Q2Mxck99T3h0lR4s7ehd0Bi1maOMA8hsWv8Z8HJJseKQWPWqbyuKlPdbRkl5qrfSkAghY5iQkGjQXLDGIcjR3HavzQaPZs2g==; 3:BD7ORBwQ4Ux7xtMhqazTkpV5Myfp5J3ZBUexNmsrTQVykUMESofKYRkWC1qQLwnyIywg0TqwdjbKRYR5hKeEXV0osIvmLBLv6qsyefpU6tHMukz7JspYblJriBaZJPJVGyOQ3qq5IvruE9wbIEG/xg==
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:OSXPR01MB0583;
X-Microsoft-Exchange-Diagnostics: 1; OSXPR01MB0583; 25:xiNybMb9VY9tuarfEDteUOXr4onolEmm2km2fNZqx6NqJET9NOQ1tvYMC5DskOKFr0NIZzPtwZFuurQPvylYts9K+GqX+KCtSYfVZKwcaf4SuzaGdZOb6mRkfyBU0nZBaWLzl4zZrgBcvM49uG1JVDhXfhFQZwVB30RXFth1rYWPK+ktW+HZ6UzSRJaDshZ2YoucGKh13CDCS7e9G6BrFKz408ekhOZ/LIj1SR7I6Jthji3ZJ4yi/a7YN3Er016WjER2oA6l0n5/DB/Sefd71WaRtRQCu6ju8tmwvBi6LYFKJyXdRNy4jardExdMy3gnXEOXrDXaztvhaGoYekijby6/RgKgZQq9SNhgrBfiH1nbih2EQtlLRFi4yi4CkwOgUHVL/f6PRlvQU7K4zSc+h89InTGQNog4IbraCUyEF6r8GT2r6vTlAWxTN9q6B6OvHbrQNA1OR6zDviQBCe6x7eMsTKgC8qJlu4L0XXWLKS5BntRRbBS94PoBK4IP6xchyRHYBiK3xSIfPtSfb+jtgUb7SKxq56aCk+sGDlk2wkP74SEojyMS7aqVuUNDx2cPHu7cvFPQODV60MEJWFY6ebEkiSNa7hFKNhjA+5Ik1pQHBfdZPmRi2xjBcyBaP62POb0H7tVsqKKlF+ngdn4XJMvOzibLr1oO1at56DCHGVJitg0V9lsemy/L3/CbswVnHWpKeukWA8IcX2iYx7XWRu7U34JV2KxkCEEXyqnPM2bf9fGSeifyXUJHmrFepGeo
X-Microsoft-Exchange-Diagnostics: 1; OSXPR01MB0583; 31:pjT4CmzPSTNNtPoI8CtT/UuS96QvXEX06UflVV1sbrK09AIX1xxhDW869IIjlQSouRkavjRTksz9gtip8LIbUMIpSdVpGiZ78XQOWu1zDrM2hGzkkb6PbtxJlixVnSKWtOEZkkATOBttbX+CbEnnVIyufnDKlPABbCkb9t9hHWnWM9N1u7QIpKDKw1oqR7clbq/9/bFnY6ioeskczyLrgt4qOEUwN5XxCHb7IL/VjHFUW1cTdcNgmUHCgdPGeaSs; 20:7AfId9T2p5CuHJ9QnBxs9yqr/E3dPxpdzopiKMI+z1VCkcMOthIVl1Y7olxaUGP4RKrYuHYfnkNa3z/Ms7XGYrsOpqn5Kx9MWhIxXlk73jIbsBZO1G6Nr4JNNmbNOjon2+ezSBDXylquUmVdCRdq6RJKT6HNcATnzw6TMomVhLs7bVrlBj+UggdZH4a3oc8aPFW2Ert7ote8StanH8MfmVA2ilISiw+rf8XA7pcbj1DMtZms8wliZbyjuSXx20NtQCNOy3jTwwnevhL37BdWADNVg/YT5RHKmVcKUtv7edEkTqhIGn9W8yZWAkVrqnXoX5WPtvFaurPWXPYd+LWf03hxjcIqqLZWmtOnUK7TqHOk+Lj92vEjULHTLZCBrCMmhu87xXbWQCm+rluWMfhW9FLLambOiUYZ9+C9vYev+99wWhxYK/XSs8vZ5mKsSXx66hiBikCJ1MrL/f5z9i8bvUdM/GJTwmiiPZpTQVgCra6If2aWnB9W9AqDw1T1zjF9VKetB5MGU0Mlu3ulwfiAy4hq60IggSlqPBr2KLsWKSukcuh/W7em/sQpmEcejEKLLnOv7MNsEpczygCI1qIWh/XZuNvyk4STkj5GLIUVhcM=
X-Microsoft-Antispam-PRVS: <OSXPR01MB0583F5E12E3729C2260B491FA0B90@OSXPR01MB0583.jpnprd01.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:(158342451672863)(192374486261705);
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(6040176)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026); SRVR:OSXPR01MB0583; BCL:0; PCL:0; RULEID:; SRVR:OSXPR01MB0583;
