Re: [websec] [saag] [http-auth] re-call for IETF http-auth BoF
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 14 June 2011 16:36 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99A0011E807F; Tue, 14 Jun 2011 09:36:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.001
X-Spam-Level:
X-Spam-Status: No, score=-103.001 tagged_above=-999 required=5 tests=[AWL=0.402, BAYES_00=-2.599, J_CHICKENPOX_14=0.6, J_CHICKENPOX_17=0.6, J_CHICKENPOX_44=0.6, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9r4JtXOoA-DW; Tue, 14 Jun 2011 09:36:45 -0700 (PDT)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [134.226.32.56]) by ietfa.amsl.com (Postfix) with ESMTP id 09E7E9E802E; Tue, 14 Jun 2011 09:36:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 6CE0B171C03; Tue, 14 Jun 2011 17:36:23 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h=date :subject:from:x-mailer:message-id:content-type :content-transfer-encoding:mime-version:in-reply-to:references :received:received:x-virus-scanned; s=cs; t=1308069382; bh=kqIm4 jHDs81NEcSSm4exH0reLW/jZ4nKCmvRSO3SNic=; b=Pw88SLOl1pzIHAWmCqRdJ AwQpCYzBatNawyjEo3KQaeO0cnEU2awaeyjQ0Mo6QZtM6z3aku0jx+auVkdnh6vh hVsNwNrMu5hogIRQTEfqk9br182gkrraCrFSqcTMFrH0sdSOme8lPewQvoARxVNV 8ifVOn6UcZ9WXwnjdwOwm+XTGLoBUwXAs/LWRqhVtpqK0oXPqY8vqW+WtOyztZqh BBOeOesHEQ18oVtiOynZGHQLQiphYHmO0t6tqpoQErYwuPItdbYm2X+pWaFeSwOP 0Vbg4xNUJ8wzIkYyJ1ly1hXPBCbh7SsT4BE30qC61JIMcUkIAjt2pJG2U5W6VPu0 g==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id Rxrh5psMVZHL; Tue, 14 Jun 2011 17:36:22 +0100 (IST)
Received: from [10.52.30.188] (mobileinternet4.o2.ie [62.40.32.14]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 39620171C02; Tue, 14 Jun 2011 17:36:20 +0100 (IST)
References: <BANLkTi=9TZU=pguCGhLHY+=GbCNjR6w-dA@mail.gmail.com> <E1QWLjG-0007nd-EG@login01.fos.auckland.ac.nz> <BANLkTimT=_qyi5vNoe0tqw8od6mWsjfuzA@mail.gmail.com>
In-Reply-To: <BANLkTimT=_qyi5vNoe0tqw8od6mWsjfuzA@mail.gmail.com>
Mime-Version: 1.0 (iPhone Mail 8H7)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="us-ascii"
Message-Id: <BE534F2C-926F-4B57-A1A0-93A443AE877E@cs.tcd.ie>
X-Mailer: iPhone Mail (8H7)
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Tue, 14 Jun 2011 17:36:14 +0100
To: Nico Williams <nico@cryptonector.com>
Cc: "public-identity@w3.org" <public-identity@w3.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "websec@ietf.org" <websec@ietf.org>, "saag@ietf.org" <saag@ietf.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Subject: Re: [websec] [saag] [http-auth] re-call for IETF http-auth BoF
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jun 2011 16:36:52 -0000
This is about http auth (and I'm glad to see the discussion) but can we keep it to just that list? Ta. S On 14 Jun 2011, at 17:17, Nico Williams <nico@cryptonector.com> wrote: > On Mon, Jun 13, 2011 at 11:59 PM, Peter Gutmann > <pgut001@cs.auckland.ac.nz> wrote: >> Phillip Hallam-Baker <hallam@gmail.com> writes: >>> what would we want HTTP authentication to look like? >> >> I have a suggestion for what it shouldn't look like: Any method that hands >> over the password (or a password-equivalent like a password in hashed form) as >> current browsers do should be banned outright, and anyone who implements >> hand-over-the-password should killed and eaten to prevent them from passing on >> the genes. > > +1. > >> The only permitted auth.form should be a dynamic, cryptographic mutual auth. >> that authenticates both the