W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2009

Re: HTTP Mutual-auth proposal status / HTTP AUTH meet-up in Anaheim?

From: Anthony Bryan <anthonybryan@gmail.com>
Date: Thu, 24 Dec 2009 15:47:51 -0500
Message-ID: <bb9e09ee0912241247g7924305kc5098909eb92f4d1@mail.gmail.com>
To: y.oiwa@aist.go.jp
Cc: apps-discuss@ietf.org, ietf-http-wg@w3.org
On Thu, Dec 24, 2009 at 6:28 AM, Yutaka OIWA <y.oiwa@aist.go.jp> wrote:
> Our proposed draft spec is available from
>   <http://tools.ietf.org/html/draft-oiwa-http-mutualauth-05>.
> We put a preprint paper on our concept at ArXiv
>   <http://arxiv.org/abs/0911.5230>,
> and a presentation in a past httpbis WG is also available from
>   <http://tools.ietf.org/agenda/74/slides/httpbis-3.pdf>,
> I appreciate your reading and comments on those documents.

Hi Yutaka,

I can not comment on the technical nature of your draft, but have a
few suggestions that might make some sentences flow better. I
capitalized words that I changed to draw notice to them, but these
would be lowercase in the corrected text.
Since I am not that familiar with what you are doing, make sure that
these suggestions do not change the intended meaning of your text.
They are mostly number or tense changes.

4.6 and 5, p17 diagram, INPUTTED not inputed

Unlike THE Basic and Digest HTTP access authentication protocol
[RFC2617], THIS protocol ensures that THE server knows the user's
entity (encrypted password) upon successful authentication.

...successful authentication to steal THE user's sensitive information,

THIS protocol prevents such attacks by providing users a way to...

If there is no matching user found, the server SHOULD construct a fake
w_B value, and let the protocol GO ON? CONTINUE? by sending A 401-B1

If the validation has failed, it means that the authentication has
failed. (remove BEEN from has been failed)

In a response to a req-B1 message, when C has received a 401-B0
message, it means that the authentication has failed, possibly due to
the wrong password BEING given. (remove BEEN from has been failed,
remove THAT from due to that the wrong password, change has been given
to BEING given)

If the verification has SUCCEEDED, C will process the body of the message.

Both peers SHOULD reject any invalid UTF-8 sequences which CAUSE
decoding ambiguities

*  C HAS not sent the same value in the same session.

Step 7:  Check whether there is an available sid for the
authentication realm you EXPECT.

   Any kind of response OTHER than THOSE shown in THE above procedure SHOULD be
   interpreted as fatal communication error, and in such cases user
   clients MUST NOT process any data (contents and other content-related
   headers) sent from the server.

7.1 The value of this field MUST be a  string THAT contains an
absolute URL location.

use of this header with 200-optional-B0 messages IS not recommended.

7.2 The value of this field MUST be a string THAT contains an absolute
URL location.

This FIELD SHOULD only be used with 200-B4 messages.

7.3 This FIELD will be used with 200-B4 messages.

If this condition DOES not hold, the server MUST retry with another
value of s_B.

Just like Basic and Digest access authentication protocol, Mutual
authentication protocol supports multiple, separate authentication
realms to be set up inside each HOST.

Depending on the "path" parameters given in the "401-B1" message (see
Section 4), There may be several CANDIDATES... (lowercase there)

In this case, it is difficult for the authenticating server to acquire
the TLS key information which IS? used between the client and the

In the Mutual authentication protocol, a session represented by a sid
is generated by... (lowecase by)

The client MAY send more than one REQUEST using a single session
specified by the sid.

In addition, for each SESSION,...

When the user INPUTS the username and password, the client resends the
request with a req-A1 header.

If the validation FAILS?, the client MUST NOT process any content sent
with the message, including the body part.

If user-names have to BE kept secret against eavesdropping, the server
must use full-scheme-type auth-domain parameter.

Server-side STORAGE of user passwords IS advised...

(( Anthony Bryan ... Metalink [ http://www.metalinker.org ]
  )) Easier, More Reliable, Self Healing Downloads
Received on Thursday, 24 December 2009 20:48:25 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:52 UTC