Re: Fwd: [http-auth] WGLC for draft-ietf-httpauth-hoba-04

• From: Amos Jeffries <squid3@treenet.co.nz>
• Date: Tue, 23 Sep 2014 18:35:59 +1200
• To: ietf-http-wg@w3.org
• Message-ID: <542114CF.3040204@treenet.co.nz>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 23/09/2014 9:50 a.m., Mark Nottingham wrote:
> FYI; please have a look over this with an HTTP eye (and note that
> the intended status is Experimental).
> 
> <https://tools.ietf.org/html/draft-ietf-httpauth-hoba-04>
> 
> Cheers,
> 
> 
> Begin forwarded message:
> 
>> From: Yoav Nir <ynir.ietf@gmail.com> Subject: [http-auth] WGLC
>> for draft-ietf-httpauth-hoba-04 Date: 21 September 2014 10:48:58
>> pm PDT To: IETF HTTP Auth <http-auth@ietf.org> Archived-At:
>> http://mailarchive.ietf.org/arch/msg/http-auth/3B6SxPqTEQ6KadDvXMDmqQhZEiQ
>>
>>
>> 
Hi all
>> 
>> Stephen, Paul, and Michael submitted version -04 about a month
>> ago, and it has received no discussion so far.  The authors are
>> of the opinion that the document is ready for publication, and
>> it’s time for the group to weigh in on this subject.
>> 
>> This mail begins working group last call for this document.
>> Please take the time to read the draft and send comments to the
>> list about its security, applicability, usefulness, and any other
>> aspect you wish to discuss. For guidance on what to look for, let
>> me quote the following from our charter: The httpauth WG will be
>> a short-lived working group that will document a small number of
>> HTTP user authentication schemes that might offer security
>> benefits, and that could, following experimentation, be widely
>> adopted as standards-track schemes for HTTP user authentication.
>> Each of these RFCs will be Informational or Experimental, and
>> should include a description of when use of its mechanism is
>> appropriate, via a use-case or other distinguishing 
>> characteristics. The WGLC is two weeks long, and ends on October
>> 6th. Please send your reviews as replies to this message.
>> 
>> Thanks,
>> 
>> Yoav & Matt _______________________________________________ 
>> http-auth mailing list http-auth@ietf.org 
>> https://www.ietf.org/mailman/listinfo/http-auth
> 
> -- Mark Nottingham   http://www.mnot.net/
> 

Looks like the HTTP specific part is almost a duplicate of RFC 6750
OAuth 2.0 Bearer authentication.

One could re-write this specification by doing:

 * reference Bearer specification,
 * add expires= and challenge= (code=?) parameters on www-auth header,
 * add a scope parameter value "hoba:origin",
 * prohibit token re-use/replay,
 * prohibit URI-query and payload delivery mechanisms
 * define section 5 and section 6 using RFC 6749 credential management
parameters and mechanisms.

Doing so would avoid both the need to register a new authentication
scheme, and "well-known" URI space.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUIRTPAAoJELJo5wb/XPRjHtcH/RSHv9Zg9YUnZw3q2Q/lsobX
xa8cvK1LrEjrtlEBGG+R3I8G5y4WDNqhowEsbHk1hMv2Kn+WN1ZCmzSM32KWBd+X
HalPfFlWvIctKd/M2uVe9DBXJS6GLVAGR1YhY2siBMN3G2umOgf2TCgS70NnXwVq
W2o7xhvYwBpX1NjrxOEQTYG7B7HDYUM1oVXGjXMTjt0GhAopIS8xXXkXrxqS82kG
gdZQ1EFfyci3TJD17zvbpGBhTEjT/ZTD5B8DY/2trdLq3MZ7FvSDBtoUwi1Ornm8
EMFnr/8kldKG+77xqSNrfBlBnUqWfEI+epzFqKBD9wdaHVn0JE9RR+XL/7SngN0=
=gNel
-----END PGP SIGNATURE-----

Received on Tuesday, 23 September 2014 06:36:47 UTC