Re: [http-auth] Quick review of draft-ietf-httpauth-rest-auth-01

Julian Reschke <julian.reschke@gmx.de> Thu, 07 November 2013 01:57 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B5CC21E81A6 for <http-auth@ietfa.amsl.com>; Wed, 6 Nov 2013 17:57:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.347
X-Spam-Level:
X-Spam-Status: No, score=-104.347 tagged_above=-999 required=5 tests=[AWL=-1.748, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NI2ynOLml2+p for <http-auth@ietfa.amsl.com>; Wed, 6 Nov 2013 17:57:11 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) by ietfa.amsl.com (Postfix) with ESMTP id ADD0B11E81FA for <http-auth@ietf.org>; Wed, 6 Nov 2013 17:57:08 -0800 (PST)
Received: from [31.133.151.131] ([31.133.151.131]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0M1Fe4-1VtRLX1bgG-00tBd7 for <http-auth@ietf.org>; Thu, 07 Nov 2013 02:57:07 +0100
Message-ID: <527AF374.5040109@gmx.de>
Date: Wed, 06 Nov 2013 17:57:08 -0800
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, http-auth@ietf.org
References: <20131106162924.GB8185@LK-Perkele-VII>
In-Reply-To: <20131106162924.GB8185@LK-Perkele-VII>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:jeiUb+yOE8bxizerztBGKFpgJLXOHkRfhWXooxkLGD4zXGamQ2C 9Y4slan8qQ8Un9h9Xa8e3+yD3s+Wcpt0f9N6wYd3fcMidaE+HQrB6xgeDbyFgJ+MAZHiPLG IHNDwx0HmAcWoEeKvNCAA3DhTT2QEEsRVS/bX54m92+7guKe9mkFJbgjG4k1d7XEyROG65a 0uFse6NzAa4W6U31oVa5Q==
Subject: Re: [http-auth] Quick review of draft-ietf-httpauth-rest-auth-01
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Nov 2013 01:57:31 -0000

On 2013-11-06 08:29, Ilari Liusvaara wrote:
>> 1.  Introduction
>>
>>     We propose a pattern for HTTP [RFC2616] [TODO: add reference to
>>     HTTP/2.0 as well?] authentication mechanisms that, by being
>>     "RESTful", obtains these goals naturally.
>
> Reference for HTTP/2.0 would be draft-ietf-httpbis-http2

Please stop referencing RFC 2616. HTTPbis is past IETF LC.

>> 3.1.  Negotiable Parameters
>>
>> 3.1.2.  WWW-Authenticate Header Value Prefix Syntax
>>
>>     For a DIGEST-like mechanism it might look like "WWW-Authenticate: RA-
>>     Digest-SHA-256 tls-server-end-point session-ID no HE4SgWGrd/
>>     3+O7t16HqusA==".  For example, the mechname for the Kerberos V5 GSS-
>>     API mechanism might be "gss-krb5", and a WWW-Authenticate header
>>     value for it might look like "WWW-Authenticate: RA-gss-krb5
>>     http://foo.example/restauth-login tls-server-end-point channel-bound-
>>     session-ID r=no".
>
> These examples don't look to conform to the grammar given (missing r=, s=,
> etc...)
> ...

Furthermore, the challenge does not conform to the grammar defined in 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-24.html#challenge.and.response> 
(nor 
<http://greenbytes.de/tech/webdav/rfc2617.html#access.authentication.framework>).

Best regards, Julian
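The grammar Julian points to is the `challenge` production of httpbis-p7-auth (later RFC 7235): `challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ]`, where a `token68` is a single base64-style blob and every `auth-param` is `token "=" ( token / quoted-string )`. The following is an added example, not code from the draft, from Julian or Ilari, or from any HTTPbis project: a small Python checker for a single challenge (the comma-separated `1#challenge` list form of the whole header field is deliberately not handled, and the quoted-string rule is simplified). It is run over the two `WWW-Authenticate` values quoted from the draft above, which fail because the space-separated bare words after the scheme are neither one token68 nor a list of `name=value` auth-params, and over constructed values (the Basic, Digest, Negotiate and Bearer samples are made up here) that do conform.

```python
import re

# Character classes from RFC 7230 / httpbis-p7-auth (quoted-string simplified).
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = rf"{TCHAR}+"
TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"           # one blob, optional trailing '='
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'          # quoted-pair handled as \x
PARAM_RE = re.compile(rf"({TOKEN})[ \t]*=[ \t]*({TOKEN}|{QUOTED_STRING})")
CHALLENGE_RE = re.compile(rf"({TOKEN})(?:[ ]+(.*))?")  # auth-scheme [1*SP rest]


def _unquote(value):
    """Strip the quotes and backslash escapes of a quoted-string; tokens pass through."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def _parse_auth_params(rest):
    """Parse the #auth-param alternative; raises ValueError on anything else."""
    params = {}
    pos, n = 0, len(rest)
    while pos < n:
        # The #rule tolerates empty list elements and optional whitespace around commas.
        while pos < n and rest[pos] in " \t,":
            pos += 1
        if pos >= n:
            break
        m = PARAM_RE.match(rest, pos)
        if not m:
            raise ValueError(f"not an auth-param at offset {pos}: {rest[pos:]!r}")
        name = m.group(1).lower()            # auth-param names are case-insensitive
        if name in params:
            raise ValueError(f"duplicate auth-param {name!r}")
        params[name] = _unquote(m.group(2))
        pos = m.end()
        # After a parameter only whitespace, a comma, or the end of the value may follow;
        # a bare word here is exactly the defect in the draft's examples.
        tail = rest[pos:]
        if tail and not re.match(r"[ \t]*(,|$)", tail):
            raise ValueError(f"unexpected text after auth-param: {tail!r}")
    return params


def parse_challenge(value):
    """Parse one challenge. Returns (scheme, kind, payload) with kind one of
    'none', 'token68' or 'params'. Raises ValueError if the value does not conform."""
    m = CHALLENGE_RE.fullmatch(value)
    if not m:
        raise ValueError(f"auth-scheme must be a token: {value!r}")
    scheme, rest = m.group(1), m.group(2)
    if not rest:
        return (scheme, "none", None)
    if re.fullmatch(TOKEN68, rest):
        return (scheme, "token68", rest)
    return (scheme, "params", _parse_auth_params(rest))


def check(value):
    """Return None if the value conforms, otherwise the parser's reason."""
    try:
        parse_challenge(value)
        return None
    except ValueError as exc:
        return str(exc)


# The two example values quoted from the draft above, with the line wraps joined.
DRAFT_EXAMPLES = [
    "RA-Digest-SHA-256 tls-server-end-point session-ID no HE4SgWGrd/3+O7t16HqusA==",
    "RA-gss-krb5 http://foo.example/restauth-login tls-server-end-point "
    "channel-bound-session-ID r=no",
]

# Constructed values that do conform to the challenge grammar (sample data, not real).
CONFORMING_EXAMPLES = [
    'Basic realm="simple"',
    'Digest realm="x", qop="auth,auth-int", nonce=abc',
    "Negotiate YIIBxwYGKwYBBQUCoIIBuzCCAbeg==",
    "Bearer",
]

if __name__ == "__main__":
    for v in DRAFT_EXAMPLES + CONFORMING_EXAMPLES:
        print(f"{v!r}\n    -> {check(v) or 'conforms: ' + str(parse_challenge(v))}")
```

Running it shows both draft values rejected at the first bare word after the scheme, while the constructed values parse into scheme plus either a token68 or a dictionary of parameters; a draft that wants several space-separated fields therefore has to encode them as auth-params (as Ilari's `r=`, `s=` remark implies) or fold them into one token68.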