IETF Logo Mail Archive

Re: [websec] [http-auth] re-call for IETF http-auth BoF

Phillip Hallam-Baker <hallam@gmail.com> Sat, 11 June 2011 21:53 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8F341F0C40; Sat, 11 Jun 2011 14:53:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1pW7mU7V+kSW; Sat, 11 Jun 2011 14:53:41 -0700 (PDT)
Received: from mail-yi0-f44.google.com (mail-yi0-f44.google.com [209.85.218.44]) by ietfa.amsl.com (Postfix) with ESMTP id B6EB01F0C35; Sat, 11 Jun 2011 14:53:40 -0700 (PDT)
Received: by yie30 with SMTP id 30so413350yie.31 for <multiple recipients>; Sat, 11 Jun 2011 14:53:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=sTcMNjiVKkU/azl26PIFGJu8Ro8VurX61Rg3uGhteJ8=; b=glzyuoJhrjGEsOucx0emvU7qiTPG9yw0hyuAi1HCHOWU7T4QJFMM8+o/PEWLZEw5wD Ax1PlXoqCIJCdyUc8IZfk4vpSTR8e0qOR6/aMVvjs4tlQ9XvUNwIN21ExGq1GVY75FVz mDABJgPXvTQ5HC6777gAUV5w0fcvM83ykB1pA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=PWov+qw1DeoBnaQNwyBInUDhhSrt1n+t63p/HTNWd1oQlhhAN9rJ6Agz9gD8OHuUx4 Fq+VCMNAzXkwpyWuLVntsnvP4FDTamlM3QHtFL12HaF9/PRa1y51Qdw8u8329f5WCT10 Jwlu0ulwOj3qHxAavi1pq4kpGDqI7/ysl9V7o=
MIME-Version: 1.0
Received: by 10.101.52.7 with SMTP id e7mr3462730ank.85.1307829218554; Sat, 11 Jun 2011 14:53:38 -0700 (PDT)
Received: by 10.100.41.5 with HTTP; Sat, 11 Jun 2011 14:53:38 -0700 (PDT)
In-Reply-To: <4DF0DB72.9090601@gmx.de>
References: <878vtgfbs1.fsf@bluewind.rcis.aist.go.jp> <87hb7zdqjo.fsf@bluewind.rcis.aist.go.jp> <4DF0DB72.9090601@gmx.de>
Date: Sat, 11 Jun 2011 17:53:38 -0400
Message-ID: <BANLkTi=9TZU=pguCGhLHY+=GbCNjR6w-dA@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Content-Type: multipart/alternative; boundary="001636ed7313ffb37304a576b79c"
Cc: public-identity@w3.org, websec@ietf.org, http-auth@ietf.org, saag@ietf.org, Sean Turner <turners@ieca.com>
Subject: Re: [websec] [http-auth] re-call for IETF http-auth BoF
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jun 2011 21:53:42 -0000

I have a different proposal. Lets take the high value authentication use
cases out of the browser completely.

Back in 1993 when Digest was designed, a Web browser could be written in
about ten thousand lines of code. Today a modern browser has a code
footprint that is larger than the memory plus pagefile of machine I used to
work on at CERN.

The modern browser is contaminated with plugins and active code. The worst
disservice that Netscape did to the Web was when they added Javascript to
Navigator unilaterally. Once a program conflates code and data it is never
going to be possible to make it secure.


The alternative would be to have a mini-browser whose sole purpose was to be
used to confirm high value transactions. This could be on the same machine
as the browser or a totally different machine such as a mobile phone.

If we start small with an application whose sole purpose is security we have
a good chance of getting some secure implementations.

This type of approach is not going to be acceptable for every possible
application or for every user. But the same is true of smart-cards, tokens
and the like.


So imagine that we had such a capability (I have a draft, I am just working
on getting preliminary feedback), what would we want HTTP authentication to
look like?

At that point what I would want most from the browser is to be able to
authenticate the browser and the machine it is running on in a manner that
is secure and robust. Cookies try to do this but again the implementation
was shoddy.

Where I think this conversation tends to go off the rails is when people get
the idea that the problem is the lack of an authentication protocol or an
authentication framework API. We have both of them, we have cartloads of
both of them.

The other point where I think the conversation went into a dead end was five
years ago when people started to sniff out the possibility of a something
that turned out to be Facebook. All those people who were wittering on about
'Identity' were not trying to solve the problem of how users authenticate or
manage attributes they were trying to solve the problem of how they could
win the spot in the industry that Facebook now occupies.


The missing like here in my view is the account identifier and the mechanism
by which it is mapped to a service.

The market has already decided that the federated account identifier for
Internet login will look like an email address. So Alice is going to be
something like alice@example.com.


The problem with the current authentication infrastructure is that Alice now
has hundreds of accounts under that account name being maintained all over
the Web and example.com really has no control over how they are used.

One side effect of that lack of control is the type of idiocy I encountered
trying to report a bug in Visual Studio yesterday. First I had to register
to create a Windows Live ID. Which was irritating since I already have
registered several products with Microsoft. But never mind. So I register
for that and then I am told that I have to register my Windows Live account
again and verify my email a second time. Plus give all the same personal
details again.

Now the reason that Microsoft ended up in that situation is quite easy to
see. They have a bunch of divisions run as silos and one does not exchange
information with another. But they do have management degrees coming down
from the top telling one division to use another's dog food.

If my hallam@gmail.com accounts were all managed by gmail.com there would be
no need for any callback mechanism whatsoever. Nor would there have been any
need for the Windows Live account or the crazy register then register all
over again.


If we could accept the simple idea that use of an authentication account
should work the exact same way as use of an email account, this type of
problem can be eliminated.

You don't expect to be able to use gmail.com for email unless gmail.com has
a Web server. So why do people try to write protocols that are designed to
allow people to use gmail.com for authentication when gmail.com is not
involved in the running of the authentication service in question?

v2.39.1 | Report a Bug | By Email | System Status