Re: [http-auth] [websec] HTTP authentication: the next generation
Nicolas Williams <Nicolas.Williams@oracle.com> Tue, 14 December 2010 22:22 UTC
Return-Path: <Nicolas.Williams@oracle.com>
X-Original-To: http-auth@core3.amsl.com
Delivered-To: http-auth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DE6E228C142 for <http-auth@core3.amsl.com>; Tue, 14 Dec 2010 14:22:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.547
X-Spam-Level:
X-Spam-Status: No, score=-6.547 tagged_above=-999 required=5 tests=[AWL=0.051, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1nxGfl6rwS8G for <http-auth@core3.amsl.com>; Tue, 14 Dec 2010 14:22:58 -0800 (PST)
Received: from rcsinet10.oracle.com (rcsinet10.oracle.com [148.87.113.121]) by core3.amsl.com (Postfix) with ESMTP id 9C7B928C0E6 for <http-auth@ietf.org>; Tue, 14 Dec 2010 14:22:58 -0800 (PST)
Received: from rcsinet13.oracle.com (rcsinet13.oracle.com [148.87.113.125]) by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.2) with ESMTP id oBEMObtQ018182 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 14 Dec 2010 22:24:38 GMT
Received: from acsmt355.oracle.com (acsmt355.oracle.com [141.146.40.155]) by rcsinet13.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id oBEMOSFP025906; Tue, 14 Dec 2010 22:24:32 GMT
Received: from abhmt005.oracle.com by acsmt353.oracle.com with ESMTP id 853956621292365441; Tue, 14 Dec 2010 14:24:01 -0800
Received: from oracle.com (/10.135.188.51) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 14 Dec 2010 14:24:00 -0800
Date: Tue, 14 Dec 2010 16:23:59 -0600
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Marsh Ray <marsh@extendedsubset.com>
Message-ID: <20101214222358.GV1091@oracle.com>
References: <4D02BDB3.7060801@extendedsubset.com> <20101214171250.GB5009@sentinelchicken.org> <20101214175821.GI1091@oracle.com> <20101214184436.GC5009@sentinelchicken.org> <20101214185958.GM1091@oracle.com> <7B6C92DD-67A8-4DAC-8703-41B94990DD0E@jpl.nasa.gov> <20101214200647.GN1091@oracle.com> <20101214202904.GD5009@sentinelchicken.org> <20101214205651.GR1091@oracle.com> <4D07E60B.20808@extendedsubset.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4D07E60B.20808@extendedsubset.com>
User-Agent: Mutt/1.5.20 (2010-03-02)
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] [websec] HTTP authentication: the next generation
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Dec 2010 22:23:00 -0000
On Tue, Dec 14, 2010 at 03:47:55PM -0600, Marsh Ray wrote: > On 12/14/2010 02:56 PM, Nicolas Williams wrote: > >Well, let's see, we have: > > > > - HTTPS with user certs. > > > > Not used because... people tend to put useful information in user > > certs, and independently tend to need multiple validation paths, > > resulting in a multiplicity of certs, resulting in difficulty > > selecting one credential or another in any given context. End > > result: ick. > > Another is perhaps browsers are unwilling to authenticate with a > client cert that they can't validate themselves. Which effectively > means a browser has to trust the site's custom CA, or the site has > to get its users into some kind of a commercial arrangement. Not > very flexible. > > But aren't these mostly solvable implementation details? Not just. They're also deployment problems. If everyone were satisfied with RP-only, self-signed user certs then the only problem left is that the user might, for privacy reasons, still want to have different certs for different RPs. The moment the user has multiple user certs you get into credential selection difficulties. But I don't think it'll be easy to wean anyone from using certs with meaningful content... And that's a huge problem because by itself it leads to multiple user certs. > > - DIGEST-MD5. > > > > Legacy. MD5. Ancient. Not federated. Ugly browser dialogs. End > > of story. > > Other than the recent upward trend towards