[secdir] secdir review of draft-ietf-httpbis-auth-info-04

Catherine Meadows <catherine.meadows@nrl.navy.mil> Mon, 06 April 2015 20:35 UTC

From: Catherine Meadows <catherine.meadows@nrl.navy.mil>
Date: Mon, 06 Apr 2015 16:35:03 -0400
Message-Id: <276CBF09-D56C-4DFB-BCBC-D455BE33550F@nrl.navy.mil>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-httpbis-auth-info.all@tools.ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/0JHqIkReZTQHM6ULZLVqHQ8dQSQ>

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.


This draft defines the “Authentication-Info” and “Proxy-Authentication-Info” response header fields for use in HTTP authentication.
These are used for schemes that need to return information once a client’s authentication credentials have been accepted.
The document defines the syntax, and gives instructions on how it should be treated (e.g. proxies forwarding a response are
not allowed to modify it).  The actual semantics of the fields depend upon the protocols that use them.

In the Security Considerations section, the authors note that adding information to HTTP responses sent across an unencrypted
channel can affect security and privacy.  Indeed, the presence of these header fields alone indicates that HTTP authentication is in use.  Additional information
could be exposed depending on the authentication scheme; but this is something that will need to be addressed in the definition of the schemes.

I only have one small question about the Security Considerations section: wouldn’t there be other headers that indicate authentication is being used, such
as a header indicating that a message contains the client’s credentials?  If so, I don’t see how the introduction of an additional header field adds any further risk.


I believe that this ID is ready with nits.

Cathy

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil