Re: [http-auth] FW: New Version Notification for draft-woodworth-json-http-auth-00.txt
"Woodworth, John R" <John.Woodworth@CenturyLink.com> Mon, 06 March 2017 06:50 UTC
Return-Path: <John.Woodworth@CenturyLink.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18A8212711D for <http-auth@ietfa.amsl.com>; Sun, 5 Mar 2017 22:50:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d2ZhVxbXJTrt for <http-auth@ietfa.amsl.com>; Sun, 5 Mar 2017 22:50:06 -0800 (PST)
Received: from lxomp52w.centurylink.com (lxomp52w.centurylink.com [155.70.50.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D43F127A90 for <http-auth@ietf.org>; Sun, 5 Mar 2017 22:50:05 -0800 (PST)
Received: from lxomavmpc030.qintra.com (lxomavmpc030.qintra.com [151.117.207.30]) by lxomp52w.centurylink.com (8.14.8/8.14.8) with ESMTP id v266o4b7055880 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 6 Mar 2017 00:50:04 -0600
Received: from lxomavmpc030.qintra.com (unknown [127.0.0.1]) by IMSA (Postfix) with ESMTP id 5AC421E0049; Mon, 6 Mar 2017 00:49:59 -0600 (CST)
Received: from lxomp06u.corp.intranet (unknown [151.117.18.14]) by lxomavmpc030.qintra.com (Postfix) with ESMTP id 3DD0D1E0032; Mon, 6 Mar 2017 00:49:59 -0600 (CST)
Received: from lxomp06u.corp.intranet (localhost [127.0.0.1]) by lxomp06u.corp.intranet (8.14.8/8.14.8) with ESMTP id v266nxtJ006927; Mon, 6 Mar 2017 00:49:59 -0600
Received: from vodcwhubex501.ctl.intranet (vodcwhubex501.ctl.intranet [151.117.206.27]) by lxomp06u.corp.intranet (8.14.8/8.14.8) with ESMTP id v266nwWH006924 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 6 Mar 2017 00:49:58 -0600
Received: from PODCWMBXEX501.ctl.intranet ([169.254.1.220]) by vodcwhubex501.ctl.intranet ([151.117.206.27]) with mapi id 14.03.0294.000; Mon, 6 Mar 2017 00:49:58 -0600
From: "Woodworth, John R" <John.Woodworth@CenturyLink.com>
To: "'Manger, James'" <James.H.Manger@team.telstra.com>, "http-auth@ietf.org" <http-auth@ietf.org>
Thread-Topic: [http-auth] FW: New Version Notification for draft-woodworth-json-http-auth-00.txt
Thread-Index: AdKWIe474hOGmOJRSkapVznP/gi4agAEvilQ
Date: Mon, 06 Mar 2017 06:49:57 +0000
Message-ID: <A05B583C828C614EBAD1DA920D92866BD06ED513@PODCWMBXEX501.ctl.intranet>
References: <SYXPR01MB1615649D5B909D36B080A8D9E52C0@SYXPR01MB1615.ausprd01.prod.outlook.com>
In-Reply-To: <SYXPR01MB1615649D5B909D36B080A8D9E52C0@SYXPR01MB1615.ausprd01.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [151.117.206.8]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: disable
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-auth/rneLGQuamH83AIe_jFAWpZZ5KB4>
Cc: "Ballew, Dean" <Dean.Ballew@CenturyLink.com>
Subject: Re: [http-auth] FW: New Version Notification for draft-woodworth-json-http-auth-00.txt
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Mar 2017 06:50:07 -0000
-----Original Message----- From: Manger, James [mailto:James.H.Manger@team.telstra.com] Hi James, First, thank you for the detailed feedback it is very much appreciated. It's actually eerie how your comments mirror our own internal discussions on many points. > > The "password" variant sends the same info as BASIC, just with a > different syntax. It is hard to see the point. Surely a normal > BASIC header could be passed to client-side scripting just as > easily as a re-formatted version? > > The "challenge" variant looks like it is trying to mimic the > DIGEST scheme, with a different syntax, and with the crypto > applied slightly differently. The crypto changes look more > dangerous than helpful. DIGEST at least separated the concepts > of a Hash from a MAC (Keyed Digest), even if the latter used > the former in too simple a way. In DIGEST the password is hashed > with the username and realm to form a secret key, but not in > "challenge". A new spec today should use a proper MAC algorithm, > such as HMAC. > Both of these similarities are actually intentional. One of our goals is to get a "usable framework" which is both JSON based and can be easily extended. Our rational for including something basic-ish and digest-ish was that a framework not having comparable features was dead out of the gate. Early versions actually used "basic" and "digest" types and borrowed even more heavily from each. It was decided to avoid being *too* close in an attempt to cut down on confusion. Perhaps we should make this point obvious in the introduction? > > Quirks from DIGEST seem to be repeated in "challenge", such as > separate "nonce" and "opaque" members despite both being: chosen > by the server; opaque to the client; hashed into the response; > and returned to the server. > The opaque value is not strictly necessary for the authentication portion and is expected to be _additional_ easily validated data the server can use to simplify its session management. To keep implementation requirements down for the server, our thought was if the nonce (and other session data) could be self validated, a table would not _need_ to be kept. With no table, no shared memory or other complications would need to be done among the multiple threads and/ or multiple servers. This opens itself to something as simple as a CGI script. > > The highly recommended "nonce" construction looks poor. A 36-char > random UUID just to provide uniqueness within the 10µs window of > the time component (eg 1488442706.13154) is overkill. > Funny, this was added to avoid the whole "this is cryptographically too weak" discussion :) . > > Hashing a > concatenation of nonce parts and a secret is the sort of ad hoc > crypto that should be avoided. Use a proper MAC algorithm instead. > We are definitely open to something like HMAC, our target here was again to keep implementation effort minimal. Thankfully, we have really good MIT compatible libraries for the project which spawned this draft so I guess it's reasonable to assume this is not an issue. We just wanted to get additional input from this group before moving in that direction. > > JSON has arrays so why not use an array for the "algorithms" > member, instead of a comma-separated string with a rule to ignore > whitespace? > No strong reason. Our rational was to keep the object from becoming too much of a nested mess but we are in agreement here. > > The mix of base64, lowercase-hex, and UUID encoding; plus commas, > slashes, hyphens, and colons as separators is a bit messy. > I guess the nonce could just as easily be a sub-object. Somehow, this was expected to allow a developer to run some really simple cli tools to manually dissect, inspect and verify all the parts of the process. As you may have noticed, 'simplicity in implementation' is a common theme. It sounds like crypto comes easily to you but I have found it to be a difficult topic for many developers. Keeping simple components which can each be easily checked via readily available tools like 'sha256sum' and 'jq' is an attempt to simplify the process. This, in my mind at least should make for fewer conceptual problems and fewer problems makes for less buggy implementations. Having said that, I am always open to being wrong. > > Suggesting window.AuthHandler() as a place to host handlers > (without specifying actual APIs) sounds like it will ruin this > place for use once something interoperable is actually defined. > This is true. As silly as it may sound, we were hoping to keep the page-count down to around 10. We have another draft which is roughly 35 pages and it is difficult to get that much of someone's time for feedback. We are currently sitting at around 15 and every minor detail seems to add 5 pages. That said, we will expand on this topic in hopes we miss shooting either foot. > > Your pretty JSON format with commas at the start of the next line > (instead of the end of the previous line) is a cute convention. > Thanks. I wish I could take credit for it but I found this little gem as part of a code-style requirements doc for contributing to some JavaScript project a while back and have been searching for it again to give proper attribution. It is by far the one JS tip that's saved me the most frustration as trailing commas are simply death waiting to happen };{> . Thanks, John > > { > "type" : "password" > ,"username" : "MyUser" > ,"password" : "MyPassword" > } > > -- > James Manger > -- THESE ARE THE DROIDS TO WHOM I REFER: This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
- [http-auth] FW: New Version Notification for draf… Woodworth, John R
- Re: [http-auth] FW: New Version Notification for … Julian Reschke
- Re: [http-auth] FW: New Version Notification for … Woodworth, John R
- Re: [http-auth] FW: New Version Notification for … Manger, James
- Re: [http-auth] FW: New Version Notification for … Woodworth, John R
- Re: [http-auth] FW: New Version Notification for … Julian Reschke
- Re: [http-auth] FW: New Version Notification for … Woodworth, John R