Re: [websec] [saag] [http-auth] re-call for IETF http-auth BoF
"KIHARA, Boku" <bkihara.l@gmail.com> Wed, 15 June 2011 09:44 UTC
Date: Wed, 15 Jun 2011 18:44:37 +0900
Message-ID: <BANLkTikQ_FHo3_A8fNSDzzGk_puQwDKzTA@mail.gmail.com>
From: "KIHARA, Boku" <bkihara.l@gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, http-auth@ietf.org
Cc: public-identity@w3.org, websec@ietf.org, saag@ietf.org
2011/6/14 Peter Gutmann <pgut001@cs.auckland.ac.nz>:
> Phillip Hallam-Baker <hallam@gmail.com> writes:
>
>> what would we want HTTP authentication to look like?
>
> I have a suggestion for what it shouldn't look like: Any method that hands
> over the password (or a password-equivalent like a password in hashed form) as
> current browsers do should be banned outright, and anyone who implements
> hand-over-the-password should be killed and eaten to prevent them from passing on
> the genes.

+1.

To make the goal clear, let's list what kind of authentication methods should
be avoided. One item is methods that hand over passwords, mentioned by Peter.
Let me add methods whose UI can be imitated and the result can be forged by
malicious sites. Like a padlock icon that insists the session is secured by TLS
inside the content area, is a _secure_ authentication method inside the content
area truly reliable?

* a method that hands over a password (or a password-equivalent)
* a method whose UI can be imitated by malicious sites.

Of course there might be more items, please append.

# Peter, sorry for missing Ccs.

--
KIHARA, Boku

2011/6/14 Peter Gutmann <pgut001@cs.auckland.ac.nz>:
> Phillip Hallam-Baker <hallam@gmail.com> writes:
>
>> what would we want HTTP authentication to look like?
>
> I have a suggestion for what it shouldn't look like: Any method that hands
> over the password (or a password-equivalent like a password in hashed form) as
> current browsers do should be banned outright, and anyone who implements
> hand-over-the-password should be killed and eaten to prevent them from passing on
> the genes.
>
> The only permitted auth.form should be a dynamic, cryptographic mutual auth.
> that authenticates both the client and the server. There are endless designs
> for this sort of thing around so the precise form isn't too important, as long
> as it's not hand-over-the-password.
>
> Peter.
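As an added illustration of the distinction this message draws (example code, not from the thread or any of its participants), the Python below shows three things: what "handing over the password" looks like on the wire for HTTP Basic; why a client-side hash of the password is password-equivalent (the server's comparison makes the hash itself the credential, so a captured header satisfies the check forever); and a simplified mutual challenge-response in which neither side ever sends the password or the derived key, and the client refuses a server that cannot prove possession of it, which is also what stops a site imitating the login UI from completing the exchange. The realm, user name and password are constructed values, and the HMAC construction is a generic sketch, not any specific proposal discussed on the list.

```python
import base64
import hashlib
import hmac
import secrets

REALM = "example.test"  # constructed realm, not taken from the thread


# --- 1. HTTP Basic: the password itself is handed over in the request header.
def basic_authorization(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_from_basic(header: str) -> tuple[str, str]:
    """Whoever sees the header (an imitating site, a TLS-stripping proxy, a
    request log) gets the password back unchanged."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password


# --- 2. "Hashed" password: the hash is now the credential, so it is password-equivalent.
def hashed_authorization(user: str, password: str) -> str:
    return f"Hashed {user}:{hashlib.sha256(password.encode()).hexdigest()}"


def server_accepts_hashed(stored_hash: str, header: str) -> bool:
    # The server compares what it stores with what was sent, so a captured header
    # passes this check indefinitely without the password ever being known.
    sent_hash = header.split(":", 1)[1]
    return hmac.compare_digest(stored_hash, sent_hash)


# --- 3. Mutual challenge-response: the password and derived key never leave
# either party; each side proves possession over both nonces, and the client
# checks the server's proof before treating the session as authenticated.
def derive_key(user: str, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), f"{REALM}:{user}".encode(), 100_000)


def proof(key: bytes, label: bytes, s_nonce: bytes, c_nonce: bytes) -> bytes:
    return hmac.new(key, label + s_nonce + c_nonce, hashlib.sha256).digest()


class Server:
    """Holds derived keys; an empty key table models an imitating site that has no secret."""

    def __init__(self, keys: dict[str, bytes]):
        self.keys = keys

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify_client(self, user: str, s_nonce: bytes, c_nonce: bytes, client_proof: bytes):
        key = self.keys.get(user)
        if key is None:
            return None  # cannot verify the client, and cannot produce a server proof either
        if not hmac.compare_digest(proof(key, b"client", s_nonce, c_nonce), client_proof):
            return None
        return proof(key, b"server", s_nonce, c_nonce)


class Client:
    def __init__(self, user: str, password: str):
        self.user = user
        self.key = derive_key(user, password)

    def respond(self, s_nonce: bytes) -> tuple[bytes, bytes]:
        c_nonce = secrets.token_bytes(16)
        return c_nonce, proof(self.key, b"client", s_nonce, c_nonce)

    def verify_server(self, s_nonce: bytes, c_nonce: bytes, server_proof) -> bool:
        if server_proof is None:
            return False
        return hmac.compare_digest(proof(self.key, b"server", s_nonce, c_nonce), server_proof)


def run_exchange(client: Client, server: Server) -> tuple[bool, bool, bytes]:
    """Returns (client accepted server, server accepted client, bytes seen on the wire)."""
    s_nonce = server.challenge()
    c_nonce, client_proof = client.respond(s_nonce)
    server_proof = server.verify_client(client.user, s_nonce, c_nonce, client_proof)
    wire = s_nonce + c_nonce + client_proof + (server_proof or b"")
    return client.verify_server(s_nonce, c_nonce, server_proof), server_proof is not None, wire


if __name__ == "__main__":
    honest = Server({"alice": derive_key("alice", "s3cret")})
    print(run_exchange(Client("alice", "s3cret"), honest)[:2])   # honest server: (True, True)
    print(run_exchange(Client("alice", "s3cret"), Server({}))[:2])  # imitating site: (False, False)
```

One caveat on the sketch: because the client's proof is an HMAC under a key derived from a low-entropy password, a server without the secret can still collect proofs and test password guesses offline. The dynamic mutual-authentication designs Peter refers to close that gap with password-authenticated key exchange, which this example deliberately does not implement.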