Re: How US military base in Hawaii was compromised - Password sharing

On Fri, Nov 8, 2013 at 9:02 PM, Michael Richardson <mcr@xxxxxxxxxxxx> wrote:
> Fortunately, we have some really good mechanisms on the books that
> permit delegation including OAUTH*, KeyNote(2704), SASL (I think) and
> even going back to SPKI (rfc2693).  I know that there are more.

Apologies for the delayed reaction to this, but:

Yes, SASL contains a theory of proxy-auth, and most mechanisms (though not all) make provision for requesting this during authentication.

However, there are parts missing from the complete breakfast here:

1) Users have no interoperable method for allowing a delegation (or proxy auth, or whatever). I think Kerberos works by telnetting in and editing an obscure file, but I can't remember the details.

2) Users also don't have any interoperable way of changing passwords. Some mechanisms (and I'm looking at PLAIN here) require the plaintext password; others (such as SCRAM-*) could allow a not-quite-plaintext-equivalent hash, and things like SRP allow a fairly secure verifier. None of these things is perfectly secure across the wire, of course. However, it's probably worth noting that the vast majority of vendors offer password changing facilities, and it'd be quite nice to ensure these were interoperable, so that users' password management could be made rather more easily available.

I'd note prior art exists at least for the second item - there's both the Eudora password changing protocol, and also XMPP's XEP-0077 has some password changing facilities too. Both, as I recall, require the password to be sent in the clear. There has, to my knowledge, been at least one exploit targeting XEP-0077 on some systems.

Dave.
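As an added example (not part of Dave's message and not text from any IETF specification), the following Python runs the SCRAM-SHA-256 credential derivation and one client/server exchange from RFC 5802 / RFC 7677 locally. It shows what a SCRAM server stores instead of the password (StoredKey, ServerKey, salt, iteration count), which is also what a client could compute and send on a password change instead of the plaintext, and why that record is only "not quite" plaintext-equivalent: an attacker who steals StoredKey and then observes a single successful authentication can unmask ClientKey and afterwards authenticate without the password (the caveat in RFC 5802 section 9). Function names such as derive_verifier, scram_exchange and recover_client_key are this example's own; SASLprep, the escaping of ',' and '=' in usernames, and channel binding are deliberately omitted.

```python
# Added example (not from the original post): SCRAM-SHA-256 credential
# derivation and a local client/server exchange per RFC 5802 / RFC 7677.
# Simplifications: no SASLprep, no username escaping, no channel binding.
import base64
import hashlib
import hmac
import os

HASH = "sha256"
ITERATIONS = 4096  # RFC 7677 suggests at least 4096 for SCRAM-SHA-256


def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi(password, salt, i) in RFC 5802 is exactly PBKDF2 with HMAC as the PRF.
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)


def derive_verifier(password: str, salt: bytes, iterations: int = ITERATIONS) -> dict:
    """The record a SCRAM server keeps. A client could compute this locally and
    send it on password change instead of the plaintext password."""
    sp = salted_password(password, salt, iterations)
    client_key = _hmac(sp, b"Client Key")
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": _h(client_key),            # H(ClientKey)
        "server_key": _hmac(sp, b"Server Key"),  # lets the server prove itself
    }


def client_proof_for(client_key: bytes, auth_message: bytes) -> bytes:
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage), StoredKey = H(ClientKey)
    return _xor(client_key, _hmac(_h(client_key), auth_message))


def server_verify(verifier: dict, auth_message: bytes, client_proof: bytes) -> bool:
    # The server unmasks ClientKey from the proof and checks H(ClientKey) == StoredKey.
    recovered = _xor(client_proof, _hmac(verifier["stored_key"], auth_message))
    return hmac.compare_digest(_h(recovered), verifier["stored_key"])


def scram_exchange(username: str, password: str, verifier: dict,
                   client_nonce: str = None, server_nonce: str = None):
    """Client and server sides of one SCRAM-SHA-256 run, in-process.
    Returns (client_ok, server_ok, auth_message, client_proof)."""
    c_nonce = client_nonce or base64.b64encode(os.urandom(18)).decode()
    s_nonce = server_nonce or base64.b64encode(os.urandom(18)).decode()
    nonce = c_nonce + s_nonce
    salt_b64 = base64.b64encode(verifier["salt"]).decode()

    # Wire messages (RFC 5802 section 7); "n,," = no channel binding, no authzid.
    client_first_bare = f"n={username},r={c_nonce}"
    server_first = f"r={nonce},s={salt_b64},i={verifier['iterations']}"
    client_final_no_proof = f"c={base64.b64encode(b'n,,').decode()},r={nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_no_proof}".encode()

    # Client: needs the password (strictly, SaltedPassword) to build the proof.
    sp = salted_password(password, verifier["salt"], verifier["iterations"])
    client_proof = client_proof_for(_hmac(sp, b"Client Key"), auth_message)

    # Server: holds only StoredKey/ServerKey and never sees the password.
    client_ok = server_verify(verifier, auth_message, client_proof)
    server_signature = _hmac(verifier["server_key"], auth_message)

    # Client checks the server's signature (mutual authentication).
    expected = _hmac(_hmac(sp, b"Server Key"), auth_message)
    server_ok = hmac.compare_digest(server_signature, expected)
    return client_ok, server_ok, auth_message, client_proof


def recover_client_key(stored_key: bytes, auth_message: bytes, client_proof: bytes) -> bytes:
    """The caveat from RFC 5802 section 9: whoever steals StoredKey and then
    observes one successful exchange can unmask ClientKey and thereafter
    authenticate as the user without ever learning the password."""
    return _xor(client_proof, _hmac(stored_key, auth_message))


if __name__ == "__main__":
    # Constructed sample credentials; nothing here is real account data.
    verifier = derive_verifier("correct horse battery staple", os.urandom(16))
    ok, sok, am, proof = scram_exchange("dave", "correct horse battery staple", verifier)
    print("genuine client:", ok, "server proved itself:", sok)
    print("wrong password accepted:", scram_exchange("dave", "hunter2", verifier)[0])
    stolen_ck = recover_client_key(verifier["stored_key"], am, proof)
    fresh = b"fresh auth message"
    print("attacker with StoredKey + one sniffed run:",
          server_verify(verifier, fresh, client_proof_for(stolen_ck, fresh)))
```

The point for a password-change protocol is visible in derive_verifier: everything the server needs can be produced client-side from the new password, so the change request could carry StoredKey and ServerKey (with salt and iteration count) rather than the password itself. The point for a "not quite plaintext-equivalent" claim is recover_client_key: the stored record alone does not let an attacker log in, but the stored record plus one observed run does, which is why TLS and channel binding still matter even with SCRAM.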
