Re: [dispatch] SASL Authentication for HTTP
Ben Campbell <ben@nostrum.com> Wed, 04 March 2020 02:49 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94F383A0C55 for <dispatch@ietfa.amsl.com>; Tue, 3 Mar 2020 18:49:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.087
X-Spam-Level:
X-Spam-Status: No, score=0.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, KHOP_HELO_FCRDNS=0.276, MAY_BE_FORGED=1.49, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e5c1HrXS3lBG for <dispatch@ietfa.amsl.com>; Tue, 3 Mar 2020 18:49:38 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D63063A0C50 for <dispatch@ietf.org>; Tue, 3 Mar 2020 18:49:38 -0800 (PST)
Received: from [192.168.127.239] (mta-70-120-123-175.stx.rr.com [70.120.123.175] (may be forged)) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id 0242nYaY088127 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Tue, 3 Mar 2020 20:49:35 -0600 (CST) (envelope-from ben@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1583290176; bh=HhlsFySZqs1FAG8ajd9LLxZMYG5sQeB68HkHHD52Zdc=; h=From:Subject:Date:In-Reply-To:Cc:To:References; b=jzOB5Ty/G/t+ylWIFyA9GSNJXbbvQKekIoV1fr6KSxDrCtqKDeoRJgPSft7ETxuL3 wcv7VKSyAcWOksjOZJHh7H7wvwulmCn4FIsMBOCkUFWuXEcuCNoPTG9ZK3oBl+sGlH SAIu+WOHCljsOI33hRdZ+jTf7KnncHt8RUC/Z5+U=
X-Authentication-Warning: raven.nostrum.com: Host mta-70-120-123-175.stx.rr.com [70.120.123.175] (may be forged) claimed to be [192.168.127.239]
From: Ben Campbell <ben@nostrum.com>
Message-Id: <465193FE-E96E-4071-992C-6979BF97B9A5@nostrum.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_493B0A73-BC60-4138-A1D8-C3E591DFCC73"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
Date: Tue, 03 Mar 2020 20:49:28 -0600
In-Reply-To: <BC526603-5F87-48B5-B67A-AA41B307916F@mnot.net>
Cc: DISPATCH WG <dispatch@ietf.org>, Tommy Pauly <tpauly@apple.com>
To: Mark Nottingham <mnot@mnot.net>
References: <5E54D66F.5070902@openfortress.nl> <B275B223-6985-4D4D-9A24-0A1E1B2D1E36@nostrum.com> <BC526603-5F87-48B5-B67A-AA41B307916F@mnot.net>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/BdATbTPC4HKbua7paNzAP4PEt4Q>
Subject: Re: [dispatch] SASL Authentication for HTTP
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Mar 2020 02:49:49 -0000
Thanks Mark! By “short presentation”, were you thinking in terms of doing so in HTTPBIS or DISPATCH? Everyone: If you find this interesting, please comment soon. We will be figuring out agendas really soon now, and Mark is correct that we need to prioritize meeting time for things that have had list discussion. Thanks! Ben. > On Mar 3, 2020, at 7:24 PM, Mark Nottingham <mnot@mnot.net> wrote: > > Hi Ben, > > I think it belongs in HTTPbis, given that it's a HTTP extension - unless someone is arguing that it deserves a separate WG. Given the potential pitfalls in terms of integration (especially if things are stateful), we need careful review by HTTP folks to make sure it doesn't break anything. > > However, we generally only adopt things when we have signs of interest from implementers; so far we haven't seen that. So it'd be good to see some more on-list discussion - in particular, it'd also be good to understand what adding SASL to the mix of already existent HTTP authentication mechanisms brings. > > A short presentation or discussion at IETF107 might also help; I'm a little wary of giving a time slot to a presentation with so little on-list discussion, but if that makes things easier for DISPATCH, we can manage that (provided IETF107 happens, of course). > > Cheers, > > >> On 4 Mar 2020, at 7:03 am, Ben Campbell <ben@nostrum.com> wrote: >> >> Hi, >> >> Does anyone in DISPATCH (esp. our