Re: [dispatch] SASL Authentication for HTTP
Mark Nottingham <mnot@mnot.net> Wed, 04 March 2020 01:25 UTC
Return-Path: <mnot@mnot.net>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3801A3A0A4D for <dispatch@ietfa.amsl.com>; Tue, 3 Mar 2020 17:25:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b=J4k8AXIW; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=xVlgmyOq
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EPkek5d2aIri for <dispatch@ietfa.amsl.com>; Tue, 3 Mar 2020 17:25:02 -0800 (PST)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 809BC3A0A48 for <dispatch@ietf.org>; Tue, 3 Mar 2020 17:25:02 -0800 (PST)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id D7137221FC; Tue, 3 Mar 2020 20:25:01 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162]) by compute5.internal (MEProxy); Tue, 03 Mar 2020 20:25:01 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm2; bh=D ik06MGYt9fD+YYyiev7L7ogTirK0L5442Yk/RYSaTw=; b=J4k8AXIWuPcPvnWDR PLoyPqIFvuNAfjZPXQ7xs9Ios92al69ZqrpnniFM2MwPoWEmYPHvf2YEbcHU1Rcm CCEQZx0O+Jsy973je+6883orSdrMrcN5Of7rwnWitA7KHmT1DfgMbsm0KqQp93cR OkEAlWF7otx87A5i/Z9D/9dbRwmGJK3K2In0jiyQmHSb6xuWfv4Jta9UHy1EIguo Z2TFo//OSZCHpa8593c0jvRkQFl3TRmXP4XGhZJv869bz+2FHhLBtkPmmIddIpm0 q62mMA/5x0AuAaZ/yz9do6CkzPP8G1KlST8Fyg5O/dtOxyKhZsRzQKSe7DVRtJef SqrPg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=Dik06MGYt9fD+YYyiev7L7ogTirK0L5442Yk/RYSa Tw=; b=xVlgmyOq2AoiKEQFeZ4pvHske9E2kRSrubm6P/8GVBULtK+cH3P8CMBXH qCbVLAezyBLxl1Hg87PNzf1JfbPhwE0uNHVg8MdDQvfiUrAd189lg8IXla6UO29K R3KhyDzggWhkyFefQdOOLo68W9w29dZ/G8ytnDzgU6BVj6KQasV1/lGdFXL7x5jE RMjOuO7IN6ilMSFsF8a6XgBEVZgR7TGWaIJMRkMUbYSjWRBhSM2ZHV9+ZDa34oeG OLMMXxY72Tri1wMpyRd4Nm+iOtptxGjSM5hbDLWgnzVhKhVvkdjtB75+c9ZaZKFH lheY2mBbDjDKAb93RZWXofJFUO7Zw==
X-ME-Sender: <xms:bANfXtn7UxUqlcD0JVSxujP3p5pPJcvdHDoCnQK_Pj6KiE7XQelrJg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedugedruddtjedgfeehucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheptggguffhjgffgffkfhfvofesthhqmhdthhdtjeenucfhrhhomhepofgrrhhk ucfpohhtthhinhhghhgrmhcuoehmnhhothesmhhnohhtrdhnvghtqeenucffohhmrghinh ephhhtthhpsghishgsrggtkhhinhhjrghnuhgrrhihrdhishdpihgvthhfrdhorhhgpdgu ihhsphgrthgthhhmrghilhhinhhglhhishhtughishhprghttghhihgvthhfrdhorhhgpd hmnhhothdrnhgvthenucfkphepudduledrudejrdduheekrddvhedunecuvehluhhsthgv rhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepmhhnohhtsehmnhhothdrnh gvth
X-ME-Proxy: <xmx:bANfXr4yiBOPUlwVHLXVFlRNEBiJKuHFQaSQqkIbq2eDNVh9B7CLjA> <xmx:bANfXuQm2pUx-i5GPPboynEW_NJNGYQAF1XIGHbjRVhlWgl8_xJF5w> <xmx:bANfXpzeBThyvrzQhNPzT56TQAxAxeHHZrqykXx1kgRuHvpvGZ8lsA> <xmx:bQNfXlobZxi5FbZLiaLpAdh60hDBFC7Lu5bwTQ_4SHcc_Psl0Hy4qQ>
Received: from macbook-pro.mnot.net (unknown [119.17.158.251]) by mail.messagingengine.com (Postfix) with ESMTPA id 5D4013280059; Tue, 3 Mar 2020 20:24:59 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <B275B223-6985-4D4D-9A24-0A1E1B2D1E36@nostrum.com>
Date: Wed, 04 Mar 2020 12:24:56 +1100
Cc: DISPATCH WG <dispatch@ietf.org>, Tommy Pauly <tpauly@apple.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <BC526603-5F87-48B5-B67A-AA41B307916F@mnot.net>
References: <5E54D66F.5070902@openfortress.nl> <B275B223-6985-4D4D-9A24-0A1E1B2D1E36@nostrum.com>
To: Ben Campbell <ben@nostrum.com>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/qfTRZ4dsD5wX6amEJpoaJ3lJOK8>
Subject: Re: [dispatch] SASL Authentication for HTTP
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Mar 2020 01:25:06 -0000
Hi Ben, I think it belongs in HTTPbis, given that it's a HTTP extension - unless someone is arguing that it deserves a separate WG. Given the potential pitfalls in terms of integration (especially if things are stateful), we need careful review by HTTP folks to make sure it doesn't break anything. However, we generally only adopt things when we have signs of interest from implementers; so far we haven't seen that. So it'd be good to see some more on-list discussion - in particular, it'd also be good to understand what adding SASL to the mix of already existent HTTP authentication mechanisms brings. A short presentation or discussion at IETF107 might also help; I'm a little wary of giving a time slot to a presentation with so little on-list discussion, but if that makes things easier for DISPATCH, we can manage that (provided IETF107 happens, of course). Cheers, > On 4 Mar 2020, at 7:03 am, Ben Campbell <ben@nostrum.com> wrote: > > Hi, > > Does anyone in DISPATCH (esp. our HTTP experts) have thoughts on Rick’s draft? > > I see that it had a small amount of discussion in HTTPBIS back in January. Is this something that should be discussed in DISPATCH or does it clearly belong to HTTPBIS? (I’ve copied the HTTPBIS chairs) > > Thanks! > > Ben. > >> On Feb 25, 2020, at 2:10 AM, Rick van Rein <rick@openfortress.nl> wrote: >> >> Hello, >> >> This draft proposes to introduce SASL as an authentication mechanism >> into HTTP. Adding such mechanisms requires IETF Review according to RFC >> 7235. >> >> I don't know where to turn, and this has long stopped this proposal from >> progressing. It has now been proposed to go through DISPATCH, as this >> is more related to the binding with protocol headers than to SASL, which >> itself is quite clear on requirements to its carrier. >> >> I have been made aware that SASL in HTTP has been tried before; the >> reasons why that didn't finish 15 years ago are resolved in this draft: >> >> Scalability: >> >> - stateless server side (server state relays through the client) >> - sequential messages distributed over connections is no problem >> >> Security: >> >> - no fixation on DIGEST-MD5 (compatibility pulls down security) >> - support for channel binding without fixating protocol layering >> >> >> Benjamin Kaduk noted my search for IETF mechanisms and responded with: >> >>> That said, I'm happy to see work in this space and would be willing to >>> AD-sponsor it upon a recommendation of either DISPATCH group, if that is >>> the recommendation. >> >> >> The authors of the prior HTTP SASL proposal also welcome this work being >> done. >> >> >> What are your recommendations towards this work? >> >> >> Thanks, >> -Rick >> >> >> --------- >> >> >> A new version of I-D, draft-vanrein-httpauth-sasl-03.txt >> has been successfully submitted by Rick van Rein and posted to the >> IETF repository. >> >> Name: draft-vanrein-httpauth-sasl >> Revision: 03 >> Title: HTTP Authentication with SASL >> Document date: 2020-01-20 >> Group: Individual Submission >> Pages: 12 >> URL: >> https://www.ietf.org/internet-drafts/draft-vanrein-httpauth-sasl-03.txt >> Status: >> https://datatracker.ietf.org/doc/draft-vanrein-httpauth-sasl/ >> Htmlized: https://tools.ietf.org/html/draft-vanrein-httpauth-sasl-03 >> Htmlized: >> https://datatracker.ietf.org/doc/html/draft-vanrein-httpauth-sasl >> Diff: >> https://www.ietf.org/rfcdiff?url2=draft-vanrein-httpauth-sasl-03 >> >> Abstract: >> Most application-level protocols standardise their authentication >> exchanges under the SASL framework. HTTP has taken another course, >> and often ends up replicating the work to allow individual >> mechanisms. This specification adopts full SASL authentication into >> HTTP. >> >> _______________________________________________ >> dispatch mailing list >> dispatch@ietf.org >> https://www.ietf.org/mailman/listinfo/dispatch > -- Mark Nottingham https://www.mnot.net/
- [dispatch] SASL Authentication for HTTP Rick van Rein
- Re: [dispatch] SASL Authentication for HTTP Ben Campbell
- Re: [dispatch] SASL Authentication for HTTP Mark Nottingham
- Re: [dispatch] SASL Authentication for HTTP Ben Campbell
- Re: [dispatch] SASL Authentication for HTTP Mark Nottingham
- Re: [dispatch] SASL Authentication for HTTP Rick van Rein
- Re: [dispatch] SASL Authentication for HTTP Alexey Melnikov
- Re: [dispatch] SASL Authentication for HTTP Rick van Rein