[dix] RE: [Ietf-http-auth] Notes on Web authentication enhancements
I have not read any of the patents on this for reasons that will be familiar.
If I was going to revisit Digest I would at the very least include an ephemeral D-H key into the mix so that the digest value was at a minimum secure against a brute force attack by a man in the middle.
Has every avenue to that end been encumbered?
> -----Original Message-----
> From: ietf-http-auth-bounces at osafoundation.org
> [mailto:ietf-http-auth-bounces at osafoundation.org] On Behalf
> Of Mark Nottingham
> Sent: Monday, June 26, 2006 3:58 PM
> To: EKR
> Cc: dix at ietf.org; ietf-http-auth at lists.osafoundation.org
> Subject: Re: [Ietf-http-auth] Notes on Web authentication enhancements
>
> You're right (unless I missed something else);
>
> [2617]
> > digest-uri = "uri" "=" digest-uri-value
> > digest-uri-value = request-uri ; As specified by HTTP/1.1
>
> [2616]
> > Request-URI = "*" | absoluteURI | abs_path | authority
> ^^^^^^^^ A pity.
>
>
> On 2006/06/26, at 12:00 PM, Eric Rescorla wrote:
>
> > Mark Nottingham <mnot at yahoo-inc.com> writes:
> >
> >> On 2006/06/23, at 3:29 PM, Eric Rescorla wrote:
> >>> Part of the problem is that the user and the software have a
> >>> different view of the RP's identity. The software knows that
> >>> C1tibank and Citibank are different, but the user does not.
> >>
> >> Fair enough.
> >>
> >> Would it be correct to say that HTTP Digest Auth has this property
> >> already (because A2 includes the digest-uri-value)? There are other
> >> attacks that can be made against Digest, of course (e.g., dictionary
> >> against weak passwords), but it's interesting to think of it as
> >> having anti-phishing properties.
> >
> > I'm not 100% sure. IIRC, the digest-uri-value is only the path
> > portion, i.e.,
> >
> > /example/example.html
> >
> > rather than
> >
> > http://www.example.com/example/example.html
> >
> > But I could totally be wrong on this.
> >
> >
> > -Ekr
> >
> >
>
> --
> Mark Nottingham
> mnot at yahoo-inc.com
>
>
>
> _______________________________________________
> Ietf-http-auth mailing list
> Ietf-http-auth at osafoundation.org
> http://lists.osafoundation.org/cgi-bin/mailman/listinfo/ietf-http-auth
>
>
_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
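As an added illustration of the point EKR and Mark settle in the quoted exchange (not code from the thread, from RFC 2617 or from RFC 2616): a Python computation of the Digest response with qop=auth, a constant-time server-side check, and a classifier for the four RFC 2616 Request-URI forms a digest-uri-value can take. User names, passwords, nonces and the "example realm" string are constructed; the only real vector is the worked example from RFC 2617 section 3.5. The demo shows that with the abs_path form nothing in A1 or A2 names the host, whereas an absoluteURI form folds the host into A2 and so changes the response per host.

```python
# Added example, not part of the thread: RFC 2617 Digest (qop=auth) response
# computation plus a classifier for the RFC 2616 Request-URI forms that the
# digest-uri-value may take. All names and sample values are constructed
# except the RFC 2617 section 3.5 worked example.
import hashlib
import hmac


def _h(s: str) -> str:
    """H() from RFC 2617: lowercase hex MD5 of the UTF-8 bytes."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1_for(username: str, realm: str, password: str) -> str:
    """H(A1) with A1 = username:realm:password; this is what a server stores."""
    return _h(f"{username}:{realm}:{password}")


def digest_response(username: str, realm: str, password: str, method: str,
                    digest_uri: str, nonce: str, nc: str, cnonce: str,
                    qop: str = "auth") -> str:
    """Client-side response for qop=auth (RFC 2617 section 3.2.2).

    A2 = Method:digest-uri-value and
    response = H(H(A1):nonce:nc:cnonce:qop:H(A2)).
    The only request-identifying input is digest_uri: no hostname is hashed
    unless the client chose an absoluteURI form for it, and the realm is a
    string announced by whichever server answered, not derived from the host.
    """
    ha2 = _h(f"{method}:{digest_uri}")
    return _h(f"{ha1_for(username, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_response(stored_ha1: str, method: str, digest_uri: str, nonce: str,
                    nc: str, cnonce: str, response: str, qop: str = "auth") -> bool:
    """Server-side check: recompute from the stored H(A1), compare in constant time."""
    ha2 = _h(f"{method}:{digest_uri}")
    expected = _h(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


def request_uri_form(digest_uri: str) -> str:
    """Classify by the RFC 2616 production Request-URI =
    "*" | absoluteURI | abs_path | authority.  Only absoluteURI carries a host."""
    if digest_uri == "*":
        return "star"
    if digest_uri.startswith("/"):
        return "abs_path"
    scheme, sep, _rest = digest_uri.partition("://")
    # RFC 2396 scheme: alpha *( alpha | digit | "+" | "-" | "." )
    if sep and scheme and scheme[0].isalpha() and all(
            c.isalnum() or c in "+-." for c in scheme):
        return "absoluteURI"
    return "authority"


def host_binding_demo() -> dict:
    """Same credential and nonce under three digest-uri forms (constructed values)."""
    common = dict(username="alice", realm="example realm", password="correct horse",
                  method="GET", nonce="c0ffee00c0ffee00", nc="00000001", cnonce="0a1b2c3d")
    path = "/example/example.html"
    r_path = digest_response(digest_uri=path, **common)
    r_host_a = digest_response(digest_uri="http://www.example.com" + path, **common)
    r_host_b = digest_response(digest_uri="http://www.example.net" + path, **common)
    return {
        "abs_path_form": request_uri_form(path),
        "absoluteuri_form": request_uri_form("http://www.example.com" + path),
        "absoluteuri_changes_with_host": r_host_a != r_host_b,
        "abs_path_response": r_path,
    }


def rfc2617_example_response() -> str:
    """The worked example from RFC 2617 section 3.5 (real vector, not constructed)."""
    return digest_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                           "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b")


if __name__ == "__main__":
    print(rfc2617_example_response())
    print(host_binding_demo())
```

The binding is therefore only as strong as what the client chooses to put in digest-uri-value: with the abs_path form that every browser of the day sends, the server's verifier sees a path and nothing else, which is the "pity" Mark notes about the RFC 2616 production. A server that wants to reason about host binding has to inspect the form it actually receives, as request_uri_form does, rather than assume the digest covered the origin.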