openid, there didn't seem > to be much demand for federated auth. I would say that ABFAB WG exists because there is demand for federated auth. Same for OAuth and certain SAML profiles. > As for the ugly browser dialogs, is there anyone other than the > browser vendors to blame? They're certainly part of the problem, but browser vendors stopped improving this situation when everyone stopped using DIGEST-MD5. > > - HTTP/Negotiate > > > > Currently used only with Kerberos and NTLM. Kerberos could be > > deployed on an Internet scale, but like a one-root PKIX PKI, never > > will be. No need to explain why NTLM isn't taking over the Internet. > > Yeah, it's not what people want. > > Theory aside, it creeps people out that they would be be strongly > authenticated everywhere they surf. I'm just not going to sign up > with my drivers license or US passport officially legal credentials > to leave a comment on some random blog. I'm not necessarily seeking > anonymity either. There is that too. Users *must* have control over when they are authenticated and _what_ credential is used. The way I picture it is that there should be an "authenticate" or "login" button on wbpages, which when clicked, triggers browser chrome credential selection GUI (note, note necessarily a dialog -- think more of the way FF tells you that you're offline, for example), with the user's last choice for this site pre-selected, the user clicks OK and if necessary enters whatever password/passphrase/PIN might be needed. > Schemes that expect users to sign up to a central registry are just > not what people want. Well, not all the time nor for all services. With that caveat (which I think you meant to state anyways) I strongly agree. > What users seem to want is an easily-remembered password they can > use all over the place. Hopefully we can get them something better. Plus something that works when they don't have their password wallet with them (e.g., when using hotel business center kiosks). > What most web sites seem to want is an authentication scheme that > they can customize according to their style and needs and never > denies access to anyone plausibly legitimate. Often they don't even > want the user to have to log in more than once, ever. They don't Modulo session refresh. > want the user to see another 50ms of latency or bear another 10% > server CPU overhead for TLS. They want to be able to load Javascript > from 5 different affiliates and marketing companies. And they want the whole thing to not cost very much. HTML form POSTing costs providers very little. And the marginal cost for users is also low. The total cost for users is an unusable system. > > Given recent work on HTTP/Negotiate and the ABFAB WG and possible new > > mechanisms from the KITTEN WG, we'll have many more mechanisms than > > just Kerberos and NTLM for use in HTTP/Negotiate. I'm not sure that > > they'll be used extensively through HTTP/Negotiate -- that will > > depend on what else we do in terms of HTTP auth NG, no? > > Will any of that change what we think of as the barriers to adoption? > > I.e., is the problem or solution really at the HTTP protocol layer? See my other post today on constraints. > > Also, HTTP/Negotiate provides no generic way to customize credential > > selection and credential initiation forms/dialogs. Such > > customization will generally have to be mechanism-specific -- and I > > expect that to be true for all cases where we use pluggable security > > frameworks. > > > >Am I missing any other existing HTTP authentication schemes? > > Well, there's the one used by the vast majority of web sites: > > Initial HTML form POST of plaintext username and password and > subsequent session cookies (occasionally within required TLS). That's NOT an HTTP authentication scheme. That's an application-layer authentication scheme for applications