X-Microsoft-Exchange-Diagnostics: 1; OSXPR01MB0583; 4:ayJ2XZ4LN9+PaXJNBVyH0cIY2BW2TNnlAVh/zcgTYlrT+PGOU3XrurAGFpMalaDHQ6yg/fkLCAqFTnWvUVh6r49h2bAKHTV4o4ztUdYYLtCiSYIZI9EW3Jvb4GDlZef85WAOt/mGVubGuKoA2f+hscSe3g1yd87VaS1Bba5+4lzhKP/Y/yE6hbX6G57WbA0HzKvr4cvn5M6wQUnDJHfMkOq9bSghxe6AfXv5jsIWJmaTV9I87qcBkzmx4bHsAcxt7GuQupJlWP60OK0myapMEg/UqzVDuN3kg40nJuoRIQyxt9tcuQNC7dWoWypJNt+a0BseKKWuyetIG228iWm/L2skgLUERX57PcBz2uHdesFoxtbPTjUSPAcYZVUqwtoMYzn5Li0dkvpDSkxdSLu4Ogz2SSPJkzVUe/UmSbE2mU+ipSj2XzU7HVgEdxbRzUuO3Y6SoN8QCNHV0b5Ros8VcOcEHeK8Q7C2i9C5fk9RmU8=
X-Forefront-PRVS: 0121F24F22
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(4630300001)(6009001)(6049001)(7916002)(24454002)(199003)(189002)(42186005)(42882006)(77096005)(8676002)(65806001)(68736007)(2950100002)(74482002)(81166006)(6116002)(586003)(97736004)(3846002)(64126003)(65826007)(81156014)(92566002)(31696002)(4001350100001)(305945005)(31686004)(5001770100001)(2906002)(230783001)(50466002)(5660300001)(189998001)(50986999)(86362001)(7846002)(23736002)(551544002)(76176999)(7736002)(345774005)(33646002)(36756003)(83506001)(106356001)(65956001)(47776003)(230700001)(66066001)(105586002)(4326007)(101416001)(54356999)(120846001)(7099028)(3940600001); DIR:OUT; SFP:1101; SCL:1; SRVR:OSXPR01MB0583; H:[150.29.149.113]; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
Received-SPF: None (protection.outlook.com: aist.go.jp does not designate permitted sender hosts)
X-Microsoft-Exchange-Diagnostics: =?iso-2022-jp?B?MTtPU1hQUjAxTUIwNTgzOzIzOjd3bmNCczUxbnBJMnlFVVFPMnY1YU8r?= =?iso-2022-jp?B?RGxiUUhVUDcwYWdVSm5LaVZyaWk4aWluSTdVL0VvYWNqbVJ4TEEvNHNW?= =?iso-2022-jp?B?cVRINlZHZGoyTTZUcnlhVWNrMFdtdGZJQ2p2QTJkRzRPUStaMnlqU3pI?= =?iso-2022-jp?B?SThMMGdnSnFyME4zK0NNK1JyQ1FlUkY4WjNIMVQ1ZDBibnhTbTdRNmJn?= =?iso-2022-jp?B?c3RURExuTk5xZmI5cWZHMzl4dXlCMFlpcWg4S2NrcEIyTE5Ec1J3eFBq?= =?iso-2022-jp?B?ako4blJmdk5LT25RSzhTdGUxNCtyV2VaSm5JODJPNkhFeThXNEhuUzV0?= =?iso-2022-jp?B?SWVhT0tPc2pQTXJiNWxhckFrYUY5K3pQQ2laOFp6NCtZK0l3TThuUU8w?= =?iso-2022-jp?B?NXlPUWJUQWsyalgvNklma3hnMjZWWE5NbG5zdkdSSzM0WGdaNU1CRmxV?= =?iso-2022-jp?B?WHBNV01vSXozb2FHWkl5ckhpbVB0WUlrWEJ0RmxiZmQranRlckdKdlA3?= =?iso-2022-jp?B?cTgvQkJqeG96Wi9zbHk3WXhZdDhjVS9EaHVJQmJmbXNsU2RDRTdqRmti?= =?iso-2022-jp?B?aXFyT2JYbkY4THFVc0JzWmhkTkZMNVhnVDhhT2lnKzQrRGVWK0V0dGtS?= =?iso-2022-jp?B?N3ZydnpqYVd4K055VmtjdkJhN2JxbE9Jd09lLzk2RzN1Y1NzU0NkZ2xU?= =?iso-2022-jp?B?VXg3T3V1WDJSRGpDa09HbXU3NmlVUTR3dVQwUXYxSjV4d1lNTVp6QW16?= =?iso-2022-jp?B?STdZZTlIT1d1S3IyaW9kSWJ1Z01TKzBLd0tYb3VSRGFzbXlUekE4ZzE2?= =?iso-2022-jp?B?dUJDaUVlMjhkRUUxV3RmditsZmRINlhYaU9YaUpvcjlLazhaMG5xdWVC?= =?iso-2022-jp?B?K0RNU1FnSG40N3FhMllXNnR0WW4veXZZb0R1amt2YXZ6VTVxUGV4eEpp?= =?iso-2022-jp?B?WG8rSUdVMDdBTDIxVzlzVmFES1BtRzVVWFZYOVJsK2JsQlU3dWs5WHU4?= =?iso-2022-jp?B?djYzZ0JMK3JHS1RZcGJtdXZuMGRVdFIzLzNUU1NlRmRlLzBncmFZY2Nj?= =?iso-2022-jp?B?MlZMUFVYNDg4VzNHWmRDS1Z1c1ZldmZtNlR2b0p3UVhxN2VnQ1p5TENn?= =?iso-2022-jp?B?YUROUEo5QkFaczQzemdqOGhpa1laZk1OaENDeHpHWXM0MEZiem5PV3Ni?