HTTP-AUTH Working Group Meeting
IETF 86 (Orlando)
Tuesday, March 12. 17:00 - 18:30
======================================

Chairs: Yoav Nir (ynir@checkpoint.com)
        Matt Lepinski (mlepinski.ietf@gmail.com)

Chair Slides available at:
http://www.ietf.org/proceedings/86/slides/slides-86-httpauth-0.pdf

-- Chair Proposal for approving experimental documents (see slides)
   A hum was held on this proposal.
   The hum indicated significant support for the proposal.
   No one hummed against the proposal.

-- Brief discussion of update to Basic Authentication
   Julian Reschke indicated he might be willing to edit the update to Basic.

-- Brief discussion of update to Digest Authentication
   Phillip Hallam-Baker indicated he might be willing to edit the update to Digest.

-- Paul Hoffman gave a brief description of the experimental document:
   http://tools.ietf.org/html/draft-farrell-httpbis-hoba-02

-- Alexey Melnikov gave a brief description of the experimental document:
   http://tools.ietf.org/html/draft-melnikov-httpbis-scram-auth-00

-- Gabriel Montenegro gave a brief description of the experimental document:
   http://tools.ietf.org/html/draft-montenegro-httpbis-multilegged-auth-01

-- Yutaka Oiwa gave a brief description of the experimental documents:
   http://tools.ietf.org/html/draft-oiwa-http-mutualauth-12
   http://tools.ietf.org/html/draft-oiwa-http-auth-extension-02

-- No one was present to speak on the experimental document:
   http://tools.ietf.org/html/draft-williams-http-rest-auth-03

-- Chairs will attempt to schedule the IETF 87 HTTP-AUTH meeting closer in
   the week to Httpbis and Websec.

==========================================
Raw Notes from the Jabber Room
==========================================

