Re: [dispatch] SASL Authentication for HTTP
Alexey Melnikov <aamelnikov@fastmail.fm> Wed, 04 March 2020 14:25 UTC
Return-Path: <aamelnikov@fastmail.fm>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 381A43A0FD8 for <dispatch@ietfa.amsl.com>; Wed, 4 Mar 2020 06:25:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.fm header.b=ZO8q9Dq+; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=riIwF/4u
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4MLrVyOuqTcN for <dispatch@ietfa.amsl.com>; Wed, 4 Mar 2020 06:25:38 -0800 (PST)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AB523A0FD7 for <dispatch@ietf.org>; Wed, 4 Mar 2020 06:25:38 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id 9DD4353A; Wed, 4 Mar 2020 09:25:36 -0500 (EST)
Received: from imap21 ([10.202.2.71]) by compute3.internal (MEProxy); Wed, 04 Mar 2020 09:25:36 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.fm; h= mime-version:message-id:in-reply-to:references:date:from:to:cc :subject:content-type:content-transfer-encoding; s=fm2; bh=48N+c OJv3rA5QfG7BgVuwiqV6JpSBK1Dy1iu4YdoIG8=; b=ZO8q9Dq+2gE7Way1ST9Hz fM6OjRFTt6O9zgl+cfkq5pIXy8j8Zo3z7K/I4XpFQvnfCLJBEhn5gotzHWlpK6Bz YxFbiWmqrpkmje51QqDSODF1V7kkwKD3twfyWjvBCDVrqkB5f/rQi1o8afbXun0G omervkMRb2SAjg9ypmcBhVVum5unmOfZDbMEjrBvyaHzGeSnsThXgH2MpMTzdvR2 fJQpRH4FqglhDeJ6Qy9vfILa37s7lMHVVprvpkLHBdtiNlEbuN2cCGyhgoNeQy/I LtsXyd2QWJf56S9evBpVyVdUg9mfGCbQXEh4I8yJpRgh2JjcjLR2DUmnj20pLWqQ A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=48N+cOJv3rA5QfG7BgVuwiqV6JpSBK1Dy1iu4YdoI G8=; b=riIwF/4uJMuiqWbwuKSdrNYzJyiilugUTPunfg/lPwiBqHEDSiAMHptY+ QSzztkXczK25lXLJ+eSeoFfgcXpHXGKTWaCtWTk1RlZSrGvvmTXkFeklrjFrstwG T+C5F/b+SKqnlWLaTx/jJAqGsYWiYalO4AitlMVTDo0SEeF5yGuSpht5jsUaD28V ygF4fgrvgo56AxjV5570HyIJzxo6Cb2LAiyspCAm/VTQBxAMryaus7eDv/Hyuhon Qkqr/aI325TetkChZO/kNffWgrEyXfQdcrOCCShPWBf2EKc54wjmqPk0h3/A2RQm MpMxXwQAHJZgcPri+IsVfAJus00MA==
X-ME-Sender: <xms:X7pfXvrVdR8ZYiuQVHMrO6wWpcx-hduMQr4BxFHcynNB0CW_iDHaOA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedugedruddtkedgieehucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvffutgfgsehtqhertderreejnecuhfhrohhmpedftehl vgigvgihucfovghlnhhikhhovhdfuceorggrmhgvlhhnihhkohhvsehfrghsthhmrghilh drfhhmqeenucffohhmrghinhephhhtthhprghlfigrhihshhgrshhtohgsvghsphgvtghi rghlsggvtggruhhsvghithguohgvshhnthhhrghvvghsrghslhhsuhhpphhorhhtrdihoh hupdhirghnrgdrohhrghdphhhtthhpsghishgsrggtkhhinhhjrghnuhgrrhihrdhishdp ihgvthhfrdhorhhgpdguihhsphgrthgthhhmrghilhhinhhglhhishhtughishhprghttg hhihgvthhfrdhorhhgpdhmnhhothdrnhgvthenucevlhhushhtvghrufhiiigvpedtnecu rfgrrhgrmhepmhgrihhlfhhrohhmpegrrghmvghlnhhikhhovhesfhgrshhtmhgrihhlrd hfmh
X-ME-Proxy: <xmx:X7pfXlBOa2pArueZnS7TKA2NtOfk3zMs4TpC5UNBkkVcNRhyhN7TzA> <xmx:X7pfXqG84aGPxes3l7iYhusqoBIAsAzzpu0tRHsL7xYp9nDuRo-SYQ> <xmx:X7pfXuB_HuaQ9mR_TbkIE0_gVpGQHupZbs5IzZii0mKWjPGi_dTb3w> <xmx:YLpfXkCsakdjyt87ZLx-OeYtH_3sZCld4vgyjO461gZHxqrIiJxgeg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 9D57E660060; Wed, 4 Mar 2020 09:25:35 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-986-gfc2d493-fmstable-20200304v3
Mime-Version: 1.0
Message-Id: <4d2b8267-1773-429f-8178-8c857f99f3f3@www.fastmail.com>
In-Reply-To: <BC526603-5F87-48B5-B67A-AA41B307916F@mnot.net>
References: <5E54D66F.5070902@openfortress.nl> <B275B223-6985-4D4D-9A24-0A1E1B2D1E36@nostrum.com> <BC526603-5F87-48B5-B67A-AA41B307916F@mnot.net>
Date: Wed, 04 Mar 2020 14:25:15 +0000
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: Mark Nottingham <mnot@mnot.net>, Ben Campbell <ben@nostrum.com>
Cc: DISPATCH <dispatch@ietf.org>, Tommy Pauly <tpauly@apple.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/M4SmVkxeLo4pFOCMbfDUoBdj_ok>
Subject: Re: [dispatch] SASL Authentication for HTTP
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Mar 2020 14:25:40 -0000
On Wed, Mar 4, 2020, at 1:24 AM, Mark Nottingham wrote: > Hi Ben, > > I think it belongs in HTTPbis, given that it's a HTTP extension - > unless someone is arguing that it deserves a separate WG. Given the > potential pitfalls in terms of integration (especially if things are > stateful), we need careful review by HTTP folks to make sure it doesn't > break anything. > > However, we generally only adopt things when we have signs of interest > from implementers; so far we haven't seen that. So it'd be good to see > some more on-list discussion - in particular, it'd also be good to > understand what adding SASL to the mix of already existent HTTP > authentication mechanisms brings. The advantage of SASL