Re: [http-auth] [saag] [websec] re-call for IETF http-auth BoF
Yutaka OIWA <y.oiwa@aist.go.jp> Tue, 14 June 2011 22:46 UTC
Return-Path: <yutaka-oiwa-aist-temp@g.oiwa.jp>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F2E611E8144 for <http-auth@ietfa.amsl.com>; Tue, 14 Jun 2011 15:46:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.943
X-Spam-Level:
X-Spam-Status: No, score=-2.943 tagged_above=-999 required=5 tests=[AWL=0.034, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fd4I2+QjZNga for <http-auth@ietfa.amsl.com>; Tue, 14 Jun 2011 15:46:34 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id E5A6611E811E for <http-auth@ietf.org>; Tue, 14 Jun 2011 15:46:33 -0700 (PDT)
Received: by gxk19 with SMTP id 19so5204123gxk.31 for <http-auth@ietf.org>; Tue, 14 Jun 2011 15:46:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.151.29.2 with SMTP id g2mr39986ybj.109.1308091593279; Tue, 14 Jun 2011 15:46:33 -0700 (PDT)
Sender: yutaka@g.oiwa.jp
X-Google-Sender-Delegation: yutaka@g.oiwa.jp
Received: by 10.151.103.4 with HTTP; Tue, 14 Jun 2011 15:46:33 -0700 (PDT)
In-Reply-To: <BANLkTimT=_qyi5vNoe0tqw8od6mWsjfuzA@mail.gmail.com>
References: <BANLkTi=9TZU=pguCGhLHY+=GbCNjR6w-dA@mail.gmail.com> <E1QWLjG-0007nd-EG@login01.fos.auckland.ac.nz> <BANLkTimT=_qyi5vNoe0tqw8od6mWsjfuzA@mail.gmail.com>
Date: Wed, 15 Jun 2011 07:46:33 +0900
X-Google-Sender-Auth: bIWuwIZskZKs0zlP1QWrp3ZCdaY
Message-ID: <BANLkTi=PTXc_VxFsyyUB75X3=fH1ymPYTQ@mail.gmail.com>
From: Yutaka OIWA <y.oiwa@aist.go.jp>
To: Nico Williams <nico@cryptonector.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: public-identity@w3.org, http-auth@ietf.org
Subject: Re: [http-auth] [saag] [websec] re-call for IETF http-auth BoF
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jun 2011 22:46:34 -0000
2011/6/15 Nico Williams <nico@cryptonector.com>: > On Mon, Jun 13, 2011 at 11:59 PM, Peter Gutmann > <pgut001@cs.auckland.ac.nz> wrote: >> Phillip Hallam-Baker <hallam@gmail.com> writes: >>>what would we want HTTP authentication to look like? >> >> I have a suggestion for what it shouldn't look like: Any method that hands >> over the password (or a password-equivalent like a password in hashed form) as >> current browsers do should be banned outright, and anyone who implements >> hand-over-the-password should killed and eaten to prevent them from passing on >> the genes. > > +1. +1, although the original statement is a bit too strong in wording for me :-) > - Is this to be done in TLS? HTTP? Or at the application-layer? > > IMO: TLS is too low a layer to do authentication in, and doing it in > HTTP would require retrofitting too many HTTP stacks. Doing it at the > application layer has a number of advantages. IMO, I agree that TLS is too low. However, although the application layer use-case exists, I believe that for general use cases HTTP-auth layer is more appropriate, because the trust relationship becomes much simpler. Backward-compatibility is important, and all intermediates *should* and *in most cases will* work well with new http authentication that completely complies with existing HTTP auth framework design. All they've needed is just forward auth-related headers to the origin server. We've done some experiment around my proposal, and it worked quite well with all existing stacks, including proxies, "SSL accelerators" and load balancers. (Yes, we've carefully designed the protocol so that it can work in this way.) Do you need some more detail on it? Required code modification is almost the same magnitude in both cases, because we need to change the client, and to add some server-side thing. we can keep all other intermediates as it is. Some client-side change is necessary in both cases to make mutual authentication trustful and unforgeable. In server-side, http-layer authentication can be implemented in either in the server or in the application.
