[dix] Re: [Ietf-http-auth] Notes on Web authentication enhancements




You're right (unless I missed something else);

[2617]
       digest-uri       = "uri" "=" digest-uri-value
       digest-uri-value = request-uri   ; As specified by HTTP/1.1

[2616]
Request-URI = "*" | absoluteURI | abs_path | authority
                                  ^^^^^^^^
A pity.

On 2006/06/26, at 12:00 PM, Eric Rescorla wrote:

> Mark Nottingham <mnot at yahoo-inc.com> writes:
>
>> On 2006/06/23, at 3:29 PM, Eric Rescorla wrote:
>>> Part of the problem is that the user and the software have
>>> a different view of the RP's identity. The software knows that
>>> C1tibank and Citibank are different, but the user does not.
>>
>> Fair enough.
>>
>> Would it be correct to say that HTTP Digest Auth has this property
>> already (because A2 includes the digest-uri-value)? There are other
>> attacks that can be made against Digest, of course (e.g., dictionary
>> against weak passwords), but it's interesting to think of it as
>> having anti-phishing properties.
>
> I'm not 100% sure. IIRC, the digest-uri-value is only the path portion, i.e.,
>
>      /example/example.html
>
> rather than
>
>      http://www.example.com/example/example.html
>
> But I could totally be wrong on this.
>
> -Ekr



-- Mark Nottingham mnot at yahoo-inc.com
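An added example, not part of the thread: the RFC 2617 request-digest computation with constructed credentials and the made-up hosts citibank.example and c1tibank.example. It shows that in the abs_path form (what a client sends to an origin server) the host name never enters A2, so two hosts serving the same path produce the same response, whereas the absoluteURI form would bind it.

```python
import hashlib
from urllib.parse import urlsplit


def _h(s: str) -> str:
    # H() in RFC 2617 is MD5, rendered as lowercase hex.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def request_digest(username, realm, password, method, digest_uri, nonce,
                   nc="00000001", cnonce="0a4f113b", qop="auth"):
    """RFC 2617 request-digest for qop=auth:
    A1 = username ":" realm ":" password
    A2 = Method ":" digest-uri-value
    response = H( H(A1) ":" nonce ":" nc ":" cnonce ":" qop ":" H(A2) )
    """
    ha1 = _h(f"{username}:{realm}:{password}")
    ha2 = _h(f"{method}:{digest_uri}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def rfc2617_worked_example() -> str:
    # The worked example from RFC 2617 section 3.5, used as a self-check
    # of the computation above.
    return request_digest("Mufasa", "testrealm@host.com", "Circle Of Life",
                          "GET", "/dir/index.html",
                          "dcd98b7102dd2f0e8b11d0f600bfb0c093")


# Constructed sample credentials. Realm and nonce are server-supplied,
# unauthenticated strings, so any site can present the same ones.
CREDS = dict(username="alice", realm="bank@example", password="s3cret",
             method="GET", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093")


def response_for(url: str, form: str) -> str:
    """Client response for a request to `url`, with digest-uri-value in the
    abs_path form (sent to an origin server) or the absoluteURI form
    (sent via a proxy)."""
    digest_uri = urlsplit(url).path if form == "abs_path" else url
    return request_digest(digest_uri=digest_uri, **CREDS)


def host_is_bound(form: str) -> bool:
    """True iff two hosts serving the same path get different responses,
    i.e. the host name actually enters the digest. Hosts are constructed."""
    genuine = response_for("https://citibank.example/login", form)
    lookalike = response_for("https://c1tibank.example/login", form)
    return genuine != lookalike
```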




_______________________________________________ dix mailing list dix at ietf.org https://www1.ietf.org/mailman/listinfo/dix



