IETF Logo Mail Archive

Re: [http-auth] Alissa Cooper's No Objection on draft-ietf-httpauth-hoba-09: (with COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 08 January 2015 00:39 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09EC91A8777; Wed, 7 Jan 2015 16:39:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kzfD4kt-s6rd; Wed, 7 Jan 2015 16:39:10 -0800 (PST)
Received: from mail-qg0-x22d.google.com (mail-qg0-x22d.google.com [IPv6:2607:f8b0:400d:c04::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB70F1A876F; Wed, 7 Jan 2015 16:39:09 -0800 (PST)
Received: by mail-qg0-f45.google.com with SMTP id z107so66576qgd.4; Wed, 07 Jan 2015 16:39:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:mime-version:subject:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=NOlCfQwh/v12PIcPaPSn0/2B5KE9OLO26ZB0b8OuQP8=; b=b+Ofp9x+q0PACoidWYK0igv6pHPqYtn1QO6dKEGbXAnPY5lkf2ejZ/mlBjGtol1bKM 0i2V6ZBQq3zAB1qDkIpwSEQtAVCM1rEAtMWsnJrP7U/Bw/PCDK1L95pIV3+kKGqxRbUt wX8q1VHOyxmBWKxPRcSy943g5aSLctgOpSXeJTCfyNMKpv84k6d2tm8kmvty6lXxA0Xk xNsW4FmjfQryJHlD5XeVVYP6ZjZyIHUeCscN1H0QaYWN7T2lljhY8F3L+Mvo8AcTNx8G TCxZOsEVGJKkc7VgqVArJWg32l8khazAG1JFk5L6eZ0N7VljDGI7PnyJthdqAtk2IHcB ntzQ==
X-Received: by 10.224.50.75 with SMTP id y11mr9867709qaf.89.1420677549134; Wed, 07 Jan 2015 16:39:09 -0800 (PST)
Received: from [192.168.1.3] (209-6-114-252.c3-0.arl-ubr1.sbo-arl.ma.cable.rcn.com. [209.6.114.252]) by mx.google.com with ESMTPSA id u14sm2607404qau.37.2015.01.07.16.39.07 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 07 Jan 2015 16:39:07 -0800 (PST)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
X-Google-Original-From: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
X-Mailer: iPhone Mail (11D257)
In-Reply-To: <54ADBD79.4090201@cs.tcd.ie>
Date: Wed, 07 Jan 2015 19:39:09 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <BA90127E-469F-4882-B5BD-817715067C2A@gmail.com>
References: <20150107222027.18377.83227.idtracker@ietfa.amsl.com> <54ADBD79.4090201@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/gBt4JGESr86MmasiifVwrJbzHkg
Cc: "httpauth-chairs@tools.ietf.org" <httpauth-chairs@tools.ietf.org>, "draft-ietf-httpauth-hoba.all@tools.ietf.org" <draft-ietf-httpauth-hoba.all@tools.ietf.org>, Alissa Cooper <alissa@cooperw.in>, "http-auth@ietf.org" <http-auth@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [http-auth] Alissa Cooper's No Objection on draft-ietf-httpauth-hoba-09: (with COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jan 2015 00:39:13 -0000