(4:59:10 PM) synp has set the subject to: 1st ever HTTPAuth Working Group Meeting
(4:59:13 PM) kazubu [kazubu@gmail.com/regulus85057063] entered the room.
(5:01:00 PM) bortzmeyer [bortzmeyer@dns-oarc.net/Laptop] entered the room.
(5:02:47 PM) Ken Murchison [kmurchison@jabber.org/a3926a1e09c1b6a2] entered the room.
(5:05:43 PM) barryleiba [barryleiba@gmail.com/neptune86C1EB05] entered the room.
(5:06:07 PM) PHB [hallam@gmail.com/AdiumD36A13ED] entered the room.
(5:06:10 PM) bkihara.l [bkihara.l@gmail.com/F066E275] entered the room.
(5:06:27 PM) hillbrad: hillbrad is scribing
(5:06:31 PM) lepinski [mlepinski@gmail.com/Lepinski-A11011939] entered the room.
(5:06:33 PM) wilton@jabber.isoc.org [wilton@jabber.isoc.org/My-Towel] entered the room.
(5:06:34 PM) lef.jpn [lef.jpn@gmail.com/96B5446C] entered the room.
(5:06:40 PM) semery [semery@jis.mit.edu/Adium] entered the room.
(5:06:52 PM) sftcd [sftcd@nostrum.com/e0d2d168102800563cfeec11d2895715569600ef] entered the room.
(5:07:01 PM) hillbrad: http://www.ietf.org/proceedings/86/agenda/agenda-86-httpauth
(5:07:12 PM) hillbrad: http://www.ietf.org/proceedings/86/slides/slides-86-httpauth-0.pdf
(5:07:14 PM) hillbrad: slide 4
(5:07:17 PM) hillbrad: agenda
(5:07:39 PM) john.levine [john.levine@gmail.com/Gaim6378E5D9] entered the room.
(5:08:19 PM) Linlin Zhou [linlin.zhou@pandion.im/???] entered the room.
(5:08:24 PM) =JeffH [netwerkeddude@gmail.com/Psi84E95D04] entered the room.
(5:08:52 PM) hillbrad: charter discussion: produce experimental rather than stds track docs here
(5:09:09 PM) =JeffH: Yoav is speaking
(5:09:09 PM) hillbrad: IETF not yet ready to create a stds track doc to solve the problem forever
(5:09:30 PM) hillbrad: sean turner at mic
(5:09:52 PM) cyrus [cyrus@daboo.name/cyrus] entered the room.
(5:10:01 PM) hillbrad: Yoav Nir speaking
(5:10:27 PM) hillbrad: wg also to produce bis documents for http basic and digest
(5:11:03 PM) hillbrad: modernization mostly to do with i18n, new hash methods
(5:11:27 PM) hillbrad: changes to tls, http are out of scope
(5:11:52 PM) =JeffH: brad hill @mic
(5:12:31 PM) =JeffH: in last 3yr msft has produced mod to digest that features channel binding -- will this be in scope for the digest-bis draft?
(5:12:57 PM) =JeffH: barry: is that a compatible change? or is it incompat with the present spec
(5:13:10 PM) =JeffH: bhill: thinks it is bkwards-compat
(5:13:46 PM) =JeffH: sean turner sez someone should write a draft about this item in particular, and then we'll evaluate
(5:14:01 PM) hillbrad: phb at mic: if stuff is out there and in use, it should be written down
(5:14:16 PM) hillbrad: ... should also write down the NTLM mechanism
(5:14:23 PM) Julian: NTLM: yes, please.
(5:14:46 PM) hillbrad: Yoav Nir: afaik, these methods are barely used
(5:14:52 PM) hillbrad: PHB: code is in the browsers
(5:16:12 PM) hillbrad: slide 5
(5:16:17 PM) hillbrad: Yoav Nir speaking
(5:16:26 PM) hillbrad: slide 6
(5:18:43 PM) hillbrad: paul hoffman at mic
(5:18:54 PM) hillbrad: does it have to be better than basic or better than digest?
(5:19:15 PM) hillbrad: yoav: if we get something better than basic but same or somewhat less, need review from group
(5:19:29 PM) hillbrad: stephen farrell at mic: amusing if we could invent something worse than basic
(5:19:56 PM) hildjj [hildjj@gmail.com/AdiumB2272B2C] entered the room.
(5:20:00 PM) hillbrad: yoav nir speaking again
(5:20:07 PM) hildjj: rot13 doesn't work well for UTF-8.
(5:20:17 PM) hillbrad: stephen farrell at mic: sufficient review is the tricky bit
(5:20:34 PM) hillbrad: ... each of the five proposals should get at least 4 reviews - by other spec authors
(5:20:39 PM) Julian: hildjj: as well as base64; that's actually the problem in Basic that needs to be solved
(5:21:25 PM) hillbrad: sean turner at mic: these are experimental
(5:22:44 PM) hillbrad: yutaka oiwa at mic
(5:23:02 PM) hillbrad: .... can you clarify what is meant by "could be deployed"?
(5:23:12 PM) hillbrad: ... working implementation counts?
(5:23:28 PM) hillbrad: yoav nir : implementation is good, testimony from major websites better
