Re: [http-auth] Last Call: <draft-ietf-httpauth-hoba-07.txt> (HTTP Origin-Bound Authentication (HOBA)) to Experimental RFC
Julian Reschke <julian.reschke@gmx.de> Tue, 16 December 2014 13:31 UTC
Return-Path: <julian.reschke@gmx.de>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F2731A1B0C; Tue, 16 Dec 2014 05:31:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.9
X-Spam-Level:
X-Spam-Status: No, score=-3.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, GB_I_LETTER=-2, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dcZs6rtx2Oeo; Tue, 16 Dec 2014 05:31:49 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C6EB1A1AEA; Tue, 16 Dec 2014 05:31:49 -0800 (PST)
Received: from [192.168.1.26] ([217.91.35.233]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0LqQzp-1XNfnP2yqP-00e65R; Tue, 16 Dec 2014 14:31:47 +0100
Message-ID: <5490343F.9070006@gmx.de>
Date: Tue, 16 Dec 2014 14:31:43 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: ietf@ietf.org
Subject: Re: [http-auth] Last Call: <draft-ietf-httpauth-hoba-07.txt> (HTTP Origin-Bound Authentication (HOBA)) to Experimental RFC
References: <20141210142247.26304.1220.idtracker@ietfa.amsl.com>
In-Reply-To: <20141210142247.26304.1220.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:JLxdjGj3AoezCUWNonYnElHLfouSM2v/lM0cOg8pBgLAnIgo7UV oEBHVpozjYr3brP+dFbC6nuiSeuVzCWupvZLmAR3aCDZgl6LF9Np3b+jMGXSDc2CZMk/Fuk roGAvTYIoV4BebnpCLFyVUa47GLiNxeB46xn6rXOOR6OsqMN1Y61YB2fNmPyD+NNzeOoTMj PbPIt5c9/k28uKkjbFFMQ==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/kisL_FjL95_p8bsrh3mLAXSqjpo
Cc: http-auth@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Dec 2014 13:31:53 -0000
Hi there, see below my feedback on draft-ietf-httpauth-hoba-07. Best regards, Julian -- feedback here -- 1. Introduction HTTP Origin-Bound Authentication (HOBA) is an authentication design that can be used as an HTTP authentication scheme [RFC7235] and for Javascript-based authentication embedded in HTML. The main goal of HOBA is to offer an easy-to-implement authentication scheme that is not based on passwords, but that can easily replace HTTP or HTML forms-based password authentication. Deployment of HOBA can reduce or eliminate password entries in databases, with potentially significant security benefits. "HTTP or HTML forms-based password authentication" reads weird. Maybe "HTTP authentication [RFC7235] or authentication based on HTML forms and cookies [ref]"? HOBA is an HTTP authentication mechanism that complies with the framework for such schemes [RFC7235]. As a JavaScript design, HOBA demonstrates a way for clients and servers to interact using the same credentials that are used by the HTTP authentication scheme. Also confusing. Maybe state upfront that you define two different protocols (sharing algorithms), one as HTTP auth scheme, one using JS. When done, use terminology conistently ("HOBA", HOBA HTTP auth scheme", "HOBA JS whatever"). [I see you later defined HOBA-http and HOBA-js; maybe do this earlier] Current username/password authentication methods such as HTTP Basic, HTTP Digest, and web forms have been in use for many years but are Maybe add citations for these schemes? ... HOBA session management is identical to username/password session management, with a server-side session management tool or script inserting a session cookie into the output to the browser. HOBA still requires TLS to prevent session cookie hijacking. At this point you absolutely need to cite the Cookie spec. HOBA keys are "bare keys", so there is no need for the semantic overhead of PKIX certificates, particularly with respect to naming and trust anchors. The client public key ("CPK") structures in HOBA do not have any publicly-visible identifier for the user who possesses the corresponding private key, nor the web-origin with which the client is using the CPK. Expand "PKIX". HOBA also defines some services that are required for modern HTTP authentication: Avoid lowercase BCP14 terms. Also, don't understand "modern" here ... 1.1. Interfacing to Applications (Cookies) HOBA can be used as a drop-in replacement for password-based user authentication schemes used in common web applications. The simplest way is to (re-)direct the UA to a HOBA "Login" URL and for the response to a successful HTTP request containing a HOBA signature to set a session cookie [RFC6265]. Further interactions with the web application will then be secured via the session cookie, as is commonly done today. Does this apply to the HTTP authentication scheme, too? 1.2. Terminology ... This specification uses the Augmented Backus-Naur Form (ABNF) notation of [RFC5234] s/[RFC5234]/[RFC5234]./ Account: The term "account" is (loosely) used to refer to whatever data structure(s) the server maintains that are associated with an identity. That will contain of at least one CPK and a web-origin; it will also optionally include an HTTP "realm" as defined in the HTTP authentication specification. [RFC7235]. It might also involve many s/. [RFC7235]./[RFC7235]./ ... 