Re: [dix] Re: [Ietf-http-auth] Notes on Web authentication enhancements
Eric,
> So, let's take the diagram from my recent mail message:
>
>
>   User                        RP                         IdP
>   ----                        --                         ---
>   Sell me beer -------------->
>   <-------------------------- Prove you're 21
>
>   IdP, help me! ----------------------------------------->
>   <-------------------- Auth exchange ------------------->
>   <------------------------------------------- Credential
>
>   Credential ---------------->
>   <-------------------------- OK
>
>
> The IdP gives the User some credential that he gives the
> RP. That's fine for the first request, but what happens when
> the user wants to make a second request? You clearly don't
> want to go back to the IdP every time. The classic solution
> is for the server to give you some cookie: those cookies
> can obviously be cut-and-pasted from one message to another.
> Even if you make them single-time (evolve them every time)
> there's a window between the cookie delivery (in the HTTP
> response) and the next HTTP request.
>
> Another option is to bypass the cookie thing and just make
> the Credential reusable, but this has the same problem...
>
>
In order for this replay to be effective the attacker would have had to
compromise the privacy of the exchange or one end of the
communication. A cookie approach is reasonable where this risk is
reasonable, and can be further mitigated through brief durations or one
time use depending on need. Do we need more?
Eliot
_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.