- From: Yutaka OIWA <y.oiwa@aist.go.jp>
- Date: Mon, 9 Jul 2012 12:01:52 +0900
- To: Alexey Melnikov <alexey.melnikov@isode.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Dear Alexey,

2012/7/9 Alexey Melnikov <alexey.melnikov@isode.com>:
> I think it is worth investing some WG time into this proposal, because several proposals (+ existing Kerberos) are already multi-legged. Otherwise new schemes would need to reinvent this, for example using the "sid" directive.

I agree that it is good to have a unified vehicle for managing sessions for multi-legged auth. Actually, more than three-quarters of my proposal is technically a common vehicle for multi-legged authentication, with optional re-use of a key-based shared secret for authorizing multiple requests without a full key exchange. I think Alexey's SCRAM-SHA1 proposal completely fits this model, and I actually thought to propose to Alexey that we merge the session-managing part of the two proposals into one unified scheme. One possibility for me is to write (or propose) an experimental draft putting SCRAM-SHA1 onto my vehicle, to see whether it works or not.

Gabriel's draft is interesting in the way that it takes existing connection-based authentication schemes (NTLM and Negotiate) into the HTTP/2.0 world. These things are declared "broken" in the current HTTP/1.1-bis discussions, and without consideration they will not be useful for HTTP/2.0. There should be a debate about how we treat existing connection-based authentication in the future, and if we decide it will survive, we will need Gabriel's one or something similar. For key-based multi-legged authentications (things similar to Digest, including Mutual and SCRAM-SHA1), at first glance it seems not well designed for the key-based case, but it is still interesting to me, because it will show how these things are different, and how the common things can be picked up. My intuition at the current moment is to have TWO common vehicles for HTTP-layer multi-legged authentications, one for connection-based and one for key-based (this is not a strong opinion, just an observation).

I want to continue research on how these two things are related, to make common things common, and to keep different things different :-)

--
Yutaka OIWA, Ph.D.
Leader, Software Reliability Research Group
Research Institute for Secure Systems (RISEC)
National Institute of Advanced Industrial Science and Technology (AIST)
Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]
Received on Monday, 9 July 2012 03:02:36 UTC