Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg
Sam Hartman <hartmans-ietf@mit.edu> Wed, 18 February 2015 21:45 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 087D01A1AFB for <oauth@ietfa.amsl.com>; Wed, 18 Feb 2015 13:45:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0-3ryAa_T7ZH for <oauth@ietfa.amsl.com>; Wed, 18 Feb 2015 13:45:48 -0800 (PST)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 625151A1AE2 for <oauth@ietf.org>; Wed, 18 Feb 2015 13:45:48 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 8042D20614; Wed, 18 Feb 2015 16:44:58 -0500 (EST)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ozmkaq92Kgky; Wed, 18 Feb 2015 16:44:58 -0500 (EST)
Received: from carter-zimmerman.suchdamage.org (gain1-180.nortex.net [63.160.158.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Wed, 18 Feb 2015 16:44:57 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id A3F698081B; Wed, 18 Feb 2015 16:45:06 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
References: <CAHbuEH587HcqaqTMrmLPXQimRAaS2j1Uv+BC-0UHeyBwC8+3Uw@mail.gmail.com>
Date: Wed, 18 Feb 2015 16:45:06 -0500
In-Reply-To: <CAHbuEH587HcqaqTMrmLPXQimRAaS2j1Uv+BC-0UHeyBwC8+3Uw@mail.gmail.com> (Kathleen Moriarty's message of "Wed, 11 Feb 2015 18:06:51 -0500")
Message-ID: <tsl61ayopwd.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/dJ1ofAHEr0_h-YW3wLkooTG6cSU>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2015 21:45:50 -0000
>>>>> "Kathleen" == Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> writes: Kathleen> registry, but setting HTTP Basic as the default seems like Kathleen> a really bad choice. HOBA is on it's way to becoming an Kathleen> RFC from the HTTPAuth working group. HTTPAuth also has an Kathleen> updated version of Basic that is in IETF last call, but I Kathleen> know you are pointing to the OAuth 2.0 document, so it Kathleen> would be that document that gets updated and not this Kathleen> draft. The new version of HTTP Basic fixes some Kathleen> internationalization problems and spells out the security Kathleen> issues much more clearly, so it probably doesn't matter Kathleen> too much to update the reference, but maybe makes it more Kathleen> clear that basic is not a secure form of authentication. Kathleen> Can you provide some justification as to why this is okay Kathleen> to set basic as the default and add that to the draft? Kathleen> Section 2.3.1 of OAuth 2.0 just says this MUST be Kathleen> implemented, but that any HTTP schemes can be used. Why Kathleen> not register another method and use that instead as the Kathleen> default? You could use digest and there is library Kathleen> support. It's not a great answer, but slightly better Kathleen> than passwords with basic. You could register HOBA and Kathleen> use that instead, the only downside is limited library Kathleen> support at the moment. I'm disappointed to be reading the above, particularly the last sentence, today. I'd hope that we'd have a better wide-spread understanding of the issues in deploying credentials by this point. Yes, you absolutely can choose whatever you like as the authentication scheme for a single-use account. If my account will only be used with a particularly dynamically registration then I probably can get away with choosing whatever I want as a default authentication and statements like "the only down-side will be limited library availability," will be true. However, a lot of deployments re-use accounts. That is, the deploymentwill allow some form of single sign-on. The same account may be used for an oauth dynamic registration as well as a bunch of other things. Even more of an issue, the backend database of credentials may already exist and may not be defined by this particular application. Digest is absolutely impossible to use if I've got a database of NTLM hashes (read Active Directory) that are my credentials. (In the particular case of AD and digest, you probably have a solution if you are using Microsoft's implementation.) However, if I've got some relational (or nosql) database storing hashes that I've been accumulating as I sign up users for the last few years, I can only use authentication schemes compatible with those hashes. The huge deployment advantage of basic is that if you present me the password, I can match against whatever I have on the backend. I can try various normalizations, try code-page conversions, rehash, whatever. If your client implements scram, and I have NTLM, we're never going to be able to talk. Me implementing scram doesn't help if that's not how I've got credentials stored. Put another way, end protocols like this are not the right place to fight passwords. You transition credential technologies at the deployment level, not at the protocol level. For interoperability in something like this we're likely going to do no better than basic. Anything else from httpauth will fall squarely into the category of MUST BUT WE KNOW YOU WON't for some significant deployments. What I've said above doesn't apply particularly to protocols where the credentials will not be reused. I'd be happy to talk some time about strategies for giving deployments the tools they need to move their credential interface away from passwords, but it does need to be thought of as a deployment issue crossing all the applications and protocols that a set of credentials use. This is the wrong place to fight that battle. --Sam
- [OAUTH-WG] AD review of Draft-ietf-dyn-reg Kathleen Moriarty
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Justin Richer
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Phil Hunt
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Mike Jones
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Justin Richer
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Phil Hunt
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Kathleen Moriarty
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Kathleen Moriarty
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg John Bradley
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Kathleen Moriarty
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Justin Richer
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Hannes Tschofenig
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Hannes Tschofenig
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Sam Hartman
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Kathleen Moriarty
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Kathleen Moriarty
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Mike Jones
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Kathleen Moriarty
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Bill Burke
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Mike Jones
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Kathleen Moriarty
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg John Bradley
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg John Bradley
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Kathleen Moriarty
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Justin Richer
- Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg Kathleen Moriarty