2. The HOBA Authentication Scheme HOBA-TBS = len ":" nonce len ":" alg len ":" origin len ":" [ realm ] len ":" kid len ":" challenge len = 1*DIGIT nonce = 1*base64urlchars alg = 1*2DIGIT origin = scheme "://" authority ":" port realm = unreserved kid = 1*base64urlchars challenge = 1*base64urlchars ; Characters for Base64URL encoding from Table 2 of RFC 4648 base64urlchars = %x30-39 ; Digits / %x41-5A ; Uppercase letters / %x61-7A ; Lowercase letters / "-" / "_" / "=" ; Special characters Figure 1: To-be-signed data for HOBA ...specify a proper ABNF production for "unreserved". ...say where scheme, authority etc come from. ...maybe clarify that all of these characters are in US-ASCII (wrt to encoding into octets) ... o nonce: is a random value chosen by the UA and MUST be base64url encoded before being included in the HOBA-TBS value. (base64url encoding is defined in [RFC4648].) UAs MUST be able to use at least 32 bits of randomness in generating a nonce. UAs SHOULD be able to use 64 or more bits of randomness for nonces. "MUST be able to use"... doesn't sound testable. ... The HOBA "client result" is a dot-separated string that includes the signature and is sent in the HTTP Authorized header field value using "Authorized"? 3. Introduction to the HOBA-http Mechanism ... o A "max-age" attribute MUST be included that specifies the number of seconds from the time the HTTP response is emitted for which responses to this challenge can be accepted for example "max-age: 10" would indicatge ten seconds. If max-age is set to zero, then that means that only one signature will be accepted for this challenge. s/indicatge/indicate/ o A "realm" attribute MAY be included to indicate the scope of protection in the manner described in HTTP/1.1, Part 7 [RFC7235]. The "realm" attribute MUST NOT appear more than once. ... additional mechanisms to validate the signature. If the validation fails, or if the server chooses reject the signature for any reason whatsoever, the server aborts the transaction via a 401 Unauthorized HTTP response. "..fails the request with a 401..." (I'd prefer not to speak of transactions here) Note that a HOBA signature is good for however long a non-zero max- age attribute allows. This means that replay is possible within the s/attribute/parameter/ ... 4. Introduction to the HOBA-js Mechanism ... One element is required for HOBA-js: localStorage (see http:// www.w3.org/TR/webstorage/) from HTML5 can be used for persistent key Add proper reference. storage. For example, an implementation would store a dictionary account identifier, public key and private key tuples in the origin's localStorage for subsequent authentication requests. How this information is actually stored in localStorage is an implementation detail. This type of key storage relies on the security properties of the same-origin policy that localStorage enforces. See the security considerations for discussion about attacks on localStorage. Note that IndexedDB (See http://www.w3.org/TR/IndexedDB/) is an alternative to localStorage that can also be used here. And here. Because of JavaScript's same-origin policy, scripts from subdomains do not have access to the same localStorage that scripts in their parent domains do. For larger or more complex sites, this could be an issue that requires enrollment into subdomains, which could be a hassle for users. One way to get around this is to use session cookies because they can be used across subdomains. That is, with HOBA-js, the user might log in using a single well-known domain, and then the server uses session cookies to navigate around a site. Another element will be highly desirable for HOBA-js when it becomes available: WebCrypto (see http://www.w3.org/TR/WebCryptoAPI). In lieu of WebCrypto, JavaScript crypto libraries can be employed with the known deficiencies of their pseudo-random number generators and the general immaturity of those libraries. And here. 5.3. Authentication Phase ... If this stage of the process involves additional information for authentication, such as asking the user which account she wants to use (in the case where a UA is used for multiple accounts on a site), the server can prompt the user for account identifying information or the user could choose based on HTML offered by the server before the 401 is triggered. None of this is standardized: it all follows the s/401/401 response/ server's security policy and session flow. At the end of this, the server probably assigns or updates a session cookie for the client. 