Re: [secdir] SECDIR review of draft-ietf-httpbis-p7-auth-24
Stephen Kent <kent@bbn.com> Wed, 30 October 2013 14:32 UTC
Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EA2121F9ECE for <secdir@ietfa.amsl.com>; Wed, 30 Oct 2013 07:32:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.516
X-Spam-Level:
X-Spam-Status: No, score=-106.516 tagged_above=-999 required=5 tests=[AWL=0.082, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cQHK7Ag6vfg5 for <secdir@ietfa.amsl.com>; Wed, 30 Oct 2013 07:32:52 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id C61A011E830A for <secdir@ietf.org>; Wed, 30 Oct 2013 07:32:38 -0700 (PDT)
Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:51818) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1VbWoo-0004j6-3W; Wed, 30 Oct 2013 10:32:22 -0400
Message-ID: <52711876.1000808@bbn.com>
Date: Wed, 30 Oct 2013 10:32:22 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: Julian Reschke <julian.reschke@gmx.de>, secdir <secdir@ietf.org>, fielding@gbiv.com, mnot@pobox.com, Barry Leiba <barryleiba@computer.org>, Pete Resnick <presnick@qti.qualcomm.com>, "Mankin, Allison" <amankin@verisign.com>, HTTP Working Group <ietf-http-wg@w3.org>
References: <52700DE4.8020208@bbn.com> <52710C5A.9040705@gmx.de>
In-Reply-To: <52710C5A.9040705@gmx.de>
Content-Type: multipart/alternative; boundary="------------080906030704090803020802"
Subject: Re: [secdir] SECDIR review of draft-ietf-httpbis-p7-auth-24
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Oct 2013 14:32:59 -0000
On 10/30/13 9:40 AM, Julian Reschke wrote:
> Stephen,
>
> On 2013-10-29 20:35, Stephen Kent wrote:
>> ...
>> The Security Considerations section (6) is about one page in length. It
>> references the SC sections in two in I-Ds:
>> draft-ietf-httpbis-p1-messaging-24 and
>> draft-ietf-httpbis-p2-semantics-24. Both of these I-Ds have non-trivial
>> SC sections, but one cannot say that this document has an acceptable SC
>> section until those documents are finalized. They are both normative
>> references, so this doc will nor progress independently, but there will
>> still be a need to revisit this SC when those SCs are finalized.
>
> These two other documents are in IETF LC as well.
OK. Then I suggest that whoever reviews them (hopefully not me) do so with
the SC section for this I-D in mind.
>
>> The SC section here addresses only two issues: purging credentials in
>> clients and user agents, and protection spaces. The discussion of the
>> former topic does not discuss how credential purging applies to proxies.
>
> As per httpbis-p1, a proxy is a client as well ('An HTTP "client" is a
> program that establishes a connection to a server for the purpose of
> sending one or more HTTP requests.' --
> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-24.html#rfc.section.2.1>).
> Does this address your comment?
yes, but it might be clearer to note this, parenthetically, in this doc.
For example, page 5 includes the following text:
The 407 (Proxy Authentication Required) response message is used by a
proxy to challenge the authorization of a client and MUST include a
Proxy-Authenticate header field containing at least one challenge
applicable to the proxy for the requested resource.
The use of the terms "proxy" and "client" here suggest that they are
distinct notions,
not that a proxy is also considered a client.
>
>> Also, it is not clear that a user control for credential purging will
>> have the desired effect given a potentially complex GUI environment. The
>
> Any proposal for enhancing the text?
User agents that cache credentials are encouraged to provide a
readily accessible mechanism for discarding cached credentials under
user control. *We recognize that this may not be a trivial task.**
** Designing a UI that will encourage users to purge credentials when**
** appropriate, but not cause them to prematurely do so may be difficult.*
>
>> discussion of protection spaces provides useful suggestions on how to
>> minimize credential exposure.
>>
>> I was a bit surprised that there was no advice deprecating the use of
>> passwords as credentials, if only to make a statement on this topic.
>
> This document just defines the HTTP authentication framework. It's not
> intended to give general guidelines about the security of new
> authentication schemes. But then, if you have some concrete proposal
> for additional text, we're all ears.
This doc does provide guidance for new auth schemes, in 5.1.2. However,
I agree that the guidance
there focuses on syntactic issues and compatibility, rather than
security. So, if you don't want
to address this issue, OK.
Steve
- [secdir] SECDIR review of draft-ietf-httpbis-p7-a… Stephen Kent
- [secdir] RFC2119 vs "ought" etc, was: SECDIR revi… Julian Reschke
- Re: [secdir] SECDIR review of draft-ietf-httpbis-… Julian Reschke
- Re: [secdir] RFC2119 vs "ought" etc, was: SECDIR … Richard Barnes
- Re: [secdir] RFC2119 vs "ought" etc, was: SECDIR … Julian Reschke
- Re: [secdir] RFC2119 vs "ought" etc, was: SECDIR … Stephen Kent
- [secdir] WWW-Authenticate parsing quirks, was: SE… Julian Reschke
- Re: [secdir] SECDIR review of draft-ietf-httpbis-… Stephen Kent
- Re: [secdir] SECDIR review of draft-ietf-httpbis-… Julian Reschke
- Re: [secdir] RFC2119 vs "ought" etc, was: SECDIR … Richard Barnes
- Re: [secdir] RFC2119 vs "ought" etc, was: SECDIR … Barry Leiba
- [secdir] Reuse of credentials per realm, was: SEC… Julian Reschke
- Re: [secdir] Reuse of credentials per realm, was:… Stephen Kent
- Re: [secdir] Reuse of credentials per realm, was:… Julian Reschke
- [secdir] proxies and forwarding of credentials, w… Julian Reschke
- [secdir] additional mechanisms on top of the auth… Julian Reschke
- Re: [secdir] Reuse of credentials per realm, was:… Stephen Kent
- Re: [secdir] additional mechanisms on top of the … Julian Reschke
- Re: [secdir] additional mechanisms on top of the … Nico Williams
- Re: [secdir] proxies and forwarding of credential… Bjoern Hoehrmann
- Re: [secdir] additional mechanisms on top of the … Bjoern Hoehrmann
- Re: [secdir] additional mechanisms on top of the … Bjoern Hoehrmann
- Re: [secdir] additional mechanisms on top of the … Stephen Kent
- Re: [secdir] additional mechanisms on top of the … Julian Reschke
- Re: [secdir] proxies and forwarding of credential… Stephen Kent
- Re: [secdir] proxies and forwarding of credential… Mark Nottingham
- Re: [secdir] additional mechanisms on top of the … Julian Reschke
- Re: [secdir] proxies and forwarding of credential… Stephen Kent