IETF Logo Mail Archive

[websec] Fwd: [saag] [http-auth] re-call for IETF http-auth BoF

"KIHARA, Boku" <bkihara.l@gmail.com> Wed, 15 June 2011 13:42 UTC

Return-Path: <bkihara.l@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1DA311E8149; Wed, 15 Jun 2011 06:42:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.999
X-Spam-Level:
X-Spam-Status: No, score=-2.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_44=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IJ4rgJIDej6Q; Wed, 15 Jun 2011 06:42:08 -0700 (PDT)
Received: from mail-pv0-f172.google.com (mail-pv0-f172.google.com [74.125.83.172]) by ietfa.amsl.com (Postfix) with ESMTP id 0DA2E11E8126; Wed, 15 Jun 2011 06:42:08 -0700 (PDT)
Received: by pvh18 with SMTP id 18so328974pvh.31 for <multiple recipients>; Wed, 15 Jun 2011 06:42:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=EcJ17BR2lt3kRBLXsf2Q1auz6i3BQSHDKkxW5H1XMDI=; b=jKIexr+LBGmM7+AE6WF901awmITrRutLH/oeeKcoIqEiERN7etShI3SEemdv/nzKUk uW1WoogBOZN811CuumN2ltLznpkZ+iJBshpSWEiq61Q8GzjloGNm2cbPYk5CaameJdEn yMnTcDan9YO2jlDo82+Vs9v87rTsY7T2OUcnQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=DEcpfC8RnCItC4zwi8LUnSmhKkXyn9J5tPMfHkWaRO2Frw/Sau9UsvK3POfMjhjtZF i2wxR2PoT9N/NAqffA4rJE7NLMtTYn9nk8ChGhrgbFrnvZ0tGnoxQ/9Q69TGDFHWxsWo RnTo2QyzzlMgF1BfWT7FgrxVdM4qB4wuEubao=
MIME-Version: 1.0
Received: by 10.142.226.15 with SMTP id y15mr100697wfg.232.1308145326248; Wed, 15 Jun 2011 06:42:06 -0700 (PDT)
Received: by 10.142.50.6 with HTTP; Wed, 15 Jun 2011 06:42:06 -0700 (PDT)
In-Reply-To: <trg0YszL9F4Q.471l1SVV@smtp.o2.co.uk>
References: <trg0YszL9F4Q.471l1SVV@smtp.o2.co.uk>
Date: Wed, 15 Jun 2011 22:42:06 +0900
Message-ID: <BANLkTi=seeFm0F0TFoA9__uERg_F1L37Tg@mail.gmail.com>
From: "KIHARA, Boku" <bkihara.l@gmail.com>
To: http-auth@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: public-identity-request@w3.org, websec@ietf.org, saag@ietf.org
Subject: [websec] Fwd: [saag] [http-auth] re-call for IETF http-auth BoF
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2011 13:42:08 -0000

Missing Ccs? Forwarding:

---------- Forwarded message ----------
From: David S. Misell MBCS CISSP <07710380044@o2.co.uk>
Date: 2011/6/15
Subject: RE: [saag] [websec] [http-auth] re-call for IETF http-auth BoF
To: "KIHARA, Boku" <bkihara.l@gmail.com>


One time passwords should still be OK for poor auth methods, There is
a series of SecurID based RFCs
Kind Regards
dave

-original message-
Subject: Re: [saag] [websec] [http-auth] re-call for IETF http-auth BoF
From: "KIHARA, Boku" <bkihara.l@gmail.com>
Date: 15/06/2011 10:45 am

2011/6/14 Peter Gutmann <pgut001@cs.auckland.ac.nz>:
> Phillip Hallam-Baker <hallam@gmail.com> writes:
>
>>what would we want HTTP authentication to look like?
>
> I have a suggestion for what it shouldn't look like: Any method that hands
> over the password (or a password-equivalent like a password in hashed form) as
> current browsers do should be banned outright, and anyone who implements
> hand-over-the-password should killed and eaten to prevent them from passing on
> the genes.

+1.

To make the goal clear, let's list what kind of authentication methods
should be avoided. One item is methods that hand over passwords,
mentioned by Peter. Let me add methods whose UI can be imitated and
the result can be forged by malicious sites. Like a padlock icon that
insists the session is secured by TLS inside content area, Is a _secure_
authentication method inside content area truly reliable?

* a method that hands over a password (or a password-equivalent)
* a method whose UI can be imitated by malicious sites.

Of course there might be more items, please append.

# Peter, sorry for missing Ccs.

--
KIHARA, Boku

2011/6/14 Peter Gutmann <pgut001@cs.auckland.ac.nz>:
> Phillip Hallam-Baker <hallam@gmail.com> writes:
>
>>what would we want HTTP authentication to look like?
>
> I have a suggestion for what it shouldn't look like: Any method that hands
> over the password (or a password-equivalent like a password in hashed form) as
> current browsers do should be banned outright, and anyone who implements
> hand-over-the-password should killed and eaten to prevent them from passing on
> the genes.
>
> The only permitted auth.form should be a dynamic, cryptographic mutual auth.
> that authenticates both the client and the server.  There are endless designs
> for this sort of thing around so the precise form isn't too important, as long
> as it's not hand-over-the-password.
>
> Peter.
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag

v2.39.1 | Report a Bug | By Email | System Status