Re: [apps-discuss] [saag] [websec] [kitten] HTTP authentication: the next generation
John C Klensin <john-ietf@jck.com> Tue, 14 December 2010 19:22 UTC
Return-Path: <john-ietf@jck.com>
X-Original-To: apps-discuss@core3.amsl.com
Delivered-To: apps-discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 345883A6EBD; Tue, 14 Dec 2010 11:22:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.587
X-Spam-Level:
X-Spam-Status: No, score=-102.587 tagged_above=-999 required=5 tests=[AWL=0.012, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gpbgKEsWC2f5; Tue, 14 Dec 2010 11:22:12 -0800 (PST)
Received: from bs.jck.com (ns.jck.com [209.187.148.211]) by core3.amsl.com (Postfix) with ESMTP id 7A8CE3A6EA8; Tue, 14 Dec 2010 11:22:11 -0800 (PST)
Received: from [127.0.0.1] (helo=localhost) by bs.jck.com with esmtp (Exim 4.34) id 1PSaTT-00003D-Bz; Tue, 14 Dec 2010 14:23:47 -0500
Date: Tue, 14 Dec 2010 14:23:45 -0500
From: John C Klensin <john-ietf@jck.com>
To: Steven Bellovin <smb@cs.columbia.edu>
Message-ID: <9EC2FC766CCD8D29F96C688A@PST.JCK.COM>
In-Reply-To: <BA6B6B0B-C7D8-4CCB-88EB-946F51962B7C@cs.columbia.edu>
References: <4D02AF81.6000907@stpeter.im> <p06240809c928635499e8@[10.20.30.150]> <ADDEC353-8DE6-408C-BC75-A50B795E2F6C@checkpoint.com> <78BD0B98-0F20-478B-85F1-DBB45691EB0D@padl.com> <4D0479E3.4050508@gmail.com> <4D04D7D6.4090105@isode.com> <A23730A9-728B-4533-96D7-0B62496CC98A@checkpoint.com> <4D051731.1020400@isode.com> <4D054041.7010203@cisco.com> <0435D11C-DF55-464D-B23F-F5D114DEE2C3@checkpoint.com> <2229.1292235952.971571@puncture> <4D05FB8F.3070804@qbik.com> <2229.1292239384.281779@puncture> <96517E19-5DC7-47A0-8C21-C710F6F8F772@tzi.org> <5D5AF795-22AB-4726-B791-3706693466C3@checkpoint.com> <4D063CA5.8060907@gmail.com> <BA6B6B0B-C7D8-4CCB-88EB-946F51962B7C@cs.columbia.edu>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Mailman-Approved-At: Wed, 15 Dec 2010 08:03:48 -0800
Cc: Common@core3.amsl.com, General discussion of application-layer protocols <apps-discuss@ietf.org>, Yoav Nir <ynir@checkpoint.com>, websec <websec@ietf.org>, - Next Generation <kitten@ietf.org>, Yaron Sheffer <yaronf.ietf@gmail.com>, http-auth@ietf.org, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, saag@ietf.org
Subject: Re: [apps-discuss] [saag] [websec] [kitten] HTTP authentication: the next generation
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Dec 2010 19:22:14 -0000
--On Monday, December 13, 2010 13:57 -0500 Steven Bellovin <smb@cs.columbia.edu> wrote:

>...
>> Just like the phrase "I am not a lawyer" is always followed by amateur legal advice (I know that for sure, I've done it myself), the same goes for "I am not a UI expert".
>>
>> Two comments:
>>
>> - There are in fact a few security-usability experts. I don't know if any of them participate in the IETF. This is an emerging research field, see e.g. http://oreilly.com/catalog/9780596008277.
>>
>> - (I am not a UI expert, but...) Devising UI cues is extremely difficult. People will gladly enter their password when the web site displays a JPEG-rendered padlock icon. In fact *legitimate* sites have been known to display such icons, strange as it may sound.
>
> Security and usability *is* one of my research areas. I agree with Yoav: there are many problems with use of client-side certificates. In general, I like them -- the only way to log in to the computers I control is with public-key authenticated SSH -- but there are very good reasons why they are seldom used. Private key storage and transport is the major one, but key issuance and recovery from lost or stolen keys are serious issues as well. The security community has made that worse by layering heavyweight policies and procedures on top of the certificate issuance process, even when the value of the resource being protected isn't high enough to justify it.
>
> (I've been worrying about usability issues for a long time. There was one I-D that I dealt with as AD that I abstained on -- I wouldn't vote "no-ob" because I did object, but I had no better suggestion than "go back and start over". While dealing with that document, I emailed one of the top usability people and asked
>
>     Do you know of papers on the difficulty of administering complex access control lists? I'm trying to convince people that a seriously-complex scheme will lead to massive security failures, because no one will be able to get the ACLs right.
>
> So yes, there are people in the IETF who worry about UI issues.)

Steve,

I worry too. And, while I effectively dropped out of the field --in terms of making any useful contributions-- about 25 years ago, I do try to track the literature (without great success).

Observations:

(1) The folks who taught me about what was then called "human factors in computing" in the 70s suggested that one key issue was to design from error/failure states backwards to both detailed system design and UI. If one could not do an analysis of failure states, then one wasn't ready to design the interfaces of the system. If the right information is not available in the right place to produce a coherent message and make it actionable, patching things on just doesn't work. From that perspective, it is as hard or harder to graft a good UI onto a system that wasn't designed with UIs in mind as it is to graft good security onto a system that wasn't designed for that. A large number of modern systems --and IETF protocols-- fail on both dimensions.

(2) Even without any research, it should be obvious to us all that presenting a user with a dialog box with a string of text that might be informative to an expert but is pure gibberish to the user, followed by some choice, is not going to produce good results. The question of whether the choice in that situation should be a pair of boxes labeled "yes" or "no" (or equivalent) or a single box labeled "ok" (or equivalent) is, IMO, of purely academic concern. Unless the user can make an informed decision, decision/dialog boxes or other types of questions aren't about UIs but about attempted sops for the conscience of the implementer. Almost everything I've seen that attempts to deal with certificate validation failures falls into that general category. Things would be considerably better if we never had a false negative (bad certs could just be rejected, action dependent on them stopped, and the user informed, not asked), but that seems unlikely at least as long as we have relatively simple cases like administrative failures to install new certs before old ones expire.

(3) I think the above suggests that your "seriously complex scheme" criterion is much too high a bar. Even a moderately complex scheme that depends on lots of factors or subtle interactions will fail. If the ACLs don't get people, then user inability to deal with explanations of the failures will.

(4) The problem with your comments, and even more so the problem with mine above, is that they are not usefully actionable in the IETF. We could round up a collection of UI experts to look at some of these things and have them shake their heads and say "royal mess you have gotten yourselves into". That, like your comments and I hope mine, would be true... and equally useless vis-a-vis digging ourselves out.

I hope this isn't as hopeless as it feels to me sometimes, but... do you have suggestions?

john