- Re: [http-auth] [saag] re-call for IETF http-auth… Yutaka OIWA
- Re: [http-auth] [saag] re-call for IETF http-auth… Tim
- Re: [http-auth] [saag] re-call for IETF http-auth… Nico Williams
- [http-auth] re-call for IETF http-auth BoF Yutaka OIWA
- Re: [http-auth] re-call for IETF http-auth BoF Harry Halpin
- Re: [http-auth] [saag] re-call for IETF http-auth… Hannes Tschofenig
- Re: [http-auth] [saag] re-call for IETF http-auth… Nico Williams
- Re: [http-auth] [saag] re-call for IETF http-auth… Tim
- Re: [http-auth] [saag] re-call for IETF http-auth… Marsh Ray
- Re: [http-auth] [saag] re-call for IETF http-auth… Nico Williams
- Re: [http-auth] [saag] re-call for IETF http-auth… Nico Williams
- Re: [http-auth] [saag] re-call for IETF http-auth… Stephen Farrell
- Re: [http-auth] [saag] re-call for IETF http-auth… Nico Williams
- Re: [http-auth] [saag] re-call for IETF http-auth… Marsh Ray
- Re: [http-auth] [saag] re-call for IETF http-auth… Nico Williams
- Re: [http-auth] re-call for IETF http-auth BoF Yutaka OIWA
- Re: [http-auth] re-call for IETF http-auth BoF Yutaka OIWA
- Re: [http-auth] re-call for IETF http-auth BoF Julian Reschke
- [http-auth] Fwd: re-call for IETF http-auth BoF Yutaka OIWA
- Re: [http-auth] [websec] re-call for IETF http-au… Phillip Hallam-Baker
- Re: [http-auth] [websec] re-call for IETF http-au… Alexey Melnikov
- Re: [http-auth] [saag] [websec] re-call for IETF … Peter Gutmann
- Re: [http-auth] [saag] [websec] re-call for IETF … Nico Williams
- Re: [http-auth] [websec] [saag] re-call for IETF … Stephen Farrell
- Re: [http-auth] [websec] [saag] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Yutaka OIWA
- Re: [http-auth] [saag] [websec] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Yutaka OIWA
- Re: [http-auth] [saag] [websec] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … KIHARA, Boku
- [http-auth] Fwd: [saag] [websec] re-call for IETF… KIHARA, Boku
- Re: [http-auth] [websec] Fwd: [saag] re-call for … Thomas Roessler
- Re: [http-auth] [saag] [websec] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Yutaka OIWA
- Re: [http-auth] [saag] [websec] re-call for IETF … Yutaka OIWA
- Re: [http-auth] [saag] [websec] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Peter Gutmann
- Re: [http-auth] [saag] [websec] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Josh Howlett
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Marc Williams
- Re: [http-auth] [saag] [websec] Fwd: re-call for … SHIMIZU, Kazuki
- Re: [http-auth] [saag] [websec] Fwd: re-call for … GOGWIM, JOEL GODWIN
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Nico Williams
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Henry B. Hotz
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Yutaka OIWA
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Yutaka OIWA
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Yaron Sheffer
- Re: [http-auth] [websec] [saag] Fwd: re-call for … Marsh Ray
- Re: [http-auth] [websec] [saag] Fwd: re-call for … Stephen Farrell
- Re: [http-auth] [saag] [websec] Fwd: re-call for … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Phillip Hallam-Baker
- Re: [http-auth] [websec] [saag] re-call for IETF … Thomas Fossati
- Re: [http-auth] [websec] [saag] re-call for IETF … Nico Williams
- Re: [http-auth] [saag] [websec] re-call for IETF … Henry B. Hotz