W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

hoba: mixing origin-bound certs and user login

From: Manger, James H <James.H.Manger@team.telstra.com>
Date: Tue, 24 Jul 2012 00:15:47 +1000
To: Paul Hoffman <paul.hoffman@gmail.com>, "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <255B9BB34FB7D647A506DC292726F6E114F7F016B6@WSMSG3153V.srv.dir.telstra.com>
Stephen & Paul,

Thanks for developing HTTP Origin-Bound Authentication (HOBA) [draft-farrell-httpbis-hoba-01], but I am confused about how it works.

Version -00 leveraged origin-bound certificates (OBC) [http://tools.ietf.org/html/draft-balfanz-tls-obc-01]. Version -01 still mentions OBC (eg "Signing Up … The OBC MUST be sent base64 encoded"), but I get the impression this is an HTTP-layer cert that is *totally separate* from any TLS-layer OBC. Is that true?

C <- S: WWW-Authenticate: HOBA realm="abc", challenge="123"
C -> S: Authorization: HOBA sig=sign(origin+realm+challenge), obc=...

Q. Should you always need a round-trip to collect a challenge from the server, or can an initial HTTP request be authenticated using HOBA? Perhaps signing a timestamp instead of a challenge.

Instead of POSTing a cert (OBC) to /.well-known/hoba/sign-up, the client could just use HOBA. That is, the client generates a key pair & OBC, then includes the OBC in the Authorization header when requesting the sign-up URI.

The request to /.well-known/hoba/sign-up (which can probably be a GET instead of a POST) needs to include the realm, though this could be in the HOBA Authorization header as well.

There might need to be some signal from the server once the sign-up has completed so the client knows it can now repeat the request that caused the WWW-Authenticate response that triggered the sign-up. Using a status code might work (eg 201 Created indicating the creation of an account), but a status code is a bit awkward since you need to distinguish a status code about this page of the sign-up interaction vs the status of the entire sign-up process.
Similarly there needs to be some signal that the sign-up process failed.

Why does logout require a request to /.well-known/hoba/log-out, instead of just no longer including "Authorization: HOBA sig=..."? Is it because only 1 HOBA signature might be used to authenticate in a session, and a session cookie could be used from there? Or is it just generally useful to inform the server?

Servers not allowing TLS session resumption after getting a request to /.well-known/hoba/log-out feels strange (and unnecessary). Is the current TLS session also supposed to be terminated on logout? Can't you logout of your account, but keep browsing the site on the same connection?

Is it the idea that (after an initial sign-up) the HTTP-layer OBC would be used automatically by the client whenever accessing the site? Or automatically, but only after getting a "WWW-Authenticate: HOBA ..." response? Or is the client supposed to display a "Login" button when the user browsers to the site? Or does the client prompt to login on receiving "WWW-Authenticate: HOBA ..."?

James Manger
Received on Monday, 23 July 2012 14:16:31 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:04 UTC