(5:23:52 PM) hildjj: Julian: nod
(5:23:59 PM) hillbrad: sean turner at mic asks for a hum
(5:24:23 PM) hillbrad: no hums for "can't live with this proposal"
(5:24:35 PM) hillbrad: slide 7
(5:24:44 PM) Julian: Something for the MIC regarding I18N of Basic: The problem with fixing Basic is that it's not trivial; I recommend reading . The proposed solution is backwards compatible; the hard part isn't writing it down but getting it deployed. I looked into implementing it in Firefox; the main hurdle here is that it doesn't have an actual *parser* for WWW-Authenticate; thus this needs to be fixed first. The draft itself *extends* the "Basic" parts of 2617; it doesn't replace them.
(5:26:09 PM) Gabriel Montenegro [g.e.montenegro@pandion.im/Pandion] entered the room.
(5:26:14 PM) =JeffH: bradhill @mic: on digest update: a big prob with digest is req to keep plaintext pswd on serverside, so would making a prep to the pswd be in-scope?
(5:26:40 PM) hillbrad: joe hildebrand: once we open i18n, do we have to open sasl prep?
(5:26:44 PM) =JeffH: yoav: well would it still be digest then? would have to look at it
(5:26:45 PM) hillbrad: paul hoffman: no, don't have to
(5:27:31 PM) hildjj: julian: is there someone relaying to the mic? i'll do it if not.
(5:27:31 PM) Linlin Zhou left the room.
(5:27:53 PM) hillbrad: yutaka oiwa at mic: preparation does not solve the problem, because the issue is that a pre-hashed password is still a password equiv
(5:27:54 PM) Linlin Zhou [linlin.zhou@pandion.im/???] entered the room.
(5:28:01 PM) m&m [linuxwolf@outer-planes.net/excelsior] entered the room.
(5:28:04 PM) Julian: hildjj: that would be appreciated (once we get to Basic)
(5:28:18 PM) Sean Turner [sean.turner@jabber.psg.com/thunderfish] entered the room.
(5:28:24 PM) hillbrad: phb at mic: this was invented when DH was under patent, I chose brute force attack vs. bearer token
(5:28:33 PM) hillbrad: ... pointless waste of time to change just algorithm
(5:28:44 PM) hillbrad: stephen farrell at mic: anything that obsoletes digest is the new digest
(5:29:03 PM) hillbrad: ... whatever proposals become an RFC is what it is
(5:29:10 PM) hillbrad: yoav nir: isn't that going around the charter?
(5:30:09 PM) hillbrad: ... would it be possible to get anything asym in here and still call it digest?
(5:30:22 PM) hillbrad: phb at mic: technically you can solve that problem, rathole here is IPR
(5:30:31 PM) hillbrad: yoav: EKE is expired
(5:30:32 PM) Julian: hildjj: continuing: whatever we do with Basic and Digest, it's pointless unless we have concrete plans how to get the browsers updated; you may want to ask for browser implementers in the room
(5:31:17 PM) hillbrad: paul hoffman at mic: stephen's idea is correct, bits on the wire are the new standard
(5:31:36 PM) yaron.sheffer [yaron.sheffer@gmail.com/F8AE5DF0] entered the room.
(5:31:58 PM) hillbrad: ... minimal is a reasonable way to go, or if an experimental is minimal++, pick that
(5:32:10 PM) hillbrad: stephen farrell: basic changes have to be minimal, not sure that's true for digest
(5:32:41 PM) hillbrad: joe hildebrand channeling j reschke above...
(5:33:07 PM) PHB: The expiry of EKE might mean that it is the only possible fix for DIGEST that is not encumbered.
(5:33:28 PM) ***Julian thanks Joe
(5:33:28 PM) hillbrad: very awkward silence when asked if any browser folks are in the room
(5:33:38 PM) ***Julian sees Gabriel
(5:33:38 PM) Linlin Zhou left the room.
(5:33:51 PM) Linlin Zhou [linlin.zhou@pandion.im/???] entered the room.
(5:34:06 PM) hillbrad: sean turner at mic: need to work on scheduling same days as httpbis
(5:34:43 PM) hillbrad: rob trace: work at MSFT, problem is not updating browser, problem is getting updated browser to users
(5:35:04 PM) sftcd: looking for volunteers to edit basic ?
(5:35:06 PM) hillbrad: yoav: looking for editors
(5:35:21 PM) hillbrad: paul hoffman: julian reschke has already done much work on this
(5:35:22 PM) hildjj: Julian, want me to raise your hand?
(5:35:30 PM) Julian: MIC: again, the problem isn't writing the document, but finding a solution
(5:36:00 PM) Sean Turner: thanks for volunteering! :)
