Re: [saag] [websec] [kitten] HTTP authentication: the next generation

From: Ben Laurie <benl@google.com>
Date: Fri, 7 Jan 2011 12:14:32 +0000
Message-ID: <AANLkTi=zrMteYq_mkPfGvDhBFLs4SbfjaT6pH3Oct_7D@mail.gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: Robert Sayre <sayrer@gmail.com>, "Roy T. Fielding" <fielding@gbiv.com>, websec <websec@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On 7 January 2011 08:24, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
> [Culling down the mailing lists]
>
> Hi Ben,
>
> No, RFC 4279 should not be used with (a hash of) human-memorable passwords,
> because it would be vulnerable to dictionary attacks. See
> http://tools.ietf.org/html/rfc4279#section-7.2. SRP, EKE and similar schemes
> should be used instead.

Fair point, though there seem to be at least political barriers to
using SRP, and EKE and friends have other issues.

>
> Thanks,
>        Yaron
>
> On 01/06/2011 05:31 PM, Ben Laurie wrote:
> [...]
>
>>
>>
>> Two comments (one really being a response to Roy):
>>
>> 1. The IETF has fixed the problem, but no-one is using the fix - perhaps
>> because it is not clear that it is the fix. I speak of RFC 4279, TLS
>> pre-shared keys. These could be derived from a hash of the password and
>> the site name, for example, and thus provide secure mutual
>> authentication despite password reuse.
>>
> [...]
>
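Added example, not part of the thread or of either author's code: a toy model of the password-derived TLS-PSK idea Ben proposes, showing why Yaron points at RFC 4279 section 7.2. Only the premaster-secret layout follows RFC 4279 (section 2); the master-secret and Finished computations are stand-ins (HMAC-SHA256 in place of the TLS PRF), and the site name, passwords and wordlist are constructed. A passive observer who captured one handshake can test candidate passwords offline, because the Finished value acts as a verifier; the same attack against a high-entropy PSK finds nothing.

```python
import hashlib
import hmac
import secrets

# Added example: toy TLS-PSK with PSK = H(password || site) and the offline
# dictionary attack RFC 4279 section 7.2 warns about. Key schedule simplified
# (HMAC-SHA256 instead of the TLS PRF); site, passwords, wordlist constructed.


def derive_psk(password: str, site: str) -> bytes:
    """PSK derived from the password and the site name, as proposed in the thread."""
    return hashlib.sha256(password.encode() + b"\x00" + site.encode()).digest()


def psk_premaster(psk: bytes) -> bytes:
    """RFC 4279 s.2 premaster secret: uint16 N, N zero octets, uint16 N, the PSK."""
    n = len(psk).to_bytes(2, "big")
    return n + bytes(len(psk)) + n + psk


def client_finished(psk: bytes, client_random: bytes, server_random: bytes, transcript: bytes) -> bytes:
    """Toy stand-in for master-secret derivation plus the client Finished MAC."""
    master = hmac.new(psk_premaster(psk), b"master secret" + client_random + server_random, hashlib.sha256).digest()
    return hmac.new(master, b"client finished" + transcript, hashlib.sha256).digest()


def capture(psk: bytes, site: str):
    """Simulate one legitimate handshake and return what a sniffer would see.
    Randoms, handshake messages and the Finished value all travel in the clear."""
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    transcript = b"ClientHello|ServerHello|ServerKeyExchange(hint)|ClientKeyExchange(" + site.encode() + b")"
    finished = client_finished(psk, client_random, server_random, transcript)
    return client_random, server_random, transcript, finished


def dictionary_attack(site, client_random, server_random, transcript, finished, wordlist):
    """Offline attack: recompute the Finished value for each candidate password
    and compare with the captured one. No interaction with the server needed."""
    for guess in wordlist:
        cand = client_finished(derive_psk(guess, site), client_random, server_random, transcript)
        if hmac.compare_digest(cand, finished):
            return guess
    return None


WORDLIST = ["123456", "password", "letmein", "correct horse", "qwerty"]  # constructed


def attack_password_psk(site="example.test", password="correct horse"):
    """Human-memorable password -> PSK: recovered from a single captured handshake."""
    cap = capture(derive_psk(password, site), site)
    return dictionary_attack(site, *cap, WORDLIST)


def attack_random_psk(site="example.test"):
    """High-entropy PSK (what RFC 4279 assumes): the same attack comes up empty."""
    cap = capture(secrets.token_bytes(32), site)
    return dictionary_attack(site, *cap, WORDLIST)


if __name__ == "__main__":
    print("password-derived PSK, recovered password:", attack_password_psk())
    print("random 256-bit PSK, recovered password:", attack_random_psk())
```

Hashing in the site name stops one captured handshake from being reused against another site, but it does not raise the entropy of the password, so the per-guess cost stays one hash plus one MAC. With SRP or another PAKE the handshake transcript does not serve as a verifier, and each guess costs an online exchange the server can see and throttle.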
Received on Friday, 7 January 2011 12:15:03 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:36 GMT