that a) use HTTP and b) are browser-based. I realize that from a user's perspective this distinction is irrelevant and way too subtle for them to care. But for us it should matter a lot. See my constraints post. > It's infinitely customizable by the web site and supported > universally by browsers and web app frameworks. > > If we want to propose something that might be widely used, that's > what we're up against. Yes. > To review, the main problems that might motivate a willingness to change: > * vulnerable to spoofing Because of weak authentication of servers to users. > * vulnerable to script and cookie origin badness I believe these are orthogonal to the problem at hand. > * doesn't integrate naturally with non-browser clients Or at all. > * doesn't integrate naturally with federated, single sign on, > multi-factor, or any other auth schemes Or at all. > * doesn't have a standard way to log in, log out, change password, > enroll, etc. Yup. > * not necessarily a natural fit for the latest generation of phones > and tablets which are trending away from keyboard-oriented > interaction > > Missing any? Yes: it's completely unmanageable for users, leading to password re-use and what not. Nico --
- [http-auth] HTTP authentication: the next generat… Peter Saint-Andre
- Re: [http-auth] [apps-discuss] HTTP authenticatio… Mark Nottingham
- Re: [http-auth] [saag] HTTP authentication: the n… Paul Hoffman
- Re: [http-auth] [websec] HTTP authentication: the… Marsh Ray
- Re: [http-auth] [saag] HTTP authentication: the n… Henry B. Hotz
- Re: [http-auth] [kitten] HTTP authentication: the… Nicolas Williams
- Re: [http-auth] [saag] HTTP authentication: the n… Yoav Nir
- Re: [http-auth] [saag] HTTP authentication: the n… Yoav Nir
- Re: [http-auth] [kitten] [saag] HTTP authenticati… Luke Howard
- Re: [http-auth] [kitten] [saag] HTTP authenticati… Yoav Nir
- Re: [http-auth] [apps-discuss] [kitten] [saag] HT… Yoav Nir
- Re: [http-auth] [kitten] [saag] HTTP authenticati… Alexey Melnikov
- Re: [http-auth] [kitten] [saag] HTTP authenticati… Alexey Melnikov
- Re: [http-auth] [kitten] [saag] HTTP authenticati… Roy T. Fielding
- Re: [http-auth] [kitten] [saag] HTTP authenticati… Josh Howlett
- Re: [http-auth] [kitten] [saag] HTTP authenticati… Josh Howlett
- Re: [http-auth] [apps-discuss] [kitten] [saag] HT… Eliot Lear
- Re: [http-auth] [kitten] [saag] HTTP authenticati… Yaron Sheffer
- Re: [http-auth] [kitten] [saag] HTTP authenticati… Yoav Nir
- Re: [http-auth] HTTP authentication: the next gen… Peter Saint-Andre
- Re: [http-auth] [websec] [kitten] [saag] HTTP aut… Marsh Ray
- Re: [http-auth] HTTP authentication: the next gen… Peter Saint-Andre
- Re: [http-auth] [websec] HTTP authentication: the… Nicolas Williams
- Re: [http-auth] HTTP authentication: the next gen… Marsh Ray
- Re: [http-auth] HTTP authentication: the next gen… Alexey Melnikov
- Re: [http-auth] [websec] [kitten] [saag] HTTP aut… Yoav Nir
- Re: [http-auth] [apps-discuss] [kitten] [saag] HT… Eliot Lear
- Re: [http-auth] [kitten] [apps-discuss] [saag] HT… Carsten Bormann
- Re: [http-auth] [websec] [kitten] [apps-discuss] … Yoav Nir
- Re: [http-auth] [apps-discuss] [kitten] [saag] HT… Eliot Lear
- Re: [http-auth] [kitten] [apps-discuss] [saag] HT… Adrien de Croy
- Re: [http-auth] [saag] [apps-discuss] [kitten] HT… Alan DeKok
- Re: [http-auth] [websec] [saag] HTTP authenticati… Ben Laurie
- Re: [http-auth] [kitten] [apps-discuss] [saag] HT… Dave Cridland
- Re: [http-auth] [kitten] [apps-discuss] [saag] HT… Dave Cridland
- Re: [http-auth] [apps-discuss] [kitten] [saag] HT… Dave Raggett
- Re: [http-auth] [saag] [websec] [kitten] HTTP aut… Rene Struik
- Re: [http-auth] [saag] [websec] [kitten] HTTP aut… Rene Struik
- Re: [http-auth] [apps-discuss] [kitten] [saag] HT… Dave Cridland
- Re: [http-auth] [saag] [websec] [kitten] HTTP aut… Yoav Nir
