Re: [http-auth] Last Call: <draft-ietf-httpauth-hoba-07.txt> (HTTP Origin-Bound Authentication (HOBA)) to Experimental RFC
Julian Reschke <julian.reschke@greenbytes.de> Wed, 24 December 2014 11:40 UTC
Return-Path: <julian.reschke@greenbytes.de>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AE711A9073; Wed, 24 Dec 2014 03:40:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.561
X-Spam-Level:
X-Spam-Status: No, score=-3.561 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, HELO_EQ_DE=0.35, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KP-oXMSQfgVw; Wed, 24 Dec 2014 03:40:17 -0800 (PST)
Received: from mail.greenbytes.de (mail.greenbytes.de [217.91.35.233]) by ietfa.amsl.com (Postfix) with ESMTP id 15E741A9072; Wed, 24 Dec 2014 03:40:17 -0800 (PST)
Received: from [192.168.2.160] (unknown [84.187.46.235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mail.greenbytes.de (Postfix) with ESMTPSA id C9EA715A0424; Wed, 24 Dec 2014 12:40:15 +0100 (CET)
Message-ID: <549AA61C.1010901@greenbytes.de>
Date: Wed, 24 Dec 2014 12:40:12 +0100
From: Julian Reschke <julian.reschke@greenbytes.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, ietf@ietf.org
Subject: Re: [http-auth] Last Call: <draft-ietf-httpauth-hoba-07.txt> (HTTP Origin-Bound Authentication (HOBA)) to Experimental RFC
References: <20141210142247.26304.1220.idtracker@ietfa.amsl.com> <549033EE.2070302@greenbytes.de> <549AA041.1070401@cs.tcd.ie>
In-Reply-To: <549AA041.1070401@cs.tcd.ie>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/DTCSKdP3PbmAJnF7M7qhSuWqz9g
X-Mailman-Approved-At: Wed, 31 Dec 2014 21:32:40 -0800
Cc: http-auth@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Dec 2014 11:40:20 -0000
On 2014-12-24 12:15, Stephen Farrell wrote: > ... >> 2. The HOBA Authentication Scheme >> >> HOBA-TBS = len ":" nonce >> len ":" alg >> len ":" origin >> len ":" [ realm ] >> len ":" kid >> len ":" challenge >> len = 1*DIGIT >> nonce = 1*base64urlchars >> alg = 1*2DIGIT >> origin = scheme "://" authority ":" port >> realm = unreserved >> kid = 1*base64urlchars >> challenge = 1*base64urlchars >> ; Characters for Base64URL encoding from Table 2 of RFC 4648 >> base64urlchars = %x30-39 ; Digits >> / %x41-5A ; Uppercase letters >> / %x61-7A ; Lowercase letters >> / "-" / "_" / "=" ; Special characters >> >> Figure 1: To-be-signed data for HOBA >> >> ...specify a proper ABNF production for "unreserved". > > What? I don't know what you mean there. I added a pointer to > 2.2 of RFC 7235 though, is that enough? What's the ABNF for "unreserved"? >> ... >> >> The registration message for HOBA-http is sent as a POST message to >> the URL ".well-known/hoba/register" with an HTML form (x-www-form- >> encoded) described below; The registration message for HOBA-js can be >> >> Need citation for payload format. > > To RFC 1867? Added that (though it's been obsoleted). Happy to > replace with a better ref so long as that better ref is not a > work-in-progress:-) <http://www.w3.org/TR/2014/REC-html5-20141028/forms.html#url-encoded-form-data> I assume. > ... >> when the registration has succeded to indicate the new state. The >> header to be used is "Hobareg" and the value when registration has >> succeeded is to be "regok". When registration is inwork (e.g. on an >> HTTP response for an interstitial page) the server MAY add this >> header with a value of "reginwork". See Section 9.6 for the relevant >> IANA registration of this header field. >> >> Could this use the Authentication-Info header field currently defined in >> DIGEST? > > Maybe but would prefer to not entwine with DIGEST in that way. > Seems like all we'd get is delay and no benefit. ...that supports my p.o.v. that it should be in a separate spec :-) > ... >> 6.3. Logging Out >> >> >> The user can tell the server it wishes to log out. With HOBA-http, >> this is done by sending any HOBA-authenticated HTTP message to the >> URL ".well-known/hoba/logout" on the site in question. The UA SHOULD >> also delete session cookies associated with the session so that the >> user's state is no longer "logged in." >> >> Nope. Don't define this for GET (or any "safe" method). POST would work. > > Sorry I'm not seeing why that is GET specific? I agree POST should be > fine too, but think that is allowed by the above. GET is defined as safe, and safe is defined as: "Request methods are considered "safe" if their defined semantics are essentially read-only; i.e., the client does not request, and does not expect, any state change on the origin server as a result of applying a safe method to a target resource. Likewise, reasonable use of a safe method is not expected to cause any harm, loss of property, or unusual burden on the origin server." -- <http://svn.tools.ietf.org/svn/wg/httpbis/specs/rfc7231.html#rfc.section.4.2.1.p.1> So you can't have GET perform a logout. > ... >> Appendix B. Example >> >> >> The following values show an example of HOBA-http authentication to >> the origin https://example.com:443 Carriage-returns have been added >> >> s/443/443./ > > Sure, though not sure what RFC editor prefers there (for URLs at > the end of sentences) but they can fix if needed. In doubt, put it the URI in delimiters... Best regards, Julian
- Re: [http-auth] Last Call: <draft-ietf-httpauth-h… Julian Reschke
- Re: [http-auth] Last Call: <draft-ietf-httpauth-h… Julian Reschke
- Re: [http-auth] Last Call: <draft-ietf-httpauth-h… Stephen Farrell
- Re: [http-auth] Last Call: <draft-ietf-httpauth-h… Stephen Farrell
- Re: [http-auth] Last Call: <draft-ietf-httpauth-h… Stephen Farrell
- Re: [http-auth] Last Call: <draft-ietf-httpauth-h… Julian Reschke