[secdir] SECDIR review of draft-ietf-httpbis-p7-auth-24
Stephen Kent <kent@bbn.com> Tue, 29 October 2013 19:36 UTC
Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8355211E828A for <secdir@ietfa.amsl.com>; Tue, 29 Oct 2013 12:36:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.513
X-Spam-Level:
X-Spam-Status: No, score=-106.513 tagged_above=-999 required=5 tests=[AWL=0.085, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C3PG4J-xCA-M for <secdir@ietfa.amsl.com>; Tue, 29 Oct 2013 12:36:02 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 8869311E8294 for <secdir@ietf.org>; Tue, 29 Oct 2013 12:35:28 -0700 (PDT)
Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:50972) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1VbF48-0007ZX-CI; Tue, 29 Oct 2013 15:35:00 -0400
Message-ID: <52700DE4.8020208@bbn.com>
Date: Tue, 29 Oct 2013 15:35:00 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.0.1
MIME-Version: 1.0
To: secdir <secdir@ietf.org>, fielding@gbiv.com, julian.reschke@greenbytes.de, mnot@pobox.com, Barry Leiba <barryleiba@computer.org>, Pete Resnick <presnick@qti.qualcomm.com>, "Mankin, Allison" <amankin@verisign.com>
Content-Type: multipart/alternative; boundary="------------070100040502030300040200"
Subject: [secdir] SECDIR review of draft-ietf-httpbis-p7-auth-24
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2013 19:36:07 -0000
I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.These comments were written primarily for the benefit of the security area directors.Document editors, WG chairs and ADs should treat these comments just like any other last call comments. The document obsoletes RFC 2616 and updates 2617. It says that it "defines HTTP/1.1 access control and authentication." I have not been tracking httpbis closely enough to know the specific motivations for generating this doc, so my review is unbiased by that context. I see that "ought" is used in two places on page 6, but not in uppercase as per RFC 6919. The authors should revisit the use of this term here. Also on page 6 it appears that the phrase "receipt of" was omitted in two places: Upon *<> *a request for a protected resource that omits credentials Likewise, upon *<>* a request that requires authentication by proxies Later on page 6 the text says: The HTTP protocol does not restrict applications to this simple challenge-response framework for access authentication.Additional mechanisms MAY be used, such as encryption at the transport level or via message encapsulation, and with additional header fields specifying authentication information.However, such additional mechanisms are not defined by this specification. Encryption is not, per se, an authentication mechanism. Please revise this text. In Section 2.2 the text says: The protection space determines the domain over which credentials can be automatically applied.If a prior request has been authorized, the user agent MAY reuse the same credentials for all other requests within that protection space for a period of time determined by the authentication scheme, parameters, and/or user preference. I'm not clear how user preferences fit into this process. It would seem that the server would decide whether a prior authorization is valid for later requests, not a user. The end of Section 2.2 includes the word "might" but not uppercase, as per RFC 6919. I again suggest that the authors reconsider using this term in this context. In Section 4.3, the text says: A proxy MAY relay the credentials from the client request to the next proxy if that is the mechanism by which the proxies cooperatively authenticate a given request. If, as stated here, a set of proxies cooperatively authenticate a request, then isn't this a MUST vs. a MAY? In Section 4.4 the text says: Note: The challenge grammar production uses the list syntax as well.Therefore, a sequence of comma, whitespace, and comma can be considered both as applying to the preceding challenge, or to be an empty entry in the list of challenges.In practice, this ambiguity does not affect the semantics of the header field value Should "both" be "either" in the above text? Does the potentially ambiguous construct ever take on both meanings simultaneously? Section 5.1.2 uses "ought" when discussing definitions for new authentication schemes. See comments above re use of this term.The same section also uses the phrase "need to" twice, where MUST seems appropriate. The Security Considerations section (6) is about one page in length. It references the SC sections in two in I-Ds: draft-ietf-httpbis-p1-messaging-24 and draft-ietf-httpbis-p2-semantics-24. Both of these I-Ds have non-trivial SC sections, but one cannot say that this document has an acceptable SC section until those documents are finalized. They are both normative references, so this doc will nor progress independently, but there will still be a need to revisit this SC when those SCs are finalized. The SC section here addresses only two issues: purging credentials in clients and user agents, and protection spaces. The discussion of the former topic does not discuss how credential purging applies to proxies. Also, it is not clear that a user control for credential purging will have the desired effect given a potentially complex GUI environment. The discussion of protection spaces provides useful suggestions on how to minimize credential exposure. I was a bit surprised that there was no advice deprecating the use of passwords as credentials, if only to make a statement on this topic.
- [secdir] SECDIR review of draft-ietf-httpbis-p7-a… Stephen Kent
- [secdir] RFC2119 vs "ought" etc, was: SECDIR revi… Julian Reschke
- Re: [secdir] SECDIR review of draft-ietf-httpbis-… Julian Reschke
- Re: [secdir] RFC2119 vs "ought" etc, was: SECDIR … Richard Barnes
- Re: [secdir] RFC2119 vs "ought" etc, was: SECDIR … Julian Reschke
- Re: [secdir] RFC2119 vs "ought" etc, was: SECDIR … Stephen Kent
- [secdir] WWW-Authenticate parsing quirks, was: SE… Julian Reschke
- Re: [secdir] SECDIR review of draft-ietf-httpbis-… Stephen Kent
- Re: [secdir] SECDIR review of draft-ietf-httpbis-… Julian Reschke
- Re: [secdir] RFC2119 vs "ought" etc, was: SECDIR … Richard Barnes
- Re: [secdir] RFC2119 vs "ought" etc, was: SECDIR … Barry Leiba
- [secdir] Reuse of credentials per realm, was: SEC… Julian Reschke
- Re: [secdir] Reuse of credentials per realm, was:… Stephen Kent
- Re: [secdir] Reuse of credentials per realm, was:… Julian Reschke
- [secdir] proxies and forwarding of credentials, w… Julian Reschke
- [secdir] additional mechanisms on top of the auth… Julian Reschke
- Re: [secdir] Reuse of credentials per realm, was:… Stephen Kent
- Re: [secdir] additional mechanisms on top of the … Julian Reschke
- Re: [secdir] additional mechanisms on top of the … Nico Williams
- Re: [secdir] proxies and forwarding of credential… Bjoern Hoehrmann
- Re: [secdir] additional mechanisms on top of the … Bjoern Hoehrmann
- Re: [secdir] additional mechanisms on top of the … Bjoern Hoehrmann
- Re: [secdir] additional mechanisms on top of the … Stephen Kent
- Re: [secdir] additional mechanisms on top of the … Julian Reschke
- Re: [secdir] proxies and forwarding of credential… Stephen Kent
- Re: [secdir] proxies and forwarding of credential… Mark Nottingham
- Re: [secdir] additional mechanisms on top of the … Julian Reschke
- Re: [secdir] proxies and forwarding of credential… Stephen Kent