Re: [http-auth] Last Call: <draft-ietf-httpauth-hoba-07.txt> (HTTP Origin-Bound Authentication (HOBA)) to Experimental RFC

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 24 December 2014 13:45 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53B611A8AB7; Wed, 24 Dec 2014 05:45:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.91
X-Spam-Level:
X-Spam-Status: No, score=-3.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WmNyWDi-I22U; Wed, 24 Dec 2014 05:45:21 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A4D81A8A8A; Wed, 24 Dec 2014 05:45:21 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 716D0BF09; Wed, 24 Dec 2014 13:45:19 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Omq-i7qHSbHE; Wed, 24 Dec 2014 13:45:17 +0000 (GMT)
Received: from [10.87.48.11] (unknown [86.42.31.173]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 9A1B7BF20; Wed, 24 Dec 2014 13:45:17 +0000 (GMT)
Message-ID: <549AC36D.9050205@cs.tcd.ie>
Date: Wed, 24 Dec 2014 13:45:17 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Julian Reschke <julian.reschke@greenbytes.de>, ietf@ietf.org
Subject: Re: [http-auth] Last Call: <draft-ietf-httpauth-hoba-07.txt> (HTTP Origin-Bound Authentication (HOBA)) to Experimental RFC
References: <20141210142247.26304.1220.idtracker@ietfa.amsl.com> <549033EE.2070302@greenbytes.de> <549AA041.1070401@cs.tcd.ie> <549AA61C.1010901@greenbytes.de>
In-Reply-To: <549AA61C.1010901@greenbytes.de>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/MFVt96aHuuAE-SDLdxXGHVZQGNc
Cc: http-auth@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Dec 2014 13:45:24 -0000

Hiya,

Thanks for the follow up...

On 24/12/14 11:40, Julian Reschke wrote:
> On 2014-12-24 12:15, Stephen Farrell wrote:
>> ...
>>> 2. The HOBA Authentication Scheme
>>>
>>>     HOBA-TBS = len ":" nonce
>>>                len ":" alg
>>>                len ":" origin
>>>                len ":" [ realm  ]
>>>                len ":" kid
>>>                len ":" challenge
>>>     len = 1*DIGIT
>>>     nonce = 1*base64urlchars
>>>     alg = 1*2DIGIT
>>>     origin = scheme "://" authority ":" port
>>>     realm = unreserved
>>>     kid = 1*base64urlchars
>>>     challenge = 1*base64urlchars
>>>     ; Characters for Base64URL encoding from Table 2 of RFC 4648
>>>     base64urlchars = %x30-39             ; Digits
>>>                      / %x41-5A           ; Uppercase letters
>>>                      / %x61-7A           ; Lowercase letters
>>>                      / "-" / "_" / "="   ; Special characters
>>>
>>>                     Figure 1: To-be-signed data for HOBA
>>>
>>> ...specify a proper ABNF production for "unreserved".
>>
>> What? I don't know what you mean there. I added a pointer to
>> 2.2 of RFC 7235 though, is that enough?
> 
> What's the ABNF for "unreserved"?

See p18 of RFC 3986. I (sadly) added yet another comment
around the already overloaded abnf there. (Sadly, because I
think we're now documenting this assuming all developers are
dim, which if sad if correct, and sad if incorrect;-)

> 
>>>     ...
>>>
>>>     The registration message for HOBA-http is sent as a POST message to
>>>     the URL ".well-known/hoba/register" with an HTML form (x-www-form-
>>>     encoded) described below; The registration message for HOBA-js
>>> can be
>>>
>>> Need citation for payload format.
>>
>> To RFC 1867? Added that (though it's been obsoleted). Happy to
>> replace with a better ref so long as that better ref is not a
>> work-in-progress:-)
> 
> <http://www.w3.org/TR/2014/REC-html5-20141028/forms.html#url-encoded-form-data>
> I assume.

Lovely.

> 
>> ...
>>>     when the registration has succeded to indicate the new state.  The
>>>     header to be used is "Hobareg" and the value when registration has
>>>     succeeded is to be "regok".  When registration is inwork (e.g. on an
>>>     HTTP response for an interstitial page) the server MAY add this
>>>     header with a value of "reginwork".  See Section 9.6 for the
>>> relevant
>>>     IANA registration of this header field.
>>>
>>> Could this use the Authentication-Info header field currently defined in
>>> DIGEST?
>>
>> Maybe but would prefer to not entwine with DIGEST in that way.
>> Seems like all we'd get is delay and no benefit.
> 
> ...that supports my p.o.v. that it should be in a separate spec :-)

Sure. And when it is and if HOBA is put on the standards-track
those can be better aligned if that's seen as useful.

> 
>> ...
>>> 6.3. Logging Out
>>>
>>>
>>>     The user can tell the server it wishes to log out.  With HOBA-http,
>>>     this is done by sending any HOBA-authenticated HTTP message to the
>>>     URL ".well-known/hoba/logout" on the site in question.  The UA
>>> SHOULD
>>>     also delete session cookies associated with the session so that the
>>>     user's state is no longer "logged in."
>>>
>>> Nope. Don't define this for GET (or any "safe" method). POST would work.
>>
>> Sorry I'm not seeing why that is GET specific? I agree POST should be
>> fine too, but think that is allowed by the above.
> 
> GET is defined as safe, 

Ah sorry, I mis-read your comment. You're right. Luckily, that's
what the code I've seen does anyway:-) But that's a good catch.

> and safe is defined as:
> 
> "Request methods are considered "safe" if their defined semantics are
> essentially read-only; i.e., the client does not request, and does not
> expect, any state change on the origin server as a result of applying a
> safe method to a target resource. Likewise, reasonable use of a safe
> method is not expected to cause any harm, loss of property, or unusual
> burden on the origin server." --
> <http://svn.tools.ietf.org/svn/wg/httpbis/specs/rfc7231.html#rfc.section.4.2.1.p.1>
> 
> 
> So you can't have GET perform a logout.

Changed that to say use POST.

> 
>> ...
>>> Appendix B. Example
>>>
>>>
>>>     The following values show an example of HOBA-http authentication to
>>>     the origin https://example.com:443 Carriage-returns have been added
>>>
>>> s/443/443./
>>
>> Sure, though not sure what RFC editor prefers there (for URLs at
>> the end of sentences) but they can fix if needed.
> 
> In doubt, put it the URI in delimiters...

Or... If in doubt, wait and see what RFC editor prefers:-)

The above changes applied as before at [1,2]. If there's no
more follow up, I'll publish that in a couple of days.

Cheers,
S.


[1] https://down.dsg.cs.tcd.ie/misc/draft-ietf-httpauth-hoba-08.txt
[2]
https://tools.ietf.org/rfcdiff?url1=draft-ietf-httpauth-hoba-07.txt&url2=https://down.dsg.cs.tcd.ie/misc/draft-ietf-httpauth-hoba-08.txt

> 
> Best regards, Julian