
Re: [saag] [http-auth] [websec] [kitten] HTTP authentication: the next generation

From: Richard L. Barnes <rbarnes@bbn.com>
Date: Mon, 13 Dec 2010 15:18:33 -0500
Cc: Yoav Nir <ynir@checkpoint.com>, websec <websec@ietf.org>, Marsh Ray <marsh@extendedsubset.com>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <A4C13488-9F0F-4B03-8027-204C1E5736B8@bbn.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Actually, sounds like it might be a handy usage of OAuth.  The whole point of that protocol is to delegate user authorizations.  This is just the case where the user is delegating his entire set of authorizations to another instance of himself.
--Richard



On Dec 13, 2010, at 11:27 AM, Stephen Farrell wrote:

> 
> 
> On 13/12/10 15:29, Yoav Nir wrote:
> 
>>    * A possible solution to the first problem would be to issue
>>      multiple certificates for use in phone, laptop and desktop. But
>>      this makes the management of all these certificates even more
>>      complicated, and increases the attack surface.
> 
> Just a random thought. What if there were a standard way for web server
> apps to bind together different client public keys? E.g. start at home,
> with TLS mutual auth somehow, then go to the standard "bind new device"
> button which returns a shortish URL that the user can cut'n'paste to
> a 2nd device, also using TLS mutual auth, but with the key pair from
> that 2nd device. Then the server could associate a set of client public
> keys with the same account. (The URL could probably also be made only
> usable on that server as well via some server-side symmetric crypto
> maybe.)
> 
> Probably has holes galore, (and/or was tried a decade ago;-) but at
> least the browsers could work as-is. Well, as-is if you assume people
> had a way to generate and manage key pairs easily in their various
> browsers.
> 
> Regardless of the above, I think that if there were a usable way to
> do TLS mutual auth that was unencumbered and worked well, (including
> tackling portability), that'd be great, and even if the probability
> of failing is high, trying for that is maybe worth a shot.
> 
> S.
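The "bind new device" flow sketched in the quoted message, as an added example that is not code from anyone in this thread: a toy server-side model in which the binding URL carries an HMAC under a server-only key (so it is usable only on that server), expires, and can be redeemed once. Each device is identified by the fingerprint of the TLS client certificate it presents; the TLS layer is assumed to hand that fingerprint to the application, and the host name, class and method names are invented for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time


class DeviceBinder:
    """Hypothetical server model: account -> set of client-cert fingerprints."""

    TTL = 600  # binding URLs expire after 10 minutes (assumed policy)

    def __init__(self, server_secret, now=time.time):
        self._secret = server_secret  # symmetric key that never leaves the server
        self._now = now               # injectable clock so expiry can be tested
        self.account_keys = {}        # account -> set of fingerprints (constructed)
        self._pending = {}            # token id -> account; entry deleted on use

    def enroll(self, account, device_fp):
        # Initial registration of a device (out of band for this example).
        self.account_keys.setdefault(account, set()).add(device_fp)

    def _tag(self, token_id, account, expiry):
        msg = "{}|{}|{}".format(token_id, account, expiry).encode()
        mac = hmac.new(self._secret, msg, hashlib.sha256).digest()[:16]
        return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

    def issue_bind_url(self, account, first_device_fp):
        # Only a device already bound to the account (TLS mutual auth) may ask.
        if first_device_fp not in self.account_keys.get(account, set()):
            raise PermissionError("device not bound to account")
        token_id = secrets.token_urlsafe(9)
        expiry = int(self._now()) + self.TTL
        self._pending[token_id] = account
        tag = self._tag(token_id, account, expiry)
        return "https://example.invalid/bind/{}.{}.{}".format(token_id, expiry, tag)

    def redeem_bind_url(self, url, second_device_fp):
        # Called when the 2nd device fetches the URL over TLS with its own cert.
        try:
            token_id, expiry_s, tag = url.rsplit("/", 1)[1].split(".")
            expiry = int(expiry_s)
        except (ValueError, IndexError):
            return False
        account = self._pending.get(token_id)
        if account is None or self._now() > expiry:
            return False  # unknown, already used, or expired
        if not hmac.compare_digest(self._tag(token_id, account, expiry), tag):
            return False  # tampered account/expiry/tag, or issued by another server
        del self._pending[token_id]  # single use
        self.account_keys[account].add(second_device_fp)
        return True
```

Because the account and expiry are covered by the MAC and the token is looked up server-side, a copied URL binds only the key of whoever presents it before expiry, and only once.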
Received on Monday, 13 December 2010 20:19:11 GMT