Sent from my iPhone

> On Jan 7, 2015, at 6:12 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> 
> Hiya,
> 
> Two non-trivial changes here, see below, but also please check that
> though, working copy is at [1], diff vs. -09 at [2] as usual.
> 
>   [1] https://down.dsg.cs.tcd.ie/misc/draft-ietf-httpauth-hoba-10.txt
>   [2]
> https://tools.ietf.org/rfcdiff?url1=draft-ietf-httpauth-hoba-09.txt&url2=https://down.dsg.cs.tcd.ie/misc/draft-ietf-httpauth-hoba-10.txt
> 
>> On 07/01/15 22:20, Alissa Cooper wrote:
>> Alissa Cooper has entered the following ballot position for
>> draft-ietf-httpauth-hoba-09: No Objection
>> 
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>> 
>> 
>> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>> 
>> 
>> The document, along with other ballot positions, can be found here:
>> http://datatracker.ietf.org/doc/draft-ietf-httpauth-hoba/
>> 
>> 
>> 
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>> 
>> Good stuff! Couple of comments.
>> 
>> = Logging out =
>> 
>> The intro says
>> 
>> "Logout features can be useful for UAs, so HOBA defines a way to
>>      close a current HTTP "session", and also a way to close all
>>      current sessions, even if more than one session is currently
>>      active from different UAs for the same account."
>> 
>> But the method specified in 6.3 seems to only accomplish the first of
>> these (assuming the recommendation about server deletion of cookies
>> related to "the session" is meant to be specific to one session). What is
>> the method for logging out of all sessions associated with different UAs
>> for the same account?
> 
> Oops that's a relic, good catch. Deleted from "...and also a way" to
> the end. My code doesn't have that anymore, I didn't check other
> folks. We could always add it back later if needed, it'd just be one
> more .well-knonw/hoba thing. (And in case you ask, sorry but I forget
> when/why we dropped that or if it was because it didn't work or out
> of laziness or someone's objection:-)
> 
>> 
>> = Section 6.1 =
>> 
>> Either the device identifier/device identifier type bits are
>> underspecified, or it's not clear to me how they are meant to be used.
>> What other device identifier types are expected to be used in the future,
>> such that a registry of them is necessary? To me it seems like you would
>> want UAs/users to take some care with the precision of the device
>> identifiers shared with servers -- e.g., "Alissa's laptop" seems like it
>> could be useful and fairly safe, whereas "IMEI 013584009812219" seems
>> like total overkill and a bad idea. (As an aside, it might be good to
>> provide some guidance about this in the document.) The creation of the
>> registry makes me wonder if more structured device identifiers of the
>> IMEI-ilk are envisioned, and if so what the purpose of them is expected
>> to be?
> 
> Nobody had mentioned IMEIs but that's a very good point since most
> devices have something like that it'd be bad to use. The idea of the
> registry for dids was that they might be part of the registration
> flow that a site used (hence not specified here), so e.g. account
> creation for phones might differ from that for tablets or laptops.
> (And no, I don't think we yet know enough to do a good job on defining
> those right now, so how to use this well would be a part of the
> experiment I figure. And now I'm hoping we don't get asked to say
> all that in the draft;-)
> 
> I added text about possible privacy issue in both 8.1 and 9.5.
> 
> 8.1, NEW:
> 
>   Device identifiers are intended to specify classes of device in a way
>   that can assist with registration and with presentation to the user
>   of information about previous sessions, e.g.  last login time.
> 
>   Device identifier types MUST NOT be privacy sensitive, with values
>   that would allow tracking a user in unexpected ways.  In particular,
>   using an device identifier type that is analogous to the
>   International Mobile Equipment Identifier (IMEI) would be a really
>   bad idea and is the reason for the MUST NOT above.  In that case
>   "mobile phone" could be an acceptable choice.
> 
>   If possible, implementations ought encourage use of device identifier
>   values that are not personally identifying except for the user
>   concerned, for example "Alice's mobile" is likely to be chosen and is
>   somewhat identifying but "Alice's phone: UUID 1234-5567-89abc-def0"
>   would be a very bad choice.
> 
> 9.5, NEW:
> 
>   The designated expert for this registry is to carefully pay attention
>   to the notes on this field in Section 8.1, in particular the "MUST
>   NOT" stated therein.
> 
> Happy to wordsmith that some more and we probably will want to.
> 
> (Isn't it interesting how even those of us who care about this kind of
> thing can miss it entirely;-)
> 
Good catch, thanks Alissa.
>> 
>> Also, I would suggest
>> 
>> s/if absent then the "string" form of device identifier MUST be used./if
>> absent then the "string" form of device identifier defined in Section 9.5
>> MUST be used.
> 
> Sure
> 
>> 
>> = Section 8 =
>> 
>> "Binding my CPK with someone else's account would be fun and
>>   profitable so SHOULD be appropriately hard."
>> 
>> Sarcasm translates pretty poorly across cultures. I would suggest saying
>> what you actually mean here.
> 
> Wasn't meant to be sarcastic at all. I guess it is a little opaque but
> surely the threat is so obvious that the "fun and profit" colloquialism
> is ok.
I think it's better to replace this text, I agree with Alissa that other cultures may have problems with it.

Thanks,
Kathleen 
> 
>> 
>> = Section 8.2 =
>> 
>> If you want to leave in the LinkedIn reference, or any specific example,
>> it needs a citation.
> 
> Yep, I added one to the working copy. It's wikipedia but I've wrangled
> that with the RFC editor before via the wiki permanent URL feature:-)
> 
> Cheers,
> S.
> 
> 
>> 
>>

v2.23.0 | Report a Bug | By Email