client and the server. There are endless designs >> for this sort of thing around so the precise form isn't too important, as long >> as it's not hand-over-the-password. > > +1, particularly with regard to mutual authentication. It's important > to understand that we need mutual authentication using something other > than the TLS server cert PKI for authenticating the server. > > Some aspects of the designs are important. > > For example: > > - Is this to be done in TLS? HTTP? Or at the application-layer? > > IMO: TLS is too low a layer to do authentication in, and doing it in > HTTP would require retrofitting too many HTTP stacks. Doing it at the > application layer has a number of advantages. > > - Shall we have just one authentication mechanism? > > IMO: We can't pick a universal authentication mechanism that will work > for everyone, but if it helps get momentum I'd be happy to specify > something where we start with one mechanism but nothing prevents us > from adding others later. > > Here's an example showing how to use SCRAM (a successor to DIGEST-MD5, > thus not terribly interesting, but pretend for a second that this is a > ZKPP) at the application layer and in a RESTful way: > > C->S: HTTP/1.1 POST /rest-gss-login > Host: A.example > Content-Type: application/rest-gss-login > Content-Length: nnn > > SCRAM-SHA-1,,MIC > n,,n=user,r=fyko+d2lbbFgONRv9qkxdawL > > S->C: HTTP/1.1 201 > Location http://A.example/rest-gss-session-9d0af5f680d4ff46 > Content-Type: application/rest-gss-login > Content-Length: nnn > > C > r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j, > s=QSXCR+Q6sek8bf92,i=4096 > > C->S: HTTP/1.1 POST /rest-gss-session-9d0af5f680d4ff46 > Host: A.example > Content-Type: application/rest-gss-login > Content-Length: nnn > > c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j, > p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts= > > S->C: HTTP/1.1 200 > Content-Type: application/rest-gss-login > Content-Length: nnn > > A > v=rmF9pqV8S7suAoZWja4dJRkFsKQ= > > > Does that work for you? > > Nico > -- > _______________________________________________ > websec mailing list > websec@ietf.org > https://www.ietf.org/mailman/listinfo/websec
- [websec] re-call for IETF http-auth BoF Yutaka OIWA
- Re: [websec] re-call for IETF http-auth BoF Harry Halpin
- Re: [websec] re-call for IETF http-auth BoF Yutaka OIWA
- Re: [websec] [http-auth] re-call for IETF http-au… Julian Reschke
- Re: [websec] [http-auth] re-call for IETF http-au… Phillip Hallam-Baker
- Re: [websec] [http-auth] re-call for IETF http-au… Alexey Melnikov
- Re: [websec] [saag] [http-auth] re-call for IETF … Peter Gutmann
- Re: [websec] [saag] [http-auth] re-call for IETF … Nico Williams
- Re: [websec] [saag] [http-auth] re-call for IETF … Stephen Farrell
- Re: [websec] [saag] [http-auth] re-call for IETF … KIHARA, Boku
- [websec] Fwd: [saag] [http-auth] re-call for IETF… KIHARA, Boku
- Re: [websec] Fwd: [saag] [http-auth] re-call for … Thomas Roessler
- Re: [websec] [saag] [http-auth] re-call for IETF … Yutaka OIWA
- Re: [websec] [saag] Fwd: [http-auth] re-call for … SHIMIZU, Kazuki
- Re: [websec] [saag] Fwd: [http-auth] re-call for … Yutaka OIWA
- Re: [websec] [http-auth] [saag] Fwd: re-call for … Yutaka OIWA
- Re: [websec] [saag] Fwd: [http-auth] re-call for … Marsh Ray
- Re: [websec] [saag] [http-auth] re-call for IETF … Thomas Fossati
- Re: [websec] [saag] [http-auth] re-call for IETF … Phillip Hallam-Baker