Re: [http-auth] Last Call: <draft-ietf-httpauth-hoba-07.txt> (HTTP Origin-Bound Authentication (HOBA)) to Experimental RFC

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2014-12-24 12:15, Stephen Farrell wrote:
...
2. The HOBA Authentication Scheme

    HOBA-TBS = len ":" nonce
               len ":" alg
               len ":" origin
               len ":" [ realm  ]
               len ":" kid
               len ":" challenge
    len = 1*DIGIT
    nonce = 1*base64urlchars
    alg = 1*2DIGIT
    origin = scheme "://" authority ":" port
    realm = unreserved
    kid = 1*base64urlchars
    challenge = 1*base64urlchars
    ; Characters for Base64URL encoding from Table 2 of RFC 4648
    base64urlchars = %x30-39             ; Digits
                     / %x41-5A           ; Uppercase letters
                     / %x61-7A           ; Lowercase letters
                     / "-" / "_" / "="   ; Special characters

                    Figure 1: To-be-signed data for HOBA

...specify a proper ABNF production for "unreserved".

What? I don't know what you mean there. I added a pointer to
2.2 of RFC 7235 though, is that enough?

What's the ABNF for "unreserved"?

    ...

    The registration message for HOBA-http is sent as a POST message to
    the URL ".well-known/hoba/register" with an HTML form (x-www-form-
    encoded) described below; The registration message for HOBA-js can be

Need citation for payload format.

To RFC 1867? Added that (though it's been obsoleted). Happy to
replace with a better ref so long as that better ref is not a
work-in-progress:-)

<http://www.w3.org/TR/2014/REC-html5-20141028/forms.html#url-encoded-form-data> I assume.

...
    when the registration has succeded to indicate the new state.  The
    header to be used is "Hobareg" and the value when registration has
    succeeded is to be "regok".  When registration is inwork (e.g. on an
    HTTP response for an interstitial page) the server MAY add this
    header with a value of "reginwork".  See Section 9.6 for the relevant
    IANA registration of this header field.

Could this use the Authentication-Info header field currently defined in
DIGEST?

Maybe but would prefer to not entwine with DIGEST in that way.
Seems like all we'd get is delay and no benefit.

...that supports my p.o.v. that it should be in a separate spec :-)

...
6.3. Logging Out


    The user can tell the server it wishes to log out.  With HOBA-http,
    this is done by sending any HOBA-authenticated HTTP message to the
    URL ".well-known/hoba/logout" on the site in question.  The UA SHOULD
    also delete session cookies associated with the session so that the
    user's state is no longer "logged in."

Nope. Don't define this for GET (or any "safe" method). POST would work.

Sorry I'm not seeing why that is GET specific? I agree POST should be
fine too, but think that is allowed by the above.

GET is defined as safe, and safe is defined as:

"Request methods are considered "safe" if their defined semantics are essentially read-only; i.e., the client does not request, and does not expect, any state change on the origin server as a result of applying a safe method to a target resource. Likewise, reasonable use of a safe method is not expected to cause any harm, loss of property, or unusual burden on the origin server." -- <http://svn.tools.ietf.org/svn/wg/httpbis/specs/rfc7231.html#rfc.section.4.2.1.p.1>

So you can't have GET perform a logout.

...
Appendix B. Example


    The following values show an example of HOBA-http authentication to
    the origin https://example.com:443 Carriage-returns have been added

s/443/443./

Sure, though not sure what RFC editor prefers there (for URLs at
the end of sentences) but they can fix if needed.

In doubt, put it the URI in delimiters...

Best regards, Julian




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]