Re: [http-auth] Alissa Cooper's No Objection on draft-ietf-httpauth-hoba-09: (with COMMENT)
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 08 January 2015 00:39 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09EC91A8777; Wed, 7 Jan 2015 16:39:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kzfD4kt-s6rd; Wed, 7 Jan 2015 16:39:10 -0800 (PST)
Received: from mail-qg0-x22d.google.com (mail-qg0-x22d.google.com [IPv6:2607:f8b0:400d:c04::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB70F1A876F; Wed, 7 Jan 2015 16:39:09 -0800 (PST)
Received: by mail-qg0-f45.google.com with SMTP id z107so66576qgd.4; Wed, 07 Jan 2015 16:39:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:mime-version:subject:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=NOlCfQwh/v12PIcPaPSn0/2B5KE9OLO26ZB0b8OuQP8=; b=b+Ofp9x+q0PACoidWYK0igv6pHPqYtn1QO6dKEGbXAnPY5lkf2ejZ/mlBjGtol1bKM 0i2V6ZBQq3zAB1qDkIpwSEQtAVCM1rEAtMWsnJrP7U/Bw/PCDK1L95pIV3+kKGqxRbUt wX8q1VHOyxmBWKxPRcSy943g5aSLctgOpSXeJTCfyNMKpv84k6d2tm8kmvty6lXxA0Xk xNsW4FmjfQryJHlD5XeVVYP6ZjZyIHUeCscN1H0QaYWN7T2lljhY8F3L+Mvo8AcTNx8G TCxZOsEVGJKkc7VgqVArJWg32l8khazAG1JFk5L6eZ0N7VljDGI7PnyJthdqAtk2IHcB ntzQ==
X-Received: by 10.224.50.75 with SMTP id y11mr9867709qaf.89.1420677549134; Wed, 07 Jan 2015 16:39:09 -0800 (PST)
Received: from [192.168.1.3] (209-6-114-252.c3-0.arl-ubr1.sbo-arl.ma.cable.rcn.com. [209.6.114.252]) by mx.google.com with ESMTPSA id u14sm2607404qau.37.2015.01.07.16.39.07 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 07 Jan 2015 16:39:07 -0800 (PST)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
X-Google-Original-From: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
X-Mailer: iPhone Mail (11D257)
In-Reply-To: <54ADBD79.4090201@cs.tcd.ie>
Date: Wed, 07 Jan 2015 19:39:09 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <BA90127E-469F-4882-B5BD-817715067C2A@gmail.com>
References: <20150107222027.18377.83227.idtracker@ietfa.amsl.com> <54ADBD79.4090201@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/gBt4JGESr86MmasiifVwrJbzHkg
Cc: "httpauth-chairs@tools.ietf.org" <httpauth-chairs@tools.ietf.org>, "draft-ietf-httpauth-hoba.all@tools.ietf.org" <draft-ietf-httpauth-hoba.all@tools.ietf.org>, Alissa Cooper <alissa@cooperw.in>, "http-auth@ietf.org" <http-auth@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [http-auth] Alissa Cooper's No Objection on draft-ietf-httpauth-hoba-09: (with COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jan 2015 00:39:13 -0000
Sent from my iPhone > On Jan 7, 2015, at 6:12 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > > > Hiya, > > Two non-trivial changes here, see below, but also please check that > though, working copy is at [1], diff vs. -09 at [2] as usual. > > [1] https://down.dsg.cs.tcd.ie/misc/draft-ietf-httpauth-hoba-10.txt > [2] > https://tools.ietf.org/rfcdiff?url1=draft-ietf-httpauth-hoba-09.txt&url2=https://down.dsg.cs.tcd.ie/misc/draft-ietf-httpauth-hoba-10.txt > >> On 07/01/15 22:20, Alissa Cooper wrote: >> Alissa Cooper has entered the following ballot position for >> draft-ietf-httpauth-hoba-09: No Objection >> >> When responding, please keep the subject line intact and reply to all >> email addresses included in the To and CC lines. (Feel free to cut this >> introductory paragraph, however.) >> >> >> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> http://datatracker.ietf.org/doc/draft-ietf-httpauth-hoba/ >> >> >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> Good stuff! Couple of comments. >> >> = Logging out = >> >> The intro says >> >> "Logout features can be useful for UAs, so HOBA defines a way to >> close a current HTTP "session", and also a way to close all >> current sessions, even if more than one session is currently >> active from different UAs for the same account." >> >> But the method specified in 6.3 seems to only accomplish the first of >> these (assuming the recommendation about server deletion of cookies >> related to "the session" is meant to be specific to one session). What is >> the method for logging out of all sessions associated with different UAs >> for the same account? > > Oops that's a relic, good catch. Deleted from "...and also a way" to > the end. My code doesn't have that anymore, I didn't check other > folks. We could always add it back later if needed, it'd just be one > more .well-knonw/hoba thing. (And in case you ask, sorry but I forget > when/why we dropped that or if it was because it didn't work or out > of laziness