framework is that once a new SASL authentication mechanism is added, it is immediately available in IMAP, SMTP, XMPP, LDAP, POP3 and several other protocols. HTTP always has to be "special", because it doesn't have SASL support. You can see list of currently registered mechanism on IANA's website: <https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml> > A short presentation or discussion at IETF107 might also help; I'm a > little wary of giving a time slot to a presentation with so little > on-list discussion, but if that makes things easier for DISPATCH, we > can manage that (provided IETF107 happens, of course). > > Cheers, > > > > On 4 Mar 2020, at 7:03 am, Ben Campbell <ben@nostrum.com> wrote: > > > > Hi, > > > > Does anyone in DISPATCH (esp. our HTTP experts) have thoughts on Rick’s draft? > > > > I see that it had a small amount of discussion in HTTPBIS back in January. Is this something that should be discussed in DISPATCH or does it clearly belong to HTTPBIS? (I’ve copied the HTTPBIS chairs) > > > > Thanks! > > > > Ben. > > > >> On Feb 25, 2020, at 2:10 AM, Rick van Rein <rick@openfortress.nl> wrote: > >> > >> Hello, > >> > >> This draft proposes to introduce SASL as an authentication mechanism > >> into HTTP. Adding such mechanisms requires IETF Review according to RFC > >> 7235. > >> > >> I don't know where to turn, and this has long stopped this proposal from > >> progressing. It has now been proposed to go through DISPATCH, as this > >> is more related to the binding with protocol headers than to SASL, which > >> itself is quite clear on requirements to its carrier. > >> > >> I have been made aware that SASL in HTTP has been tried before; the > >> reasons why that didn't finish 15 years ago are resolved in this draft: > >> > >> Scalability: > >> > >> - stateless server side (server state relays through the client) > >> - sequential messages distributed over connections is no problem > >> > >> Security: > >> > >> - no fixation on DIGEST-MD5 (compatibility pulls down security) > >> - support for channel binding without fixating protocol layering > >> > >> > >> Benjamin Kaduk noted my search for IETF mechanisms and responded with: > >> > >>> That said, I'm happy to see work in this space and would be willing to > >>> AD-sponsor it upon a recommendation of either DISPATCH group, if that is > >>> the recommendation. > >> > >> > >> The authors of the prior HTTP SASL proposal also welcome this work being > >> done. > >> > >> > >> What are your recommendations towards this work? > >> > >> > >> Thanks, > >> -Rick > >> > >> > >> --------- > >> > >> > >> A new version of I-D, draft-vanrein-httpauth-sasl-03.txt > >> has been successfully submitted by Rick van Rein and posted to the > >> IETF repository. > >> > >> Name: draft-vanrein-httpauth-sasl > >> Revision: 03 > >> Title: HTTP Authentication with SASL > >> Document date: 2020-01-20 > >> Group: Individual Submission > >> Pages: 12 > >> URL: > >> https://www.ietf.org/internet-drafts/draft-vanrein-httpauth-sasl-03.txt > >> Status: > >> https://datatracker.ietf.org/doc/draft-vanrein-httpauth-sasl/ > >> Htmlized: https://tools.ietf.org/html/draft-vanrein-httpauth-sasl-03 > >> Htmlized: > >> https://datatracker.ietf.org/doc/html/draft-vanrein-httpauth-sasl > >> Diff: > >> https://www.ietf.org/rfcdiff?url2=draft-vanrein-httpauth-sasl-03 > >> > >> Abstract: > >> Most application-level protocols standardise their authentication > >> exchanges under the SASL framework. HTTP has taken another course, > >> and often ends up replicating the work to allow individual > >> mechanisms. This specification adopts full SASL authentication into > >> HTTP. > >> > >> _______________________________________________ > >> dispatch mailing list > >> dispatch@ietf.org > >> https://www.ietf.org/mailman/listinfo/dispatch > > > > -- > Mark Nottingham https://www.mnot.net/ > > _______________________________________________ > dispatch mailing list > dispatch@ietf.org > https://www.ietf.org/mailman/listinfo/dispatch >
- [dispatch] SASL Authentication for HTTP Rick van Rein
- Re: [dispatch] SASL Authentication for HTTP Ben Campbell
- Re: [dispatch] SASL Authentication for HTTP Mark Nottingham
- Re: [dispatch] SASL Authentication for HTTP Ben Campbell
- Re: [dispatch] SASL Authentication for HTTP Mark Nottingham
- Re: [dispatch] SASL Authentication for HTTP Rick van Rein
- Re: [dispatch] SASL Authentication for HTTP Alexey Melnikov
- Re: [dispatch] SASL Authentication for HTTP Rick van Rein