Re: [http-auth] Stephen Farrell's Yes on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)

Julian Reschke <julian.reschke@gmx.de> Tue, 17 February 2015 07:34 UTC

Message-ID: <54E2EEDE.5050308@gmx.de>
Date: Tue, 17 Feb 2015 08:33:50 +0100
From: Julian Reschke <julian.reschke@gmx.de>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
References: <20150217015202.9887.27442.idtracker@ietfa.amsl.com>
In-Reply-To: <20150217015202.9887.27442.idtracker@ietfa.amsl.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/umr2EjHQJ2v_ONO7EeGmp02lFn4>
Cc: http-auth@ietf.org, draft-ietf-httpauth-basicauth-update.all@ietf.org, httpauth-chairs@ietf.org
Subject: Re: [http-auth] Stephen Farrell's Yes on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)

On 2015-02-17 02:52, Stephen Farrell wrote:
> ...
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
>
> This is a pretty crappy auth scheme, but this is a pretty
> good update and fills a need, thanks for the latter:-)

Thanks :-)

> - section 2: is it worth saying somewhere that you can't
> really have >1 proxy-auth happening even if you transit >1
> proxy?

Somewhere yes, but not here. When we do RFC7235bis, I'd like to get the 
proxy auth parts some attention, and that needs feedback from people who 
actually do have some experience with it (which I do not).

> - section 2, last para: I assume this is because client
> and/or server behaviour varies for this? If so, maybe it'd

Yes.

> be good to give some guidance or add a reference (if a
> good one exists). If there's some other reason, it'd be
> good to say too.

I don't have a reference or guidance. UAs behave differently and are 
allowed to do so. I don't think we can say something beyond that.

> - section 4: would it be worth adding some guidance that
> re-use of e.g. enterprise login/SSO passwords for
> proxy-auth is particularly dodgy as it is not protected via
> TLS?

There are a lot of things that can be said about the topic of password 
choice and re-use. Is it specific to Basic auth? I'm not opposed to adding 
something, but this sounds like an open-ended topic. If you have a 
concrete proposal for text, I'm all ears :-)

Best regards, Julian