- From: Henrik Nordstrom <henrik@henriknordstrom.net>
- Date: Tue, 01 Apr 2008 23:33:31 +0200
- To: Story Henry <henry.story@bblfish.net>
- Cc: HTTP Group Working <ietf-http-wg@w3.org>, buanzo@buanzo.com.ar
Tue 2008-04-01 at 17:47 +0200, Story Henry wrote:
> http://blogs.sun.com/bblfish/entry/rdfauth_sketch_of_a_buzzword
>
> It is very simple, and probably could be further simplified. Some
> people have noted the similarity with HTTPS, and how this could be
> thought of as an extension to that perhaps [2].

I see more similarities with HTTP Digest authentication than HTTPS. Actually you would solve some of the problems mentioned, like replay attacks and nonce management, if you do things the Digest way with server nonce, client nonce + server nonce reuse counter.

You cannot shortcut 1+2 unfortunately while keeping RESTful, as HTTP does not allow mixing public and authenticated content on the same URI, and attempting to do so will mess up the cache model of HTTP. But 1 only needs to be performed once for the whole duration of the session (which can be arbitrarily long, subject to server controlled constraints).

But I feel this proposal is perhaps trying to layer too much at the same time. Better to separate identification from authentication. If you use pgp for authentication then the identification key in the authentication should be the pgp identity (which is a pgp key with some name & email recorded). But it's also worth noting that pgp signatures do embed the needed information to identify which key has made the signature (but not its distribution points).

What this means is: supply the foaf identification separately in an informal header if needed. It also makes it trivial to use other forms of authentication with no change in the semantic identification. One example of such alternative authentication would be SSL.

So there are three components:

* Identification. "This is who I claim to be"
* Authentication. "This is how I prove the above to be true"
* Authorization. "I know you, access granted"

I would make the identification separate, and use authentication to prove the identification when needed.

In the end this boils down to the web of trust of the authentication scheme used.

Another related alternative using OpenPGP for http authentication would be to use enigform for the requests requiring authentication. Layered slightly differently, not following the HTTP authentication scheme model in header names, but conceptually it is one.

http://www.buanzo.com.ar/sec/enigform.en.html

Regards
Henrik
Received on Tuesday, 1 April 2008 21:34:34 UTC
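The following is an added example, not part of Henrik's mail or of the RDFAuth/enigform proposals, illustrating the Digest-style replay protection he refers to (server nonce, client nonce and the nonce reuse counter `nc` from RFC 2617) and the identification / authentication / authorization split he lists. The realm, usernames, passwords and paths are constructed for the demo; the `DigestServer` class and `handle` method are hypothetical names, not any real server's API.

```python
import hashlib
import hmac
import re
import secrets

# Added example (not from the thread). RFC 2617 Digest with qop=auth:
# the server tracks the highest nc accepted per issued nonce, so a
# captured Authorization header cannot simply be replayed.
# Realm, users, passwords and paths below are constructed for the demo.


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:auth:{ha2}")


def rfc2617_example():
    """The worked example from RFC 2617 section 3.5 (expected 6629fae4...4ef1)."""
    return digest_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                           "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           1, "0a4f113b")


def build_authorization(username, realm, password, method, uri, nonce, nc, cnonce):
    """Client side: the Authorization header for one request (nc is an int)."""
    resp = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc:08x}, cnonce="{cnonce}", response="{resp}"')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header):
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quoted or bare values)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {k: quoted or bare for k, quoted, bare in _PARAM.findall(params)}


class DigestServer:
    """Hypothetical server: identification (username), authentication
    (digest proof), then authorization (ACL) as three separate steps."""

    def __init__(self, realm, users, acl):
        self.realm = realm
        self.users = users    # username -> password (a real server would store HA1)
        self.acl = acl        # uri -> set of usernames allowed
        self.nonces = {}      # issued server nonce -> highest nc accepted so far

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def handle(self, method, uri, authorization):
        a = parse_authorization(authorization)
        nonce = a.get("nonce")
        if nonce not in self.nonces:
            return 401, "stale nonce"          # not issued by us, or expired
        try:
            nc = int(a.get("nc", ""), 16)
        except ValueError:
            return 400, "malformed nc"
        if nc <= self.nonces[nonce]:
            return 401, "replay"               # counter did not advance for this nonce
        if a.get("realm") != self.realm or a.get("uri") != uri:
            return 401, "bad realm or uri"
        password = self.users.get(a.get("username"))   # identification step
        if password is None:
            return 401, "bad credentials"
        expected = digest_response(a["username"], self.realm, password, method, uri,
                                   nonce, nc, a.get("cnonce", ""))
        if not hmac.compare_digest(expected, a.get("response", "")):
            return 401, "bad credentials"      # authentication failed
        self.nonces[nonce] = nc                # advance only after a valid proof
        if a["username"] not in self.acl.get(uri, set()):
            return 403, "not authorized"       # authenticated, but no access
        return 200, "ok"


def demo():
    """Constructed exchange: first use, replay, advanced nc, wrong password, wrong user."""
    server = DigestServer("example", {"alice": "s3cret", "bob": "hunter2"},
                          acl={"/private": {"alice"}})
    nonce = server.issue_nonce()
    first = build_authorization("alice", "example", "s3cret", "GET", "/private", nonce, 1, "c0ffee")
    results = [server.handle("GET", "/private", first)]
    results.append(server.handle("GET", "/private", first))   # captured header replayed
    second = build_authorization("alice", "example", "s3cret", "GET", "/private", nonce, 2, "badc0de")
    results.append(server.handle("GET", "/private", second))  # same nonce, nc advanced
    wrong = build_authorization("alice", "example", "guess", "GET", "/private", nonce, 3, "d00d")
    results.append(server.handle("GET", "/private", wrong))
    bob = build_authorization("bob", "example", "hunter2", "GET", "/private",
                              server.issue_nonce(), 1, "f00d")
    results.append(server.handle("GET", "/private", bob))     # authenticates, not allowed
    return results


if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```

Note that the counter is only advanced after a successful proof, so a failed guess cannot burn nonce counts for the legitimate client, and the same server nonce keeps working for the whole session as long as `nc` keeps increasing, which is the "perform step 1 once" property Henrik describes.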