Re: [http-auth] Doing it the TLS mutual way...
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 15 June 2011 23:01 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92D7421F847E for <http-auth@ietfa.amsl.com>; Wed, 15 Jun 2011 16:01:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.599
X-Spam-Level:
X-Spam-Status: No, score=-104.599 tagged_above=-999 required=5 tests=[AWL=2.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hsu-sRAWvby4 for <http-auth@ietfa.amsl.com>; Wed, 15 Jun 2011 16:01:35 -0700 (PDT)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [134.226.32.56]) by ietfa.amsl.com (Postfix) with ESMTP id 90E9221F847D for <http-auth@ietf.org>; Wed, 15 Jun 2011 16:01:35 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 1FA7315356F; Thu, 16 Jun 2011 00:01:28 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1308178887; bh=V3TPLw//80xrrq i0pmAQQ21ZjzyljdqThQi2xiAJcJU=; b=Nn3yAS81G4lN3PC7CraQE69RJR2JNh cMPgn0ONCQqeQNB/RHKANwfEODv/0ADOOKsbDvQarxQjLisyVQaiyP7qneh69q5e BUbqXMzgyapxAbPm/YWoX1/S3BvdW4bgr/9CqYxNtDt//uoAHGy7/hCj+yu5QTih kf3mx18enSi0Cypz+bz7S4LfpkS9Ia+0S4+3vvkeCgrb1L/Ugfi14VNLNqukQSdD WAVJyjkurbRHpqdbjV6HZTbVfhf0SA2/4CCvx5GsqEeMHLhv7x+dSA214pe4BYal uaLT0Zsufu0qig8R/4bVhqlEdk2FOhqWaKmVZE37C6HhpCjjwBO88gOg==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id YphPy+z+YT2n; Thu, 16 Jun 2011 00:01:27 +0100 (IST)
Received: from [10.87.48.10] (unknown [86.45.58.227]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id A800A171C20; Thu, 16 Jun 2011 00:01:27 +0100 (IST)
Message-ID: <4DF939BC.9070401@cs.tcd.ie>
Date: Thu, 16 Jun 2011 00:01:16 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110424 Lightning/1.0b2 Thunderbird/3.1.10
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>
References: <4DF7D71B.2070004@cs.tcd.ie> <BANLkTinpwwYYfrDaWBp+_atZGRDBRe7rtg@mail.gmail.com>
In-Reply-To: <BANLkTinpwwYYfrDaWBp+_atZGRDBRe7rtg@mail.gmail.com>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Doing it the TLS mutual way...
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2011 23:01:40 -0000
Hi Nico. Skipping over stuff where I'd agree or maybe quibble a bit to the meaty part: On 15/06/11 20:53, Nico Williams wrote: > And yet I don't like this approach, nor any of the possible variants. > > I much prefer doing authentication at a higher layer, with channel > binding to TLS -- this would require zero changes to TLS (particularly > when using tls-server-end-point as the channel binding type) and HTTP > (at most one might need a new HTTP error code). Application-layer > authentication could even be implemented, on the server-side, as CGI > programs to get massive adoption to be trivial (no need to upgrade > existing code, just install new code). Whereas schemes based on TLS > user certs seem to require at least somewhat invasive changes to TLS > and HTTP. I don't think a TLS change is needed for this approach, other than maybe in terms of the interface between a server's TLS accelerator and the backend, however, there is a fair point that higher layer authentication is different and can be as good. I suspect that the TLS mutual approach might be easier to do, but that's just me arm-waving at this point really. I think that's ok though - I reckon we're at the point of trying to identify options that can meet our security requirements. After that we'll have to see which, if any, of those might get real deployment and then figure out the relevant details. At least that where I think we're at. (And before anyone says it: I do not think we should go off and write up those requirements in an RFC. This is not our first attempt at this and the minutiae of the requirements matter far less than adoption of something that's really better than current password schemes.) > Still, I'd live with this approach IF we also did something to improve > authentication of the service to the user. So far no one who proposes > TLS user cert approaches proposes any way to strengthen server > authentication, and that has me quite concerned: this may be the only > chance we get for many years to improve authentication of the servers > to the users -- let's not blow it! Better server auth is also a fair point - however that might be somewhat less pressing were client credentials not immediately stealable from backend databases. Could be that DANE might provide an approach to help in that respect were we to take this TLS mutual approach. I totally agree that *if* this activity results in something new actually being deployed then we better do a good job because we won't get another chance if we do a bad job. However, I also think that we had better not scare off the punters by demanding more security perfection than is possible. Put another way - actual deployment here trumps most things so long as whatever gets deployed is a real improvement. S.
- [http-auth] Doing it the TLS mutual way... Stephen Farrell
- Re: [http-auth] Doing it the TLS mutual way... Nico Williams
- Re: [http-auth] Doing it the TLS mutual way... Stephen Farrell
- Re: [http-auth] Doing it the TLS mutual way... Nico Williams