(5:36:05 PM) hillbrad: joe hildebrand: sounds like he's volunteering?
(5:36:18 PM) Sean Turner: phb too ...
(5:36:30 PM) Julian: MIC: I think we should publish basic-auth-enc as experimental and try to get it implemented
(5:37:21 PM) hillbrad: yoav: could make it experimental but that would miss the point
(5:38:10 PM) hillbrad: moving to discussion of experimental drafts
(5:38:14 PM) hillbrad: paul hoffman at mic
(5:38:40 PM) hillbrad: .... ours is not typical, doesn't deal with passwords, how to do auth with asymmetric keys in http, javascript, things that are important for others' docs
(5:38:45 PM) hillbrad: ... lost password, lost machine, etc.
(5:38:53 PM) hillbrad: ... but no passwords
(5:39:09 PM) hillbrad: this is HOBA
(5:41:00 PM) hillbrad: If there are any other experimental drafts to be considered, now is the time to submit them.
(5:41:17 PM) hillbrad: Alexey Melnikov at mic:
(5:41:36 PM) hillbrad: ... SCRAM was designed for SASL framework, used by app protocols: email, im, etc.
(5:41:46 PM) hillbrad: ... password based, properties similar to digest but better in some respects
(5:41:53 PM) hillbrad: ... easier to implement from scratch
(5:42:15 PM) hillbrad: Yoav: has anyone actually implemented it?
(5:42:26 PM) hillbrad: Matt Miller raises hand
(5:42:46 PM) hildjj: I have also
(5:43:09 PM) hildjj: it wasn't bad. much easier than digest-md5.
(5:43:40 PM) hillbrad: Gabriel Montenegro: ours has two headers
(5:43:48 PM) Sean Turner: have to admit I kinda like the no slides ;)
(5:43:51 PM) hillbrad: ... you authenticate, and server can send hint that no need to authenticate again
(5:44:23 PM) hillbrad: ^^ correction, client sends hint to server, which decides whether to authN or not
(5:44:41 PM) hillbrad: ... other is something that will help with HTTP 2.0, where no 1:1 map between tcp connection and request
(5:45:23 PM) hillbrad: ... multiplexing of streams makes socket-based authn state not work, new header is blob sent by server, so continued stream by client can include same blob so the server can maintain state
(5:45:44 PM) yaron.sheffer: mic: I'd like to plug for my own draft-sheffer-running-code that calls for an Implementation Status section to be included in I-Ds. IMO this makes lots of sense for this WG.
(5:45:52 PM) hillbrad: Yoav: highlights a requirement - any experiment should work with both HTTP 2.0 and 1.1
(5:47:03 PM) hillbrad: PHB at mic: wrt: Montenegro proposal
(5:47:11 PM) hillbrad: ... we are doing authN here, aka presentation of credential
(5:47:18 PM) hillbrad: ... in websec we are doing continuation
(5:47:27 PM) m&m left the room (Disconnected: connection closed).
(5:47:31 PM) m&m [linuxwolf@outer-planes.net/excelsior] entered the room.
(5:48:08 PM) Andrew Biggs [balthorium@gmail.com/Adium1DD361B8] entered the room.
(5:48:14 PM) hillbrad: yutaka oiwa at mic: of course we can discuss diff between session and authn, think Montenegro proposal is related to latter
(5:48:43 PM) hillbrad: ... one concern, if we have to discuss outside this WG, especially his proposal w/feedback related to HTTP 2.0 from HTTPbis WG
(5:48:59 PM) hillbrad: ... we should have some discussion with that group, closely tied to mechanism of HTTP 2.0
(5:50:22 PM) =JeffH: bradhill: wrt pswd prep, the issue is some sites don't maintain clear-text pswds, it would help deployability of digest if they can use their existing pswd dbases
(5:51:07 PM) =JeffH: yoav: yeah, [ that's the way the world works ]
(5:51:52 PM) barryleiba left the room.
(5:52:47 PM) m&m left the room (Disconnected: connection closed).
(5:52:48 PM) hillbrad: Please participate on the threads!
(5:52:53 PM) synp left the room.
(5:52:55 PM) PHB left the room.
(5:52:56 PM) Andrew Biggs left the room.
(5:52:59 PM) john.levine left the room.
(5:53:00 PM) cyrus left the room.
(5:53:03 PM) yaron.sheffer left the room.
(5:53:06 PM) semery left the room.
(5:53:15 PM) Linlin Zhou left the room.
(5:53:18 PM) Julian left the room.
(5:53:24 PM) hildjj left the room.
(5:53:29 PM) wilton@jabber.isoc.org left the room.
(5:54:12 PM) bortzmeyer left the room.