HTTP-AUTH Working Group Meeting
IETF 92 (Dallas)
Thursday, March 26, 2015, 17:40-18:40
======================================

Chairs: Yoav Nir (ynir@checkpoint.com)
        Matt Lepinski (mlepinski.ietf@gmail.com)

Chair slides available at:
https://www.ietf.org/proceedings/92/slides/slides-92-httpauth-0.pdf

-- HOBA has been published as RFC 7486!

-- The Basic update is in the RFC Editor's queue and Digest is in IETF Last Call.
   One open issue in Digest: the STUN-bis WG requests that we change the
   calculation of A1 (see detailed notes below; more discussion on the list
   after the meeting).

-- Mutual Auth is the primary discussion item at this meeting (see detailed
   notes below for the status of open issues in the document).

-- Rest-Auth currently has no active editor. If you would like to take over
   the document, please post on the list or contact the chairs.

===========
Raw Notes
===========

**** Digest: Rifaat
No slides

- The STUN-bis working group would like to use Digest, but they would like us
  to update how we calculate A1. They want us to add a salt.

Yoav [not as chair]: This seems like not a very good authentication mechanism.
  Why is a new group using Digest?

Oiwa: Is the salt shared by all users on the same server?
Answer: No.
  Doesn't the server need the username before it can return a per-user salt?
  How does this work?
STUN-bis author: This is a salt for all users, not per user.
  Most people don't care. The 4-ish people who do care don't want to delay
  the draft.

Mike Jones: Is this change backward compatible?
Answer: Not clear.
Mike Jones: Do this only if it can be done in a backward-compatible way.

Ben: Concerned about working group energy.

Oiwa: This doesn't really improve security very much.

Yaron: Could you please make it clear on the list what threat model this
  change would solve?

***** Mutual Auth: Oiwa
Slides: http://www.ietf.org/proceedings/92/slides/slides-92-httpauth-1.pdf

P1: Ben: This is always going to be an issue if we have to have a parser to
  handle both forms, but that seems to be the way we are going, so be it.

P2: Alexey: I agree, what the authors propose is sensible (we don't want to
  propagate any additional character sets at this point).
  Yaron: What about passwords? Are those a PRECIS profile?
  Answer: The password is never sent on the wire in this protocol, but a
  PRECIS profile is used for preparing it for hashing.

P6: Yoav (not as chair): In HTTP/2 there could be a lot more than 32 streams.
  Are 32 active nonces enough?
  Oiwa: We may need to raise the minimum number of active nonces.
  No clear resolution; this likely needs more discussion.

P13: Yaron: I think Expert Review should be sufficient.
  Ben: Independent stream is acceptable for RFC Required.
  Alexey: I am in favor of Expert Review.
  Kathleen (AD): The draft is Experimental; Specification Required should be
  enough? Is there a reason for a higher bar?
  Oiwa: We want some kind of security review.
  Kathleen: Then Expert Review should be reasonable.
  Mike Jones: Specification Required with Expert Review has worked well for
  JOSE.

P15: Yoav: As a firewall vendor: don't put a WWW-Authenticate into a 200.
  Some middlebox will do a sanity check that will break.

P16: Yoav: Anything under 1/2 a K is no concern (based on looking at packet
  captures and talking to caching vendors).

P18: Matt (not as chair): Specification Required should be fine. I don't see
  the need for Expert Review.

General discussion:

Ben: The string "PAKE" does not appear anywhere in the mutual-auth document.
  This is unfortunate, since clearly we envision PAKE.
  More clarity is needed with regard to what a particular scheme needs to
  provide. I should send email to the list with more specifics.
  Some of the nonces (e.g., the client nonce) seem more like a sequence number.
  It would be clearer if you don't use the word "nonce" (many readers think of
  a nonce as random).
  Ben volunteers to help with English if the source for the document is made
  available.

Yoav: Security analysis. We need external review. Also, there are terms that
  are used before they are defined.

Ben: Section 10 has both a list of general rules and a flow-chart diagram.
  Which is normative?
  Oiwa: Prefer that the state machine is normative.
  Alexey: You should make sure the text is clear about which is normative.

***** Open Mic

Ben: Is anyone other than me at all interested in Rest-Auth?
Yoav: Nico has dropped off. If someone wants to take it over, that is fine,
  but it currently lacks an author/editor.