headsup: "passport authentication" from Marc Slemko on 2001-10-25 (ietf-http-wg@w3.org from October to December 2001)

From: Marc Slemko <marcs@znep.com>
Date: Thu, 25 Oct 2001 00:02:36 -0700 (PDT)
To: http-wg@cuckoo.hpl.hp.com
Message-ID: <Pine.BSF.4.20.0110242351540.880-100000@alive.znep.com>

Not really ontopic since it has nothing to do with any HTTP standards, but
in terms of real world behaviour... just a FYI in case people start
seeing odd things as a result of this.

IE6 has a new "passport authentication" scheme built in (same level as
basic, digest, etc.). While IE6 has been around for a while, MS is only
just now (night before XP launch, of course) deploying upgraded passport
servers that use it.

It looks to be somewhat of a perversion of the spec (sure, no matter how they
do it, it isn't "per spec" since the spec doesn't cover such a thing, but
some ways completely violate the whole concept of HTTP more than others),
but that isn't new.

The server sends something like:

WWW-Authenticate: Passport1.4 lc=1033,id=3,ru=http://registernet.passport.com/mobilepin.srf%3Fru%3Dhttp://memberservices.passport.com/memberservice.srf%253Flc%253D1033%26lc%3D1033%26cbid%3D486%26id%3D3%26cb%3D%26lc%3D1033,tw=20,kv=2,ct=1003992089,cb=,cbid=486,ems=1,ver=2.1.0068.1,tpf=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,cbid=486

to request authentication...only it doesn't send it with a 401,
but with a 302, presumably so non-IE6 browsers will ignore it and
get the "normal" login swizzling process.

Then the browser magically figures out to authenticate (built into XP, of
course) and sends a "normal" authorization header:

Authorization: Passport1.4 from-PP='t=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

(identifiers X'ed out)

The odd thing I have seen, is that if I authenticate in one browser
window, then open a second window, I am not always authenticated in the
second browser window. That smells of some really ugly violation of
the concept of how HTTP is "supposed to work".

I'd be quite interested if anyone has any pointers to docs on the
protocol, nothing obvious on MS's site aside from a few references
to it. I certainly agree that nothing out there really satisfies
the most important needs for authentication on the web, but am far from
convinced that this MS attempt adds any value at all.

Anyway, just FYI. God, what an awful ugly massive security hole MS's
passport implementation is. But this isn't the place for that rant...

Received on Thursday, 25 October 2001 08:04:33 UTC