- Re: [http-auth] [saag] [websec] [kitten] [apps-di… Yaron Sheffer
- Re: [http-auth] [websec] HTTP authentication: the… Julian Reschke
- Re: [http-auth] [saag] [websec] [kitten] HTTP aut… Stephen Farrell
- Re: [http-auth] [apps-discuss] [kitten] [saag] HT… Tim Morgan
- Re: [http-auth] [saag] [websec] [kitten] [apps-di… Yoav Nir
- Re: [http-auth] [saag] [websec] [kitten] [apps-di… Steven Bellovin
- Re: [http-auth] [websec] [saag] [kitten] [apps-di… Marsh Ray
- Re: [http-auth] [saag] [websec] [kitten] HTTP aut… Richard L. Barnes
- Re: [http-auth] [websec] [saag] [kitten] [apps-di… Henry B. Hotz
- Re: [http-auth] [websec] [saag] HTTP authenticati… Henry B. Hotz
- Re: [http-auth] [kitten] [saag] HTTP authenticati… Nicolas Williams
- Re: [http-auth] [kitten] [saag] HTTP authenticati… Nicolas Williams
- Re: [http-auth] [websec] [kitten] [saag] HTTP aut… Yutaka OIWA
- Re: [http-auth] [websec] [saag] HTTP authenticati… Peter Saint-Andre
- Re: [http-auth] [websec] HTTP authentication: the… Tim Morgan
- Re: [http-auth] [websec] HTTP authentication: the… Nicolas Williams
- Re: [http-auth] [websec] HTTP authentication: the… Tim Morgan
- Re: [http-auth] [websec] HTTP authentication: the… Nicolas Williams
- Re: [http-auth] [websec] HTTP authentication: the… Henry B. Hotz
- Re: [http-auth] [websec] HTTP authentication: the… Nicolas Williams
- Re: [http-auth] [apps-discuss] [saag] [websec] [k… John C Klensin
- Re: [http-auth] [websec] HTTP authentication: the… Tim
- Re: [http-auth] [websec] HTTP authentication: the… Nicolas Williams
- Re: [http-auth] [websec] HTTP authentication: the… Henry B. Hotz
- Re: [http-auth] [websec] HTTP authentication: the… Tim
- Re: [http-auth] [websec] [saag] HTTP authenticati… Henry B. Hotz
- Re: [http-auth] [websec] HTTP authentication: the… Tim
- Re: [http-auth] [websec] HTTP authentication: the… Nicolas Williams
- Re: [http-auth] [websec] HTTP authentication: the… Nicolas Williams
- Re: [http-auth] [websec] HTTP authentication: the… Tim
- Re: [http-auth] [websec] HTTP authentication: the… Nicolas Williams
- Re: [http-auth] [websec] HTTP authentication: the… Marsh Ray
- Re: [http-auth] [websec] HTTP authentication: the… Tim
- Re: [http-auth] HTTP authentication: the next gen… Peter Saint-Andre
- Re: [http-auth] [websec] HTTP authentication: the… Tim
- Re: [http-auth] [websec] HTTP authentication: the… Nicolas Williams
- Re: [http-auth] [websec] HTTP authentication: the… Tim
- Re: [http-auth] [websec] HTTP authentication: the… Nicolas Williams
- Re: [http-auth] [websec] HTTP authentication: the… Tim
- Re: [http-auth] [websec] HTTP authentication: the… Henry B. Hotz
- Re: [http-auth] [websec] HTTP authentication: the… Nicolas Williams
- Re: [http-auth] [websec] HTTP authentication: the… Tim
- Re: [http-auth] [websec] HTTP authentication: the… Tim
- Re: [http-auth] [websec] HTTP authentication: the… Nicolas Williams
- Re: [http-auth] [websec] HTTP authentication: the… Henry B. Hotz
- Re: [http-auth] [websec] HTTP authentication: the… Tim
- Re: [http-auth] [websec] HTTP authentication: the… Henry B. Hotz
- Re: [http-auth] [websec] HTTP authentication: the… Martin J. Dürst
- Re: [http-auth] [websec] HTTP authentication: the… Tim
- Re: [http-auth] [saag] [websec] [kitten] [apps-di… der Mouse
- Re: [http-auth] [saag] [websec] [kitten] [apps-di… Marsh Ray
- Re: [http-auth] [saag] [websec] [kitten] [apps-di… Peter Saint-Andre
- Re: [http-auth] [saag] [websec] [kitten] [apps-di… der Mouse
- Re: [http-auth] [saag] [websec] [kitten] [apps-di… Tim
- Re: [http-auth] [saag] [apps-discuss] [kitten] HT… Joel Jaeggli
- Re: [http-auth] [saag] [apps-discuss] [websec] [k… John C Klensin
- Re: [http-auth] [websec] [apps-discuss] [kitten] … Adrien de Croy
- Re: [http-auth] [websec] [apps-discuss] [kitten] … Phillip Hallam-Baker
- Re: [http-auth] [websec] [apps-discuss] [kitten] … Nathan
- Re: [http-auth] [saag] [websec] [apps-discuss] [k… Ben Laurie
