W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2014

Re: Fwd: [http-auth] WGLC for draft-ietf-httpauth-hoba-04

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Tue, 23 Sep 2014 18:35:59 +1200
Message-ID: <542114CF.3040204@treenet.co.nz>
To: ietf-http-wg@w3.org
Hash: SHA1

On 23/09/2014 9:50 a.m., Mark Nottingham wrote:
> FYI; please have a look over this with an HTTP eye (and note that
> the intended status is Experimental).
> <https://tools.ietf.org/html/draft-ietf-httpauth-hoba-04>
> Cheers,
> Begin forwarded message:
>> From: Yoav Nir <ynir.ietf@gmail.com> Subject: [http-auth] WGLC
>> for draft-ietf-httpauth-hoba-04 Date: 21 September 2014 10:48:58
>> pm PDT To: IETF HTTP Auth <http-auth@ietf.org> Archived-At:
>> http://mailarchive.ietf.org/arch/msg/http-auth/3B6SxPqTEQ6KadDvXMDmqQhZEiQ
Hi all
>> Stephen, Paul, and Michael submitted version -04 about a month
>> ago, and it has received no discussion so far.  The authors are
>> of the opinion that the document is ready for publication, and
>> itís time for the group to weigh in on this subject.
>> This mail begins working group last call for this document.
>> Please take the time to read the draft and send comments to the
>> list about its security, applicability, usefulness, and any other
>> aspect you wish to discuss. For guidance on what to look for, let
>> me quote the following from our charter: The httpauth WG will be
>> a short-lived working group that will document a small number of
>> HTTP user authentication schemes that might offer security
>> benefits, and that could, following experimentation, be widely
>> adopted as standards-track schemes for HTTP user authentication.
>> Each of these RFCs will be Informational or Experimental, and
>> should include a description of when use of its mechanism is
>> appropriate, via a use-case or other distinguishing 
>> characteristics. The WGLC is two weeks long, and ends on October
>> 6th. Please send your reviews as replies to this message.
>> Thanks,
>> Yoav & Matt _______________________________________________ 
>> http-auth mailing list http-auth@ietf.org 
>> https://www.ietf.org/mailman/listinfo/http-auth
> -- Mark Nottingham   http://www.mnot.net/

Looks like the HTTP specific part is almost a duplicate of RFC 6750
OAuth 2.0 Bearer authentication.

One could re-write this specification by doing:

 * reference Bearer specification,
 * add expires= and challenge= (code=?) parameters on www-auth header,
 * add a scope parameter value "hoba:origin",
 * prohibit token re-use/replay,
 * prohibit URI-query and payload delivery mechanisms
 * define section 5 and section 6 using RFC 6749 credential management
parameters and mechanisms.

Doing so would avoid both the need to register a new authentication
scheme, and "well-known" URI space.

Version: GnuPG v2.0.22 (MingW32)

Received on Tuesday, 23 September 2014 06:36:47 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 30 March 2016 09:57:10 UTC