Re: [http-auth] Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 06 January 2015 14:48 UTC
To: Barry Leiba <Barry.Leiba@huawei.com>, Barry Leiba <barryleiba@computer.org>
References: <20150105174855.11968.51931.idtracker@ietfa.amsl.com> <54AAE9C7.8010105@cs.tcd.ie> <CALaySJ+j2u3_amk-BSjDgRvoGKFjsqn8k1Lm8pN0dW5dCXck3g@mail.gmail.com> <9C2AA051DD3C464F8ADEE38AEE6C26AD18C9E7BA@dfweml704-chm> <54AB4FFF.4040402@cs.tcd.ie> <CALaySJ+QY12hbrn0SkzwCakcBR3mqSD7XkHAQEspogafVq1_-g@mail.gmail.com> <54ABAF30.8040207@cs.tcd.ie> <9C2AA051DD3C464F8ADEE38AEE6C26AD18C9E90C@dfweml704-chm>
In-Reply-To: <9C2AA051DD3C464F8ADEE38AEE6C26AD18C9E90C@dfweml704-chm>
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/rLFMoI2wOX6Pvg0BkiuoeqEY18Y
Cc: "draft-ietf-httpauth-hoba.all@tools.ietf.org" <draft-ietf-httpauth-hoba.all@tools.ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "httpauth-chairs@tools.ietf.org" <httpauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>
Hiya,

On 06/01/15 14:05, Barry Leiba wrote:
>>> This document would benefit from some section somewhere giving a
>>> set of clear, numbered steps, saying who sends, who receives, and
>>> who does what with what input at each step. I will propose such
>>> text.
>>
>> And I'll happily look at that when it's available. (And hope to not
>> have to wait much:-)
>
> And here we go;

Thanks for being timely.

> not a lot, but I think it really helps. Of course,
> adjust it if I got anything wrong or worded inaccurately. Note how
> the section references jump around -- that's why I found it hard to
> follow, and why I think this is a big help. I'm suggesting making
> this Section 1.3 because I think having it up front makes it the most
> useful.

Yeah, TBH I think that's superfluous but harmless and doesn't
replicate text already elsewhere so I've put it in (same [1,2] as
before work) almost as-is.

Cheers,
S.

[1] https://down.dsg.cs.tcd.ie/misc/draft-ietf-httpauth-hoba-10.txt
[2] https://tools.ietf.org/rfcdiff?url1=draft-ietf-httpauth-hoba-09.txt&url2=https://down.dsg.cs.tcd.ie/misc/draft-ietf-httpauth-hoba-10.txt

>
> -------------------------------------
> 1.3 An Overview of HOBA-http Authentication
>
> HOBA authentication uses the HTTP authentication framework defined in
> [RFC7235], using a number of HOBA-specific elements. This is a
> high-level overview of HOBA-http authentication:
>
> 1. If the user is not already registered with the web-origin and
> realm it is trying to access, the "joining" process is invoked (see
> Section 6.1). This creates a key pair and makes the CPK known to the
> server.
>
> 2. The client connects to the server and makes a request, and the
> server's response includes a WWW-Authenticate header field that
> contains the "HOBA" auth-scheme, along with associated parameters
> (see Section 3).
>
> 3. The client uses the challenge from the HOBA auth-scheme
> parameters, along with other information it knows about the
> web-origin and realm, to create and sign a HOBA-TBS string (see
> Section 2).
>
> 4. The client creates a HOBA client-result (HOBA-RES), using the
> signed HOBA-TBS for the "sig" value (see Section 2).
>
> 5. The client includes the Authorization header field in its next
> request, using the "HOBA" auth-scheme and putting the HOBA
> client-result in an auth-param named "result" (see Section 3).
>
> 6. The server authenticates the HOBA client-result (see Section
> 5.3).
>
> 7. Typically, the server's response includes a session cookie that
> allows the client to indicate its authentication state in future
> requests (see Section 1.1).
>
> [You might include an example here, as Julian suggests. Or perhaps
> you might put an example in an appendix, and just cite it here.]
>
> -------------------------------------
>
> Please let me know what you think.
>
> Barry
>
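The numbered steps quoted above, worked through in Go as an added example that is not from the draft or from anyone in this thread: the server's CPK registry from joining (step 1), the challenge it issues in WWW-Authenticate (step 2), the client building and signing HOBA-TBS and packing HOBA-RES (steps 3 and 4, which would travel as the "result" auth-param in step 5), and the server-side check (step 6). The TBS field layout, the kid.challenge.nonce.sig result shape, alg "0" meaning RSA with SHA-256, and the use of RSA keys at all are assumptions made here for illustration; the draft's Sections 2, 3 and 5.3 are normative.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// hobaTBS joins length-prefixed "len:value" items; layout and alg "0" = RSA/SHA-256 are assumed, Section 2 is normative.
func hobaTBS(nonce, alg, origin, realm, kid, challenge string) string {
	var sb strings.Builder
	for _, v := range []string{nonce, alg, origin, realm, kid, challenge} {
		fmt.Fprintf(&sb, "%d:%s", len(v), v)
	}
	return sb.String()
}

// NewToken: 16 fresh random bytes, base64url; used for the server's challenge (step 2) and the client's nonce.
func NewToken() string {
	buf := make([]byte, 16)
	rand.Read(buf)
	return b64.EncodeToString(buf)
}

// ClientResult signs HOBA-TBS (step 3) and packs HOBA-RES (step 4) as kid.challenge.nonce.sig (shape assumed).
func ClientResult(priv *rsa.PrivateKey, kid, origin, realm, challenge string) string {
	nonce := NewToken()
	h := sha256.Sum256([]byte(hobaTBS(nonce, "0", origin, realm, kid, challenge)))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return strings.Join([]string{kid, challenge, nonce, b64.EncodeToString(sig)}, ".")
}

// Verify is step 6: cpks = CPKs learned at joining (step 1, by kid); issued = challenges this server sent.
// The challenge is consumed on first use (no replay) and TBS is rebuilt from the server's own origin/realm.
func Verify(cpks map[string]*rsa.PublicKey, issued map[string]bool, origin, realm, result string) bool {
	p := strings.Split(result, ".")
	if len(p) != 4 || !issued[p[1]] || cpks[p[0]] == nil {
		return false
	}
	delete(issued, p[1])
	sig, err := b64.DecodeString(p[3])
	h := sha256.Sum256([]byte(hobaTBS(p[2], "0", origin, realm, p[0], p[1])))
	return err == nil && rsa.VerifyPKCS1v15(cpks[p[0]], crypto.SHA256, h[:], sig) == nil
}
```

Because the server rebuilds the TBS from its own notion of origin and realm, a result signed for a different web-origin fails even with a registered CPK, and consuming the challenge means a captured result cannot be presented a second time.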