HTTP experts) have thoughts on Rick’s draft? >> >> I see that it had a small amount of discussion in HTTPBIS back in January. Is this something that should be discussed in DISPATCH or does it clearly belong to HTTPBIS? (I’ve copied the HTTPBIS chairs) >> >> Thanks! >> >> Ben. >> >>> On Feb 25, 2020, at 2:10 AM, Rick van Rein <rick@openfortress.nl> wrote: >>> >>> Hello, >>> >>> This draft proposes to introduce SASL as an authentication mechanism >>> into HTTP. Adding such mechanisms requires IETF Review according to RFC >>> 7235. >>> >>> I don't know where to turn, and this has long stopped this proposal from >>> progressing. It has now been proposed to go through DISPATCH, as this >>> is more related to the binding with protocol headers than to SASL, which >>> itself is quite clear on requirements to its carrier. >>> >>> I have been made aware that SASL in HTTP has been tried before; the >>> reasons why that didn't finish 15 years ago are resolved in this draft: >>> >>> Scalability: >>> >>> - stateless server side (server state relays through the client) >>> - sequential messages distributed over connections is no problem >>> >>> Security: >>> >>> - no fixation on DIGEST-MD5 (compatibility pulls down security) >>> - support for channel binding without fixating protocol layering >>> >>> >>> Benjamin Kaduk noted my search for IETF mechanisms and responded with: >>> >>>> That said, I'm happy to see work in this space and would be willing to >>>> AD-sponsor it upon a recommendation of either DISPATCH group, if that is >>>> the recommendation. >>> >>> >>> The authors of the prior HTTP SASL proposal also welcome this work being >>> done. >>> >>> >>> What are your recommendations towards this work? >>> >>> >>> Thanks, >>> -Rick >>> >>> >>> --------- >>> >>> >>> A new version of I-D, draft-vanrein-httpauth-sasl-03.txt >>> has been successfully submitted by Rick van Rein and posted to the >>> IETF repository. >>> >>> Name: draft-vanrein-httpauth-sasl >>> Revision: 03 >>> Title: HTTP Authentication with SASL >>> Document date: 2020-01-20 >>> Group: Individual Submission >>> Pages: 12 >>> URL: >>> https://www.ietf.org/internet-drafts/draft-vanrein-httpauth-sasl-03.txt >>> Status: >>> https://datatracker.ietf.org/doc/draft-vanrein-httpauth-sasl/ >>> Htmlized: https://tools.ietf.org/html/draft-vanrein-httpauth-sasl-03 >>> Htmlized: >>> https://datatracker.ietf.org/doc/html/draft-vanrein-httpauth-sasl >>> Diff: >>> https://www.ietf.org/rfcdiff?url2=draft-vanrein-httpauth-sasl-03 >>> >>> Abstract: >>> Most application-level protocols standardise their authentication >>> exchanges under the SASL framework. HTTP has taken another course, >>> and often ends up replicating the work to allow individual >>> mechanisms. This specification adopts full SASL authentication into >>> HTTP. >>> >>> _______________________________________________ >>> dispatch mailing list >>> dispatch@ietf.org >>> https://www.ietf.org/mailman/listinfo/dispatch >> > > -- > Mark Nottingham https://www.mnot.net/ > > _______________________________________________ > dispatch mailing list > dispatch@ietf.org > https://www.ietf.org/mailman/listinfo/dispatch
- [dispatch] SASL Authentication for HTTP Rick van Rein
- Re: [dispatch] SASL Authentication for HTTP Ben Campbell
- Re: [dispatch] SASL Authentication for HTTP Mark Nottingham
- Re: [dispatch] SASL Authentication for HTTP Ben Campbell
- Re: [dispatch] SASL Authentication for HTTP Mark Nottingham
- Re: [dispatch] SASL Authentication for HTTP Rick van Rein
- Re: [dispatch] SASL Authentication for HTTP Alexey Melnikov
- Re: [dispatch] SASL Authentication for HTTP Rick van Rein