
Minutes for HTTPAUTH at IETF-92
minutes-92-httpauth-4

Meeting Minutes: Hypertext Transfer Protocol Authentication (httpauth) WG
Date and time: 2015-03-26 22:40
Last updated: 2015-05-11

HTTP-AUTH Working Group Meeting
IETF 92 (Dallas)
Thursday, March 26, 2015. 17:40-18:40
======================================

Chairs:
Yoav Nir (ynir@checkpoint.com)
Matt Lepinski (mlepinski.ietf@gmail.com)

Chair Slides available at:
https://www.ietf.org/proceedings/92/slides/slides-92-httpauth-0.pdf

-- HOBA has been published as RFC 7486!
-- Basic update is in the RFC Editor's Queue and Digest is in IETF Last Call
   One open issue in Digest: the Stun-bis WG requests that we change the
   calculation of A1 (see detailed notes below; more discussion on the list
   after the meeting)
-- Mutual Auth is the primary discussion item at this meeting
   (see detailed notes below for status of open issues in document)
-- Rest-Auth currently has no active editor.
   If you would like to take over the document, please post on the list or
   contact the chairs

===========
Raw Notes
===========

***** Digest: Rifaat
No Slides

- The Stun-bis working group would like to use Digest
  But they would like us to update how we calculate A1
  They want us to add a salt

  Yoav [not as chair]: This seems like not a very good authentication
  mechanism. Why is a new group using Digest?

  Oiwa: Is the salt shared by all users on the same server?
        Answer: No
  Oiwa: Doesn't the server need the username before it can return a per-user
        salt? How does this work?
  Stun-bis author: This is a salt for all users, not per user

  Most people don't care. The 4-ish people who do care don't want to delay the
  draft

  Mike Jones: Is this change backward compatible?
      Answer: Not clear
  Mike Jones: Do this only if it can be done in a backward compatible

  Ben: Concerned about working group energy
  Oiwa: This doesn't really improve security very much
  Yaron: Could you please make it clear on the list what is the threat model
  that this change would solve?

***** Mutual Auth: Oiwa
Slides: http://www.ietf.org/proceedings/92/slides/slides-92-httpauth-1.pdf

  P1:
  Ben: This is always going to be an issue if we have to have a parser to
  handle both forms, but that seems to be the way we are going, so be it

  P2:
  Alexey: I agree, what the authors propose is sensible (we don't want to
  propagate any additional character sets at this point)
  Yaron: What about passwords? Are those a PRECIS profile?
  Answer: The password is never sent on the wire in this protocol, but a PRECIS
  profile is used for preparing it for hashing

  P6:
  Yoav (not as chair): In HTTP/2 there could be a lot more than 32 streams. Is
  32 active nonces enough?
  Oiwa: We may need to raise the minimum number of active nonces
  No clear resolution; this likely needs more discussion

  P13:
  Yaron: I think Expert review should be sufficient
  Ben: Independent stream is acceptable for RFC-required
  Alexey: I am in favor of expert review
  Kathleen (AD): Draft is experimental, specification required should be enough?
            Is there a reason for a higher bar?
  Oiwa: We want some kind of security review
  Kathleen: Then expert review should be reasonable
  Mike Jones: Specification required with expert review has worked well for Jose

  P15:
  Yoav: As a firewall vendor, don't put a WWW-Authenticate into a 200.
        Some middlebox will do a sanity check that will break

  P16:
  Yoav: Anything under 1/2 a K is no concern (based on looking at packet
  captures and talking to caching vendors)

  P18:
  Matt (not chair): Specification required should be fine. I don't see the need
  for expert review.

  General Discussion:
  Ben: The string PAKE does not appear anywhere in the mutual-auth document.
       This is unfortunate since clearly we envision PAKE.
       More clarity is needed with regard to what a particular scheme needs to
       provide; I should send email to the list with more specifics.
       Some of the nonces (e.g., the client nonce) seem more like a sequence
       number. It would be clearer if you don't use the word "nonce" (many
       readers think of a nonce as random)

  Ben: volunteer to help with English if source for document is made available

  Yoav: Security analysis. We need external review.
        Also, there are terms that are used before they are defined

  Ben: Section 10 - Both a list of general rules and flow-chart diagram
       Which is normative?

  Oiwa: Prefer State machine is normative

  Alexey: You should make sure the text is clear about which is normative

***** Open Mic

  Ben: Is anyone other than me at all interested in Rest-Auth?

  Yoav: Nico has dropped off. If someone wants to take it over that is fine,
  but it currently lacks an author/editor