or someone's objection:-) > >> >> = Section 6.1 = >> >> Either the device identifier/device identifier type bits are >> underspecified, or it's not clear to me how they are meant to be used. >> What other device identifier types are expected to be used in the future, >> such that a registry of them is necessary? To me it seems like you would >> want UAs/users to take some care with the precision of the device >> identifiers shared with servers -- e.g., "Alissa's laptop" seems like it >> could be useful and fairly safe, whereas "IMEI 013584009812219" seems >> like total overkill and a bad idea. (As an aside, it might be good to >> provide some guidance about this in the document.) The creation of the >> registry makes me wonder if more structured device identifiers of the >> IMEI-ilk are envisioned, and if so what the purpose of them is expected >> to be? > > Nobody had mentioned IMEIs but that's a very good point since most > devices have something like that it'd be bad to use. The idea of the > registry for dids was that they might be part of the registration > flow that a site used (hence not specified here), so e.g. account > creation for phones might differ from that for tablets or laptops. > (And no, I don't think we yet know enough to do a good job on defining > those right now, so how to use this well would be a part of the > experiment I figure. And now I'm hoping we don't get asked to say > all that in the draft;-) > > I added text about possible privacy issue in both 8.1 and 9.5. > > 8.1, NEW: > > Device identifiers are intended to specify classes of device in a way > that can assist with registration and with presentation to the user > of information about previous sessions, e.g. last login time. > > Device identifier types MUST NOT be privacy sensitive, with values > that would allow tracking a user in unexpected ways. In particular, > using an device identifier type that is analogous to the > International Mobile Equipment Identifier (IMEI) would be a really > bad idea and is the reason for the MUST NOT above. In that case > "mobile phone" could be an acceptable choice. > > If possible, implementations ought encourage use of device identifier > values that are not personally identifying except for the user > concerned, for example "Alice's mobile" is likely to be chosen and is > somewhat identifying but "Alice's phone: UUID 1234-5567-89abc-def0" > would be a very bad choice. > > 9.5, NEW: > > The designated expert for this registry is to carefully pay attention > to the notes on this field in Section 8.1, in particular the "MUST > NOT" stated therein. > > Happy to wordsmith that some more and we probably will want to. > > (Isn't it interesting how even those of us who care about this kind of > thing can miss it entirely;-) > Good catch, thanks Alissa. >> >> Also, I would suggest >> >> s/if absent then the "string" form of device identifier MUST be used./if >> absent then the "string" form of device identifier defined in Section 9.5 >> MUST be used. > > Sure > >> >> = Section 8 = >> >> "Binding my CPK with someone else's account would be fun and >> profitable so SHOULD be appropriately hard." >> >> Sarcasm translates pretty poorly across cultures. I would suggest saying >> what you actually mean here. > > Wasn't meant to be sarcastic at all. I guess it is a little opaque but > surely the threat is so obvious that the "fun and profit" colloquialism > is ok. I think it's better to replace this text, I agree with Alissa that other cultures may have problems with it. Thanks, Kathleen > >> >> = Section 8.2 = >> >> If you want to leave in the LinkedIn reference, or any specific example, >> it needs a citation. > > Yep, I added one to the working copy. It's wikipedia but I've wrangled > that with the RFC editor before via the wiki permanent URL feature:-) > > Cheers, > S. > > >> >>
- [http-auth] Alissa Cooper's No Objection on draft… Alissa Cooper
- Re: [http-auth] Alissa Cooper's No Objection on d… Stephen Farrell
- Re: [http-auth] Alissa Cooper's No Objection on d… Kathleen Moriarty
- Re: [http-auth] Alissa Cooper's No Objection on d… Spencer Dawkins at IETF
- Re: [http-auth] Alissa Cooper's No Objection on d… Kathleen Moriarty
- Re: [http-auth] Alissa Cooper's No Objection on d… Stephen Farrell
- Re: [http-auth] Alissa Cooper's No Objection on d… Spencer Dawkins at IETF
- Re: [http-auth] Alissa Cooper's No Objection on d… Martin J. Dürst
- Re: [http-auth] Alissa Cooper's No Objection on d… Alissa Cooper