= =?iso-2022-jp?B?NUFlN2NHS3lpWUlud2RBV21pOThwWVNkcEFuR09GdTF3Zkx4dFAxSFlv?= =?iso-2022-jp?B?RWZqb2tRTzRwdXVVVG9aVmhDUlVXeVZiSWtPdFN5em00dTN2MDdkNHlF?= =?iso-2022-jp?B?MXRwTkZHeGY5YWpLamZlSUU2NGN0WXNBRnJRQnBJQStCU2ZMekgraXZ4?= =?iso-2022-jp?B?eUZJVmxDZmdoNzhDdTNIUWFYQ1VGejFJbDFEMUlLTk9YbndQNzdpZ1FV?= =?iso-2022-jp?B?dFBmQnI4cVNZa1BnbGdwV3o0dE5xczFmMDZPangzZUV0d1p3WkJLY1Iy?= =?iso-2022-jp?B?ZWlLQzROUUFrdzZRYmx0VkdkWk5odEFHZ0xRSFkwUW5lZVluMkNZRjZV?= =?iso-2022-jp?B?dVVjOFhhQXJYSlFWZWFOWS9YZTgvT2t3Z0Z5SDFSREZHUFhaUGZCQits?= =?iso-2022-jp?B?MVlscUV1Y1JneXMreFVVd1owV1pHUE4yYnUweFQ4STI3YzlQSTJYVGZG?= =?iso-2022-jp?B?ZzB5VXZXb3NmbEVsYnpMelpDWklZYlZCODRNc2tsWGwvNlRHWlRjNjYy?= =?iso-2022-jp?B?b0JaaEhjL1ovWFdBbmd6OGRqNjVFbHFnNTBCYjBvK1AyRUhDdHVvLy85?= =?iso-2022-jp?B?VGozZExodmNiSE1YMitOVm11M2c2MkRhN1NIRGl2SzU0YlVzb2dXU3pD?= =?iso-2022-jp?B?ZHdWM01oMmt4THVOWVJ0SEt4aExRWmF6VlNIamRWa0ZEQU15ckYzVU1a?= =?iso-2022-jp?B?WExzVHVpNEREU2J2Y3FOVFZUWXR1MHVlV3ZDWmNMdStWSElTMFZodUMr?= =?iso-2022-jp?B?UmFKNW5MVi9HMUZPTG9TUlVyaWJuR3kyR0w4c0sxanZBTGR3eHErK3U=?=
X-Microsoft-Exchange-Diagnostics: 1; OSXPR01MB0583; 6:mVqk34u1JMAUp/oM9NbL/x9TkPMtDgwEYWy8L6GbFuWBmDuBADTluHnBAaua3QpCDKJP/EvovcP6JjA+oqLscbc6MaDhiOBELKDSy2w3jwsvQ3e5RjbizD0OMIbxLqCw1VDzL5aTwxlXs/yEGIeSFoXFbpRNNtl/QoJo1XQC1st20AueZWbgyjvC8o0JOrd8S+koSAmIXCqbGa3DUu1kZP00+mpM34/fFS4I7LPoLhsZJN9EhVaYbNz//Mr7q2DHQ1T7VLqBQbT6MkQ4pdoKp3HIWCO/g6htaW/CgZFuAK8nZYlXBeP0DnlYlcbDBBTx5yGavRZwlkPXcgRu5oZM1DYz1GSWDSE52R/oTj+8Ntc=; 5:5WQN8ER7LGHvw12hVE2Oz4R+CEpWG4nqRcJcSVdSsw9yd3vERLvLSqp/3S9B72cO+bw4tRs2b6S6KFqjT+o8oZtPco+g3hd408rVxRCsNC+SlsSSZB1vSjNu8NVz4SPHyUIx5OaIJbGiTP4kCFK6kw==; 24:I/guL4OZ77wyWcyTG20yk4QJ+QwYyW8pAdRUgck0Huc3saO0gjbZpkZYqrjL3eVUEpOq+VJx2trYplswnbWmNfXU6WlyXBboofemHOiz20M=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1; OSXPR01MB0583; 7:iqEzbghtlylFKDqAoJJA0A1AB7FxQD6yX/7lllhixBxyHlH+LbWy5pO9CqiltQHMrgboT1GEPaeSxk0fG3YK3fk0DsBhPNc+Yd1bgmGPrXch4DqEMzJnpbOKf39rxxvc8SynVzEzrfyNUFbxiyw0xdrY60DaoOQ7KDpAKBOXxULEqogMWjwSYo6qIDf+fHuWOyd8ODtnHdRqsPryx0qT147nFSzGQuOcthOtOMUCmtamYq5n8I8a7dSf8zKpYhe9zfFNE0PmfemVL2fT37HywsDyK0b6Ssn87m217eEz4N6K97P0irGd+fZdKgm/UeB5rjuXaY9i9Zd8bNWwqG9UDYWrm1MaSeLLSjz9AQWnp58=
X-OriginatorOrg: aist.go.jp
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Nov 2016 06:11:14.2976 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: OSXPR01MB0583
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-auth/g-KLhukJFHhXF0TGM-nvY2K_ins>
Cc: http-auth@ietf.org, draft-ietf-httpauth-mutual@ietf.org, httpauth-chairs@ietf.org
Subject: Re: [http-auth] Terry Manderson's No Objection on draft-ietf-httpauth-mutual-10: (with COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Nov 2016 06:11:21 -0000

