Re: [http-auth] Fwd: New Version Notification for draft-yusef-httpauth-srp-scheme-00.txt

Yutaka OIWA <y.oiwa@aist.go.jp> Mon, 20 July 2015 08:53 UTC

Message-ID: <55ACB70B.1070603@aist.go.jp>
Date: Mon, 20 Jul 2015 17:53:31 +0900
From: Yutaka OIWA <y.oiwa@aist.go.jp>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, "http-auth@ietf.org" <http-auth@ietf.org>
References: <20150531154835.3639.52041.idtracker@ietfa.amsl.com> <CAGL6epJ=dQw9FZS7aUX3B6oLJUw-s9+ARMbrjjZ0K+283inCkg@mail.gmail.com>
In-Reply-To: <CAGL6epJ=dQw9FZS7aUX3B6oLJUw-s9+ARMbrjjZ0K+283inCkg@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/v3FMh3jcshbudiBeSItXOMTSn8s>

Dear HTTPAUTH WG,

The following are my technical comments on the submitted draft.

1. The HTTP authentication exchange should be carefully reconsidered.
   It will usually start with an unauthenticated request to the server, and
   the response can contain a "realm", without any specific discovery mechanism.

2. The final response for a successful authentication should use the
   Authentication-Info header instead of WWW-Authenticate; its
   spec is under clarification by Julian.
   It is also better that the normal response codes (200 or 401) are
   shown in the exchange examples for easier understanding.

3. Please clarify explicitly how the six-message exchange can be shortened,
   and in which cases.
   In particular, avoiding re-computation of "public keys" is critical for
   any effective use of public-key-based cryptography (including any
   known PAKE algorithms) over stateless HTTP.
   It will require the introduction of something similar to the (next-)nonce
   in Digest or the "sid" in Mutual and SCRAM, along with replay-prevention
   mechanisms.  It should be clarified how replay attacks can be prevented
   when public keys are reused.

4. There are distinct kinds of responses with different semantics that
   share the same "WWW-Authenticate: SRP" header, and likewise kinds of
   requests that share "Authorization: SRP".
   It should be clarified how each peer will distinguish those kinds of
   messages (e.g. the existence or non-existence of the client-pop field).
   This will be important for handling (or rejecting)
   malformed messages without any ambiguity (or possible cheating with it).


On 2015/06/01 0:53, Rifaat Shekh-Yusef wrote:
> Hi,
> 
> Yaron and I have just submitted a draft that defines a new authentication
> scheme based on the SRP protocol, to be used with the HTTP Authentication
> Framework.
> We would appreciate any thoughts, reviews, and feedback on this document.
> 
> Regards,
>  Rifaat
> 
> 
> 
> 
> ---------- Forwarded message ----------
> From: <internet-drafts@ietf.org>
> Date: Sun, May 31, 2015 at 11:48 AM
> Subject: New Version Notification for draft-yusef-httpauth-srp-scheme-00.txt
> To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Yaron Sheffer <yaronf.ietf@gmail.com>
> 
> 
> 
> A new version of I-D, draft-yusef-httpauth-srp-scheme-00.txt
> has been successfully submitted by Rifaat Shekh-Yusef and posted to the
> IETF repository.
> 
> Name:           draft-yusef-httpauth-srp-scheme
> Revision:       00
> Title:          HTTP Secure Remote Password (SRP) Authentication Scheme
> Document date:  2015-05-31
> Group:          Individual Submission
> Pages:          11
> URL:            https://www.ietf.org/internet-drafts/draft-yusef-httpauth-srp-scheme-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-yusef-httpauth-srp-scheme/
> Htmlized:       https://tools.ietf.org/html/draft-yusef-httpauth-srp-scheme-00
> 
> 
> Abstract:
>    This document defines an HTTP Authentication Scheme that is based on
>    the Secure Remote Password (SRP) protocol.  The SRP protocol is an
>    Augmented Password Authenticated Key Exchange (PAKE) protocol
>    suitable for authenticating users and exchanging keys over an
>    untrusted network.
> 
> 
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
> 
> 
> 
> _______________________________________________
> http-auth mailing list
> http-auth@ietf.org
> https://www.ietf.org/mailman/listinfo/http-auth
> 

-- 
Yutaka OIWA, Ph.D.               Planning Officer, Research Planning Office
                     Department of Information Technology and Human Factors
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
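To make points 1 to 4 of the review above concrete, here is an added example, written for this archive page and not code from the draft, from its authors, or from anyone in the thread. It plays both peers of an SRP-6a exchange carried in HTTP headers: the unauthenticated request answered with a realm challenge, the two Authorization: SRP round trips, the final 200 carrying the server's proof in Authentication-Info, and then a cheap follow-up request that reuses the agreed key under a server-issued "sid" and a one-time "nextnonce", so no further modular exponentiation is needed and a replayed request is refused. The server decides which kind of message it has received purely from which fields are present and answers 400 to anything else rather than guessing. Everything about the wire format is an assumption of this example, not the draft's: the field names (sid, client-pop, server-pop, nonce, nextnonce, mac), the hex encoding, the simplified proof values (an HMAC under the session key over A and B rather than the RFC 2945 formula), and the per-request MAC over nonce, method and path. The group is the 1024-bit one from RFC 5054, transcribed from memory.

```python
import hashlib
import hmac
import secrets

# 1024-bit group from RFC 5054 Appendix A, transcribed from memory; verify it before any real use.
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7496EA81D3383B4813"
        "D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885"
        "C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
CHALLENGE = (401, {"WWW-Authenticate": 'SRP realm="example"'})  # reply to an unauthenticated request
KINDS = {frozenset({"username", "A"}): "client-hello",        # field names are hypothetical,
         frozenset({"sid", "client-pop"}): "client-proof",    # not the draft's
         frozenset({"sid", "nonce", "mac"}): "session"}

def pad(x): return x.to_bytes(128, "big")
def H(*parts): return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")
def mac(K, *parts): return hmac.new(K, b"".join(parts), hashlib.sha256).hexdigest()
def classify(p): return KINDS.get(frozenset(p), "malformed")  # by field presence only, never guessed
k = H(pad(N), pad(g))  # SRP-6a multiplier
def parse_params(value):  # 'k1="v1", k2="v2"' -> dict (hex/token values only)
    pairs = (item.strip().partition("=") for item in value.split(","))
    return {key: val.strip('"') for key, _, val in pairs}

def make_verifier(username, password):
    salt = secrets.token_bytes(16)
    return salt, pow(g, H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest()), N)

class SrpServer:
    def __init__(self, users):
        self.users = users  # username -> (salt, verifier)
        self.pending, self.sessions = {}, {}  # sid -> (A, B, b, v) awaiting proof; sid -> [K, next nonce]
    def handle(self, method, path, authorization):
        if not authorization or not authorization.startswith("SRP "): return CHALLENGE
        p = parse_params(authorization[4:])
        kind = classify(p)
        if kind == "client-hello":
            A = int(p["A"], 16)
            if A % N == 0 or p["username"] not in self.users:  # SRP-6a: abort on A == 0 mod N
                return CHALLENGE  # (a real server would fake salt/B to hide unknown users)
            salt, v = self.users[p["username"]]
            b, sid = 1 + secrets.randbelow(N - 1), secrets.token_hex(8)
            B = (k * v + pow(g, b, N)) % N
            self.pending[sid] = (A, B, b, v)
            return 401, {"WWW-Authenticate": f'SRP sid="{sid}", salt="{salt.hex()}", B="{B:x}"'}
        if kind == "client-proof":
            state = self.pending.pop(p["sid"], None)  # one proof attempt per sid
            if state is None: return CHALLENGE
            A, B, b, v = state
            K = hashlib.sha256(pad(pow(A * pow(v, H(pad(A), pad(B)), N) % N, b, N))).digest()
            M1 = mac(K, pad(A), pad(B))  # simplified proof; RFC 2945 hashes more fields
            if not hmac.compare_digest(M1, p["client-pop"]): return CHALLENGE
            nonce, M2 = secrets.token_hex(16), mac(K, pad(A), bytes.fromhex(M1))
            self.sessions[p["sid"]] = [K, nonce]
            return 200, {"Authentication-Info": f'SRP sid="{p["sid"]}", server-pop="{M2}", nextnonce="{nonce}"'}
        if kind == "session":
            sess = self.sessions.get(p["sid"])
            if sess is None or not hmac.compare_digest(sess[1], p["nonce"]) or not hmac.compare_digest(
                    mac(sess[0], f"{p['nonce']}:{method}:{path}".encode()), p["mac"]):
                return CHALLENGE  # unknown sid, stale/replayed nonce, or MAC not over this request
            sess[1] = secrets.token_hex(16)  # rotate: the nonce just consumed is dead
            return 200, {"Authentication-Info": f'SRP sid="{p["sid"]}", nextnonce="{sess[1]}"'}
        return 400, {}  # malformed: reject rather than guess which kind it was

class SrpClient:
    def __init__(self, username, password):
        self.username, self.password = username, password
        self.a = 1 + secrets.randbelow(N - 1)
        self.A = pow(g, self.a, N)
    def hello(self):
        return f'SRP username="{self.username}", A="{self.A:x}"'
    def proof(self, www_authenticate):
        p = parse_params(www_authenticate[4:])
        B, self.sid = int(p["B"], 16), p["sid"]
        if B % N == 0: raise ValueError("B == 0 mod N")  # SRP-6a: abort
        x = H(bytes.fromhex(p["salt"]), hashlib.sha256(f"{self.username}:{self.password}".encode()).digest())
        S = pow((B - k * pow(g, x, N)) % N, self.a + H(pad(self.A), pad(B)) * x, N)
        self.K = hashlib.sha256(pad(S)).digest()
        self.M1 = mac(self.K, pad(self.A), pad(B))
        return f'SRP sid="{self.sid}", client-pop="{self.M1}"'
    def verify_server(self, auth_info):
        p = parse_params(auth_info[4:])
        self.nonce = p["nextnonce"]  # the only nonce the next request may carry
        return hmac.compare_digest(mac(self.K, pad(self.A), bytes.fromhex(self.M1)), p["server-pop"])
    def session_request(self, method, path):
        tag = mac(self.K, f"{self.nonce}:{method}:{path}".encode())
        return f'SRP sid="{self.sid}", nonce="{self.nonce}", mac="{tag}"'

def run_exchange(password="correct horse"):  # returns the HTTP status codes seen, in order
    server = SrpServer({"alice": make_verifier("alice", "correct horse")})
    client = SrpClient("alice", password)
    s1, _ = server.handle("GET", "/secret", None)                      # 1: no credentials -> realm
    s2, h2 = server.handle("GET", "/secret", client.hello())           # 3: username, A -> salt, B, sid
    s3, h3 = server.handle("GET", "/secret", client.proof(h2["WWW-Authenticate"]))  # 5: client-pop
    if s3 != 200 or not client.verify_server(h3["Authentication-Info"]):
        return [s1, s2, s3]  # proof rejected (wrong password) or bad server-pop
    req = client.session_request("GET", "/secret")
    s4, _ = server.handle("GET", "/secret", req)  # cheap: one MAC check, no modexp
    s5, _ = server.handle("GET", "/secret", req)  # the same bytes again: replayed nonce
    return [s1, s2, s3, s4, s5]
```

run_exchange() walks the six messages and then two session requests; the last one is the byte-for-byte replay and is refused because the server had already rotated the nonce. Each sid also accepts exactly one client-pop, so a captured proof cannot be resubmitted either. The unknown-user branch simply returns the plain challenge here, which lets usernames be enumerated; a deployable server would answer with a fake salt and B instead.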