Re: [http-auth] [Mutual] (due Aug 28) Mutual auth issues (part 1)
Sophie Bremer <sophie.bremer@netzkonform.de> Sat, 15 August 2015 05:33 UTC
From: Sophie Bremer <sophie.bremer@netzkonform.de>
In-Reply-To: <OS1PR01MB0200719F947ACCD628FF3D7DA07D0@OS1PR01MB0200.jpnprd01.prod.outlook.com>
Date: Sat, 15 Aug 2015 07:34:28 +0200
Message-Id: <1CC8E622-E8E2-474E-B7BF-CACB84E176DD@netzkonform.de>
References: <OS1PR01MB0200719F947ACCD628FF3D7DA07D0@OS1PR01MB0200.jpnprd01.prod.outlook.com>
To: Yutaka OIWA <y.oiwa@aist.go.jp>
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/hg4IEiMaQuttq5rdmgKPflQrLY4>
Cc: Mutual auth contact <mutual-auth-contact-ml@aist.go.jp>, "http-auth@ietf.org" <http-auth@ietf.org>

Hi Yutaka,

answers below:

> ==== draft-ietf-httpauth-mutual ====
>
> = Section 3.1 =
>
> [P1] Is adoption of RFC5987 OK?
> https://github.com/yoiwa/httpauth-mutual/issues/1

It looks good. Even though pwd-hash*=UTF-8''ABCDEF or other token values do not make sense, the involved parties should support it in favor of future flexibility.

> [P2] The encoding is fixed to UTF-8, without any language.
> (justification: it is not an on-line negotiable parameter,
> and the new protocol does not need to consider older
> clients.)
> https://github.com/yoiwa/httpauth-mutual/issues/2

This makes implementation at the low level easier, so I find it reasonable.

> = Section 4: Messages =
>
> [P3] Are the reserved parameter names making sense?
> https://github.com/yoiwa/httpauth-mutual/issues/3

--
4.3 401-KEX-S1

path: (non-mandatory, string) specifies which path in the URI space the same authentication is expected to be applied. The value is a space-separated list of URIs, in the same format as it was specified in domain parameter [RFC2617] for the Digest authentications.
--

What is the reason to use the parameter name "path" instead of "domain"? Wiktionary says:

--
domain (plural domains)
• A geographic area owned or controlled by a single person or organization.
  The king ruled his domain harshly.
• A field or sphere of activity, influence or expertise.
  Dealing with complaints isn't really my domain: get in touch with customer services.
  His domain is English history.
• A group of related items, topics, or subjects.
--

I am in favor of the name "domain" for continuity between authentication specs as you may have guessed by now. :)

> Thank you for your cooperation.

Regards,
Sophie
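
An added example, not part of the message above or of the draft: a decoder for an RFC 5987 ext-value such as the `pwd-hash*=UTF-8''ABCDEF` form mentioned under [P1], applying the [P2] restriction (UTF-8 only, no language tag) as a strict reject. The function name `decode_ext_param` and every sample value other than `pwd-hash*=UTF-8''ABCDEF` are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# RFC 5987 attr-char: the characters allowed unencoded inside value-chars.
_ATTR_CHAR = r"[A-Za-z0-9!#$&+\-.^_`|~]"
_EXT_VALUE = re.compile(
    r"^(?P<charset>[^']*)'(?P<lang>[^']*)'"
    r"(?P<value>(?:%[0-9A-Fa-f]{2}|" + _ATTR_CHAR + r")*)$"
)


def decode_ext_param(name, raw):
    """Decode one auth-param (hypothetical helper, not the draft's API).

    A name ending in '*' carries an RFC 5987 ext-value: charset'lang'pct-value.
    Policy assumed from [P2]: charset must be UTF-8 and the language tag
    must be empty; anything else is rejected rather than guessed at.
    """
    if not name.endswith("*"):
        return name, raw  # ordinary parameter, value passed through unchanged
    m = _EXT_VALUE.match(raw)
    if m is None:
        raise ValueError("malformed ext-value")
    if m.group("charset").upper() != "UTF-8":
        raise ValueError("charset must be UTF-8")
    if m.group("lang"):
        raise ValueError("language tag not allowed")
    # Strict decoding: an invalid byte sequence raises UnicodeDecodeError
    # (a ValueError subclass) instead of being silently replaced.
    text = unquote_to_bytes(m.group("value")).decode("utf-8", errors="strict")
    return name[:-1], text


if __name__ == "__main__":
    # Constructed sample inputs; only the first value appears in the message.
    samples = [
        ("pwd-hash*", "UTF-8''ABCDEF"),
        ("pwd-hash*", "utf-8''%E2%82%AC%20rates"),
        ("pwd-hash*", "ISO-8859-1''%A3"),
        ("pwd-hash*", "UTF-8'en'ABCDEF"),
        ("pwd-hash*", "UTF-8''%FF"),
    ]
    for name, raw in samples:
        try:
            print(name, raw, "->", decode_ext_param(name, raw))
        except ValueError as exc:
            print(name, raw, "-> rejected:", exc)
```

Rejecting a foreign charset or a stray language tag outright, instead of falling back to a best-effort decode, keeps client and server from deriving different strings from the same header.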