Re: Fwd: [http-auth] WGLC for draft-ietf-httpauth-hoba-04
Amos Jeffries <squid3@treenet.co.nz> Tue, 23 September 2014 06:39 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97D1D1A1A2B for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 22 Sep 2014 23:39:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.688
X-Spam-Level:
X-Spam-Status: No, score=-7.688 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.786, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4_Po-vzQUiKa for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 22 Sep 2014 23:39:52 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 127D21A02FC for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 22 Sep 2014 23:39:52 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1XWJj0-0001c4-2L for ietf-http-wg-dist@listhub.w3.org; Tue, 23 Sep 2014 06:37:22 +0000
Resent-Date: Tue, 23 Sep 2014 06:37:22 +0000
Resent-Message-Id: <E1XWJj0-0001c4-2L@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <squid3@treenet.co.nz>) id 1XWJiR-0001XK-BN for ietf-http-wg@listhub.w3.org; Tue, 23 Sep 2014 06:36:47 +0000
Received: from 121-99-228-82.static.orcon.net.nz ([121.99.228.82] helo=treenet.co.nz) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <squid3@treenet.co.nz>) id 1XWJiQ-0003NG-7u for ietf-http-wg@w3.org; Tue, 23 Sep 2014 06:36:47 +0000
Received: from [192.168.2.97] (unknown [203.184.52.78]) by treenet.co.nz (Postfix) with ESMTP id 460E6E6FF6 for <ietf-http-wg@w3.org>; Tue, 23 Sep 2014 18:36:13 +1200 (NZST)
Message-ID: <542114CF.3040204@treenet.co.nz>
Date: Tue, 23 Sep 2014 18:35:59 +1200
From: Amos Jeffries <squid3@treenet.co.nz>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: ietf-http-wg@w3.org
References: <8A2A44BA-D6DC-4588-A456-0796208F4BBD@gmail.com> <FEB91DAA-7736-4468-A736-097295D06115@mnot.net>
In-Reply-To: <FEB91DAA-7736-4468-A736-097295D06115@mnot.net>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=121.99.228.82; envelope-from=squid3@treenet.co.nz; helo=treenet.co.nz
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-3.450, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TVD_RCVD_IP=0.001
X-W3C-Scan-Sig: lisa.w3.org 1XWJiQ-0003NG-7u 3a6362c1a34fd4d6714df8a9b359d9d5
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Fwd: [http-auth] WGLC for draft-ietf-httpauth-hoba-04
Archived-At: <http://www.w3.org/mid/542114CF.3040204@treenet.co.nz>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/27163
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 23/09/2014 9:50 a.m., Mark Nottingham wrote: > FYI; please have a look over this with an HTTP eye (and note that > the intended status is Experimental). > > <https://tools.ietf.org/html/draft-ietf-httpauth-hoba-04> > > Cheers, > > > Begin forwarded message: > >> From: Yoav Nir <ynir.ietf@gmail.com> Subject: [http-auth] WGLC >> for draft-ietf-httpauth-hoba-04 Date: 21 September 2014 10:48:58 >> pm PDT To: IETF HTTP Auth <http-auth@ietf.org> Archived-At: >> http://mailarchive.ietf.org/arch/msg/http-auth/3B6SxPqTEQ6KadDvXMDmqQhZEiQ >> >> >> Hi all >> >> Stephen, Paul, and Michael submitted version -04 about a month >> ago, and it has received no discussion so far. The authors are >> of the opinion that the document is ready for publication, and >> it’s time for the group to weigh in on this subject. >> >> This mail begins working group last call for this document. >> Please take the time to read the draft and send comments to the >> list about its security, applicability, usefulness, and any other >> aspect you wish to discuss. For guidance on what to look for, let >> me quote the following from our charter: The httpauth WG will be >> a short-lived working group that will document a small number of >> HTTP user authentication schemes that might offer security >> benefits, and that could, following experimentation, be widely >> adopted as standards-track schemes for HTTP user authentication. >> Each of these RFCs will be Informational or Experimental, and >> should include a description of when use of its mechanism is >> appropriate, via a use-case or other distinguishing >> characteristics. The WGLC is two weeks long, and ends on October >> 6th. Please send your reviews as replies to this message. >> >> Thanks, >> >> Yoav & Matt _______________________________________________ >> http-auth mailing list http-auth@ietf.org >> https://www.ietf.org/mailman/listinfo/http-auth > > -- Mark Nottingham http://www.mnot.net/ > Looks like the HTTP specific part is almost a duplicate of RFC 6750 OAuth 2.0 Bearer authentication. One could re-write this specification by doing: * reference Bearer specification, * add expires= and challenge= (code=?) parameters on www-auth header, * add a scope parameter value "hoba:origin", * prohibit token re-use/replay, * prohibit URI-query and payload delivery mechanisms * define section 5 and section 6 using RFC 6749 credential management parameters and mechanisms. Doing so would avoid both the need to register a new authentication scheme, and "well-known" URI space. Amos -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQEcBAEBAgAGBQJUIRTPAAoJELJo5wb/XPRjHtcH/RSHv9Zg9YUnZw3q2Q/lsobX xa8cvK1LrEjrtlEBGG+R3I8G5y4WDNqhowEsbHk1hMv2Kn+WN1ZCmzSM32KWBd+X HalPfFlWvIctKd/M2uVe9DBXJS6GLVAGR1YhY2siBMN3G2umOgf2TCgS70NnXwVq W2o7xhvYwBpX1NjrxOEQTYG7B7HDYUM1oVXGjXMTjt0GhAopIS8xXXkXrxqS82kG gdZQ1EFfyci3TJD17zvbpGBhTEjT/ZTD5B8DY/2trdLq3MZ7FvSDBtoUwi1Ornm8 EMFnr/8kldKG+77xqSNrfBlBnUqWfEI+epzFqKBD9wdaHVn0JE9RR+XL/7SngN0= =gNel -----END PGP SIGNATURE-----
- Fwd: [http-auth] WGLC for draft-ietf-httpauth-hob… Mark Nottingham
- Re: Fwd: [http-auth] WGLC for draft-ietf-httpauth… Amos Jeffries