Dear Terry,

thank you for the detailed comment.

On 11/02/16 08:57, Terry Manderson wrote:

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thanks for writing a very detailed document. 
> 
> A few minor comments.
> 
> 1) Please review the introduction, there are several grammatical errors
> in there. Meaning still came through just fine, but they were a little
> distracting.

We try to improve it in the next draft.

> 2) The state machine diagram of the client is quite complex. A candidate
> for the new RFC format?

Maybe :-)  We have a vector-graphics version in our hand.
(former submitted PDF versions have included it.)

> 3) I agree with Alvaro's comment on the IPR. Thank you for making it
> royalty free, however not sure you need to add the text in the RFC.

Thank you.  We remove it.

> 4) This to me seems as it is essentially a shared secret construct, one
> sentence from RFC 2361 (security considerations) seems applicable here.
> "All the security in this system is provided by the secrecy of the
> private keying material." If this the case, please provide ample warning
> that (as one would expect) loss of the password from either the client or
> the server results in a complete compromise.

Situation is a bit more detailed (strong passwords are safe against
server-side compromise), and We'll add a new subsection in Security Consideration.

-- 
Yutaka OIWA, Ph.D.        Leader, Cyber Physical Architecture Research Group
                                   Information Technology Research Institute
     National Institute of Advanced Industrial Science and Technology (AIST)
                       Mail addresses: <y.oiwa@aist.go.jp>jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]