[dix] Re: [Ietf-http-auth] Notes on Web authentication enhancements

BARE CRYPTOGRAPHIC IDENTIFIER
After username/password, probably the most familiar sort of
remote identifier is a bare public key. The way this is
used is familiar from SSH: the user generates a public key
and provides the key (or fingerprint) to the relying party
(or parties). He can then sign with the private key to
prove possession.
...

CRYPTOGRAPHIC BINDING INSIDE HTTP
If you're using public key for authentication, the natural approach is
to simply have the credentials bound directly to the HTTP PDUs they
vouch for. So, the PDU would contain a signature line that covered the
request itself. This is what, for example, S-HTTP does.

Notwithstanding Phil's point about protocol issues being out of scope, which is likely correct, I'll nevertheless mention a recent authentication protocol called HTTPsec: http://httpsec.org/protocol/1.0/ This provides unilateral or mutual authentication using RSA public keys, or symmetric keys if pre-shared, applicable to arbitrary messages. It's somewhat "lighter" than S-HTTP; the latter encapsulates the entire message, whereas HTTPsec adds a single header containing a MAC, amongst other directives. Obviously, it requires extra code at client- and server-side.

Stephan Fowler

_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix
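The "credential bound directly to the HTTP PDU" idea that the quoted notes and the reply both describe (a single header whose MAC covers the request itself), worked through as an added example. This is not code from the thread and not the wire format of HTTPsec or S-HTTP; the header name, the set of covered headers, the canonical form and the pre-shared key are all assumptions made for the illustration.

```python
# Added illustration of binding an authenticator to the HTTP request it vouches
# for: the client computes a MAC over a canonical form of the request and
# carries it in one extra header; the server recomputes it before acting.
# The header name, canonicalisation and key handling below are assumptions for
# this demo, NOT the HTTPsec or S-HTTP formats discussed in the thread.
import hashlib
import hmac
from dataclasses import dataclass, field

AUTH_HEADER = "x-demo-mac"          # assumed header name, not a standard one
SIGNED_HEADERS = ("host", "date")   # headers covered by the MAC (assumed set)


@dataclass
class Request:
    method: str
    target: str
    headers: dict = field(default_factory=dict)   # lowercase header names
    body: bytes = b""


def canonical(req: Request) -> bytes:
    """Bytes the MAC covers: method, request-target, selected headers, body hash.

    Headers outside SIGNED_HEADERS are deliberately excluded so that a proxy
    may add or rewrite them without invalidating the authenticator.
    """
    lines = [req.method.upper(), req.target]
    for name in SIGNED_HEADERS:
        value = req.headers.get(name)
        if value is None:
            raise ValueError(f"required signed header missing: {name}")
        lines.append(f"{name}:{value.strip()}")
    lines.append(hashlib.sha256(req.body).hexdigest())
    return "\n".join(lines).encode()


def sign(req: Request, key: bytes) -> Request:
    """Client side: return a copy of req carrying the MAC header."""
    mac = hmac.new(key, canonical(req), hashlib.sha256).hexdigest()
    signed = Request(req.method, req.target, dict(req.headers), req.body)
    signed.headers[AUTH_HEADER] = mac
    return signed


def verify(req: Request, key: bytes) -> bool:
    """Server side: recompute the MAC and compare in constant time."""
    presented = req.headers.get(AUTH_HEADER)
    if presented is None:
        return False
    try:
        expected = hmac.new(key, canonical(req), hashlib.sha256).hexdigest()
    except ValueError:          # a covered header is missing
        return False
    return hmac.compare_digest(presented, expected)


def demo() -> dict:
    """Constructed exchange: one genuine request and several altered copies."""
    key = b"constructed-demo-key"   # constructed pre-shared key for the example
    req = Request(
        "POST", "/transfer",
        {"host": "api.example", "date": "Tue, 01 Jan 2008 00:00:00 GMT",
         "user-agent": "demo/1.0"},
        b"to=alice&amount=10",
    )
    signed = sign(req, key)
    results = {"genuine": verify(signed, key)}
    # request-target changed in transit: covered, so the MAC no longer matches
    path_tampered = Request("POST", "/admin/transfer", dict(signed.headers), signed.body)
    results["path_tampered"] = verify(path_tampered, key)
    # body changed: covered via its hash
    body_tampered = Request(signed.method, signed.target, dict(signed.headers),
                            b"to=alice&amount=1000")
    results["body_tampered"] = verify(body_tampered, key)
    # an uncovered header may change freely (e.g. a proxy rewriting User-Agent)
    proxied = Request(signed.method, signed.target,
                      dict(signed.headers, **{"user-agent": "proxy/2"}), signed.body)
    results["unsigned_header_changed"] = verify(proxied, key)
    # wrong key, and a request that never carried the header
    results["wrong_key"] = verify(signed, b"other-key")
    results["missing_mac"] = verify(req, key)
    return results
```

Two caveats a practitioner would want beside this: the MAC only binds what the canonical form covers, so the choice of covered headers is the security boundary (here anything outside Host and Date may be rewritten without detection), and a bare MAC with a signed Date header limits but does not prevent replay within whatever clock skew the server tolerates; a nonce or a server challenge is needed for that. With a public key instead of a pre-shared key, the HMAC step becomes a signature over the same canonical bytes and the verifier needs only the public key.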




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.