- Re: [http-auth] [websec] [saag] [apps-discuss] [k… Marsh Ray
- Re: [http-auth] [saag] [websec] [apps-discuss] [k… Adrien de Croy
- Re: [http-auth] [saag] [websec] [apps-discuss] [k… Josh Howlett
- Re: [http-auth] [saag] [websec] [apps-discuss] [k… Ben Laurie
- Re: [http-auth] [saag] [websec] [apps-discuss] [k… Jeffrey Hutzelman
- Re: [http-auth] HTTP authentication: the next gen… Henry B. Hotz
- Re: [http-auth] [saag] [websec] [apps-discuss] [k… Phillip Hallam-Baker
- Re: [http-auth] [saag] [websec] [apps-discuss] [k… Phillip Hallam-Baker
- Re: [http-auth] [websec] [kitten] [saag] HTTP aut… Ben Laurie
- Re: [http-auth] [websec] [kitten] [saag] HTTP aut… Tim
- Re: [http-auth] [saag] [websec] [apps-discuss] [k… der Mouse
- Re: [http-auth] [saag] [websec] [kitten] HTTP aut… Ben Laurie
- Re: [http-auth] [websec] [saag] [apps-discuss] [k… Marsh Ray
- [http-auth] HTTP authentication: the next generat… travis+ml-http-auth
- Re: [http-auth] HTTP authentication: the next gen… travis+ml-http-auth
- Re: [http-auth] [saag] [websec] [kitten] HTTP aut… Yaron Sheffer
- Re: [http-auth] [saag] [websec] [kitten] HTTP aut… Ben Laurie
- Re: [http-auth] [websec] HTTP authentication: the… Tim
- Re: [http-auth] [websec] HTTP authentication: the… Yaron Sheffer
- Re: [http-auth] [websec] HTTP authentication: the… Simon Josefsson
- Re: [http-auth] [websec] HTTP authentication: the… Yaron Sheffer
- Re: [http-auth] [websec] HTTP authentication: the… Simon Josefsson
- Re: [http-auth] [websec] HTTP authentication: the… Tim
- Re: [http-auth] [websec] HTTP authentication: the… Peter Saint-Andre
- Re: [http-auth] [websec] HTTP authentication: the… Marsh Ray
- Re: [http-auth] [saag] [websec] [kitten] HTTP aut… Phillip Hallam-Baker
- Re: [http-auth] [saag] [websec] [kitten] HTTP aut… Phillip Hallam-Baker
- Re: [http-auth] [apps-discuss] [saag] [websec] [k… Phillip Hallam-Baker
- Re: [http-auth] [websec] [kitten] [saag] HTTP aut… David Morris
- Re: [http-auth] [saag] [websec] [kitten] HTTP aut… Marsh Ray
- Re: [http-auth] [apps-discuss] [saag] [websec] [k… Blaine Cook
- Re: [http-auth] [kitten] [saag] HTTP authenticati… Robert Sayre
- Re: [http-auth] [websec] HTTP authentication: the… Simon Josefsson
- Re: [http-auth] [apps-discuss] [saag] [websec] [k… Zed A. Shaw
- Re: [http-auth] [apps-discuss] [saag] [websec] [k… Blaine Cook
- Re: [http-auth] [apps-discuss] [saag] [websec] [k… Ben Laurie
- Re: [http-auth] [apps-discuss] [saag] [websec] [k… Blaine Cook
- Re: [http-auth] [apps-discuss] [saag] [websec] [k… John C Klensin
- Re: [http-auth] [apps-discuss] [saag] [websec] [k… Zed A. Shaw
- Re: [http-auth] [apps-discuss] [saag] [websec] [k… Ben Laurie
- Re: [http-auth] HTTP authentication: the next gen… Peter Saint-Andre
- Re: [http-auth] [apps-discuss] [saag] [websec] [k… Zed A. Shaw
- Re: [http-auth] HTTP authentication: the next gen… Zed A. Shaw
- Re: [http-auth] [websec] [apps-discuss] [saag] [k… Phillip Hallam-Baker
- Re: [http-auth] [websec] [apps-discuss] [saag] [k… Marsh Ray
- Re: [http-auth] [websec] [apps-discuss] [saag] [k… Peter Saint-Andre
- Re: [http-auth] [apps-discuss] [saag] [websec] [k… Ben Laurie
- Re: [http-auth] HTTP authentication: the next gen… Peter Saint-Andre
- Re: [http-auth] [websec] [apps-discuss] [saag] [k… David Morris
- Re: [http-auth] HTTP authentication: the next gen… Dave Raggett
- Re: [http-auth] HTTP authentication: the next gen… Dave Raggett
- Re: [http-auth] HTTP authentication: the next gen… Simon Josefsson
- Re: [http-auth] [websec] [apps-discuss] [saag] [k… Steingruebl, Andy
- Re: [http-auth] [websec] [apps-discuss] [saag] [k… Ben Laurie
- Re: [http-auth] [saag] [websec] [kitten] HTTP aut… Theodore Tso
- Re: [http-auth] [saag] [websec] [apps-discuss] [k… Marsh Ray
- Re: [http-auth] [saag] [websec] [apps-discuss] [k… Marsh Ray
- Re: [http-auth] [saag] [websec] [apps-discuss] [k… Ben Laurie