Re: [websec] [saag] [http-auth] re-call for IETF http-auth BoF
Thomas Fossati <tho@koanlogic.com> Sat, 25 June 2011 08:59 UTC
Return-Path: <tho@koanlogic.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3981621F853F; Sat, 25 Jun 2011 01:59:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.505
X-Spam-Level: *
X-Spam-Status: No, score=1.505 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, IP_NOT_FRIENDLY=0.334, RDNS_NONE=0.1, SARE_RECV_IP_069060096=1.666]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LEo9iwBsfL0x; Sat, 25 Jun 2011 01:59:55 -0700 (PDT)
Received: from gonzo.koanlogic.com (unknown [69.60.118.166]) by ietfa.amsl.com (Postfix) with ESMTP id 2D45921F853D; Sat, 25 Jun 2011 01:59:55 -0700 (PDT)
Received: from host247-5-dynamic.32-79-r.retail.telecomitalia.it ([79.32.5.247]:56588 helo=[192.168.1.5]) by sp2844.serverpronto.com with esmtpsa (TLS-1.0:RSA_AES_128_CBC_SHA:16) (Exim 4.50) id 1QaOiL-0005v9-55; Sat, 25 Jun 2011 04:59:47 -0400
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Thomas Fossati <tho@koanlogic.com>
In-Reply-To: <BANLkTimT=_qyi5vNoe0tqw8od6mWsjfuzA@mail.gmail.com>
Date: Sat, 25 Jun 2011 10:59:07 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <63B45E28-8167-4820-B7BC-9D02E61D88FE@koanlogic.com>
References: <BANLkTi=9TZU=pguCGhLHY+=GbCNjR6w-dA@mail.gmail.com> <E1QWLjG-0007nd-EG@login01.fos.auckland.ac.nz> <BANLkTimT=_qyi5vNoe0tqw8od6mWsjfuzA@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
X-Mailer: Apple Mail (2.1084)
X-SA-Exim-Connect-IP: 79.32.5.247
X-SA-Exim-Mail-From: tho@koanlogic.com
X-Spam-DCC: :
X-Spam-Pyzor: Reported 0 times.
X-SA-Exim-Version: 4.2 (built Thu, 03 Mar 2005 10:44:12 +0100)
X-SA-Exim-Scanned: Yes (on sp2844.serverpronto.com)
Cc: public-identity@w3.org, http-auth@ietf.org, websec <websec@ietf.org>, saag@ietf.org, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Subject: Re: [websec] [saag] [http-auth] re-call for IETF http-auth BoF
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Jun 2011 08:59:56 -0000
On Jun 14, 2011, at 6:17 PM, Nico Williams wrote: > Some aspects of the designs are important. > > For example: > > - Is this to be done in TLS? HTTP? Or at the application-layer? > > IMO: TLS is too low a layer to do authentication in, and doing it in > HTTP would require retrofitting too many HTTP stacks. Doing it at the > application layer has a number of advantages. I've tried to figure out how to get something similar to your REST GSS -- which I like -- at the HTTP level and, yes, you need to hammer HTTP clients a bit to teach them how to do the challange-response on a specially crafted cookie, but then it seems you can switch from stateless to stateful HTTP (and viceversa) quite robustly. Still there's the related bootstrap problem to solve, i.e. the authentication phase and implied key agreement. In this respect I've only been able to sketch a TLS-based mechanism, with a) explicit HTTP redirection, or b) a-priori knowledge of the authentication URI via .well-known or DNS-SD, which then uses RFC 5705 to feed both parties with the needed crypto material. Anyway, I still have hazy thoughts about the whole matter, basically from an architectural standpoint, i.e. about where (which layer) the secure state management component must be placed. My unanswered (taboo?) question being: would the core HTTP protocol benefit from introducing secure state handling capabilities ? Or should HTTP remain stateless ?
- [websec] re-call for IETF http-auth BoF Yutaka OIWA
- Re: [websec] re-call for IETF http-auth BoF Harry Halpin
- Re: [websec] re-call for IETF http-auth BoF Yutaka OIWA
- Re: [websec] [http-auth] re-call for IETF http-au… Julian Reschke
- Re: [websec] [http-auth] re-call for IETF http-au… Phillip Hallam-Baker
- Re: [websec] [http-auth] re-call for IETF http-au… Alexey Melnikov
- Re: [websec] [saag] [http-auth] re-call for IETF … Peter Gutmann
- Re: [websec] [saag] [http-auth] re-call for IETF … Nico Williams
- Re: [websec] [saag] [http-auth] re-call for IETF … Stephen Farrell
- Re: [websec] [saag] [http-auth] re-call for IETF … KIHARA, Boku
- [websec] Fwd: [saag] [http-auth] re-call for IETF… KIHARA, Boku
- Re: [websec] Fwd: [saag] [http-auth] re-call for … Thomas Roessler
- Re: [websec] [saag] [http-auth] re-call for IETF … Yutaka OIWA
- Re: [websec] [saag] Fwd: [http-auth] re-call for … SHIMIZU, Kazuki
- Re: [websec] [saag] Fwd: [http-auth] re-call for … Yutaka OIWA
- Re: [websec] [http-auth] [saag] Fwd: re-call for … Yutaka OIWA
- Re: [websec] [saag] Fwd: [http-auth] re-call for … Marsh Ray
- Re: [websec] [saag] [http-auth] re-call for IETF … Thomas Fossati
- Re: [websec] [saag] [http-auth] re-call for IETF … Phillip Hallam-Baker