- From: Phillip Hallam-Baker <hallam@gmail.com>
- Date: Sat, 25 Jun 2011 15:43:00 -0400
- To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
- Cc: julian.reschke@gmx.de, http-auth@ietf.org, public-identity@w3.org, websec@ietf.org
- Message-ID: <BANLkTimSwF_OHCcVv1wgC-t8nf7A-vJr=A@mail.gmail.com>
On Tue, Jun 14, 2011 at 12:59 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

> Phillip Hallam-Baker <hallam@gmail.com> writes:
>
> >what would we want HTTP authentication to look like?
>
> I have a suggestion for what it shouldn't look like: Any method that hands
> over the password (or a password-equivalent like a password in hashed form) as
> current browsers do should be banned outright, and anyone who implements
> hand-over-the-password should be killed and eaten to prevent them from passing on
> the genes.

Take a look at the following draft:

https://tools.ietf.org/html/draft-hallambaker-owcp-00

The basic idea is that putting SecurID type schemes on an iPhone is using a Deep Blue to play pong.

This is orthogonal in that it is really about replacing the two factor scheme. But a really good backup for two factor could allow us to address some of the issues with single factor.

For example, browser generates a strong public keypair, uses same to authenticate to an 'account management service'. This stores single factor passwords on behalf of the user. Really big ones, like 128 bit worth of password.

If that type of scheme is used for the 90% of accounts that don't matter to me (no really, I don't care who uses my NYT account, only they care) we can reserve the second factor scheme to the accounts and the transactions where it really matters.

> The only permitted auth.form should be a dynamic, cryptographic mutual auth.
> that authenticates both the client and the server. There are endless designs
> for this sort of thing around so the precise form isn't too important, as long
> as it's not hand-over-the-password.

Agree completely. But that is not the problem that is blocking us here.

The central issue is how to get deployment and that is hard.

If we could maybe get a toehold on this problem by getting a free replacement for second factor out there that is also better, we can maybe get a critical mass we can leverage.
-- Website: http://hallambaker.com/
Received on Saturday, 25 June 2011 20:20:56 UTC
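The "browser keypair plus account management service holding 128-bit passwords" sketch in the mail above, as an added illustration that is not code from the thread or from the OWCP draft. The `Vault` type, its method names, the hex-encoded password format and the nonce/Ed25519 challenge-response are all assumptions made here; the point is that only a signature over a fresh nonce crosses the wire, never the password, and a signature cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Vault is the hypothetical account management service from the mail: it holds a
// random password per (client key, site) and releases one only to a client that
// proves possession of the enrolled private key. Names and layout are assumptions.
type Vault struct {
	passwords map[string]string // "<client pubkey hex>/<site>" -> password
	nonces    map[string][]byte // outstanding single-use challenge per client pubkey
}
func NewVault() *Vault { return &Vault{map[string]string{}, map[string][]byte{}} }
func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG; refuse to continue
	}
	return hex.EncodeToString(b)
}
// Enroll stores a fresh 128-bit random password for site under the client's public key.
func (v *Vault) Enroll(pub ed25519.PublicKey, site string) string {
	pw := randomHex(16) // 16 bytes = the "128 bit worth of password" in the proposal
	v.passwords[hex.EncodeToString(pub)+"/"+site] = pw
	return pw
}
// Challenge hands the client a single-use nonce to sign; no password crosses the wire.
func (v *Vault) Challenge(pub ed25519.PublicKey) []byte {
	n := []byte(randomHex(32))
	v.nonces[hex.EncodeToString(pub)] = n
	return n
}
// Fetch releases the password only for a valid signature over the outstanding nonce;
// the nonce is consumed first so a captured signature cannot be replayed.
func (v *Vault) Fetch(pub ed25519.PublicKey, site string, sig []byte) (string, error) {
	k := hex.EncodeToString(pub)
	n, ok := v.nonces[k]
	delete(v.nonces, k)
	if !ok || !ed25519.Verify(pub, n, sig) {
		return "", errors.New("authentication failed")
	}
	if pw, ok := v.passwords[k+"/"+site]; ok {
		return pw, nil
	}
	return "", errors.New("unknown site")
}
```

The client side is just `ed25519.Sign(priv, nonce)` over the value returned by `Challenge`; a deployed design would additionally bind the signed message to the service's identity so a signature obtained by one server cannot be forwarded to another.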