6. Other Parts of the HOBA Process ... There are many use cases for these URLs to redirect to other URLs: a site that does registration through a federated site, a site that only does registration under HTTPS, and so on. Like any HTTP client, HOBA-http clients have to be able to handle redirection of these URLs. However, as that would potentially cause security issues when s/URLs/requests/ 6.1. Registration Normally, a registration (also called "joining") is expected to happen after a UA receives a WWW-Authenticate for a web-origin and s/WWW-Authenticate/401 response/ (right?) ... The registration message for HOBA-http is sent as a POST message to the URL ".well-known/hoba/register" with an HTML form (x-www-form- encoded) described below; The registration message for HOBA-js can be Need citation for payload format. Why does this need to be an HTML form, btw? ... o did: a UTF8 string that specifies the device identifier. This can be used to help a user be confident that authentication has worked, e.g., following authentication some web content might say "You last logged in from device 'did' at time T." An example would be good to people note that many characters (plus all non-ASCII characters) need to be percent-escaped in this payload format. 6.1.1. Hobareg Definition ... For this reason the server MUST add a header to the response message s/header/header field/ when the registration has succeded to indicate the new state. The header to be used is "Hobareg" and the value when registration has succeeded is to be "regok". When registration is inwork (e.g. on an HTTP response for an interstitial page) the server MAY add this header with a value of "reginwork". See Section 9.6 for the relevant IANA registration of this header field. Could this use the Authentication-Info header field currently defined in DIGEST? ... o Only one single value is allowed in a Hobareg header field. Should more than one (a list) be encountered, that should be interpreted as being the same as "inwork." Misleading; just state that any ABNF-invalid value is to be interpreted as "inwork". ... o Since Hobareg is only meant for responses it ought not appear in a PUT request. Drop the part about PUT; not allowed in request means not allowed in requests... ... o Intermediaries should never insert, delete or modify a Hobareg header field. SHOULD? or even MUST? 6.2. Associating Additional Keys to an Exiting Account I'll assume you meant to say "Existing" 6.3. Logging Out The user can tell the server it wishes to log out. With HOBA-http, this is done by sending any HOBA-authenticated HTTP message to the URL ".well-known/hoba/logout" on the site in question. The UA SHOULD also delete session cookies associated with the session so that the user's state is no longer "logged in." Nope. Don't define this for GET (or any "safe" method). POST would work. 8.1. Privacy considerations HOBA does impact to some extent on privacy and could be considered to s/on// represent a super-cookie to the server, or to any entity on the path from UA to HTTP server that can see the HOBA signature. This is because we need to send a key identifier as part of the signature and that will not vary for a given key. For this reason, and others, it is strongly RECOMMENDED to only use HOBA over server-authenticated TLS and to migrate web sites using HOBA to only use "https" URLs. UAs SHOULD provide users a way to manage their CPKs. Ideally, there would be a way for a user to maintain their HOBA details for a site while at the same time deleting other site information such as cookies or non-HOBA HTML5 LocalStorage. However, as this is likely to be complex and appropriate user interfaces counter intutitive, we exepect that UAs that implement HOBA will likely treat HOBA s/exepect/expect/ information as just some more site data, that would disappear should the user choose to "forget" that site. 9.6. Hobareg HTTP Header s/Header/Header Field/ 12.1. Normative References 12.2. Informative References [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, October 2006. This is likely normative. [bonneau] Bonneau, , "The science of guessing: analyzing an anonymized corpus of 70 million passwords.", Security and Privacy (SP), 2012 IEEE Symposium on. IEEE, 2012. , 2012. This reference looks broken (interpunction-wise). Appendix A. Problems with Passwords ... Using memorizable passwords on unencrypted channels also poses risks to the users. If a web site uses either the HTTP Plain s/Plain/Basic/ ? (also add ref) Appendix B. Example The following values show an example of HOBA-http authentication to the origin https://example.com:443 Carriage-returns have been added s/443/443./
- Re: [http-auth] Last Call: <draft-ietf-httpauth-h… Julian Reschke
- Re: [http-auth] Last Call: <draft-ietf-httpauth-h… Julian Reschke
- Re: [http-auth] Last Call: <draft-ietf-httpauth-h… Stephen Farrell
- Re: [http-auth] Last Call: <draft-ietf-httpauth-h… Stephen Farrell
- Re: [http-auth] Last Call: <draft-ietf-httpauth-h… Stephen Farrell
- Re: [http-auth] Last Call: <draft-ietf-httpauth-h… Julian Reschke