[http-auth] RFC 7804 One Round-Trip Reauthentication

Isen Ng <isen@treeboxsolutions.com> Mon, 28 November 2016 06:11 UTC

From: Isen Ng <isen@treeboxsolutions.com>
Date: Mon, 28 Nov 2016 14:11:46 +0800
Message-ID: <CABR9bnzG9Zv+YYN5psnLZzyHUBzg14WVH8VuJkG_w4YZb4PRhg@mail.gmail.com>
To: http-auth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-auth/0uBodMIrFVUVP9gknu9lMEBsEz4>

Hi,

I'm looking at RFC 7804, specifically at "One Round-Trip Reauthentication" (
https://tools.ietf.org/html/rfc7804#page-10).

It is said that

"If the client has authenticated to the same realm before (i.e., it
remembers "i" and "s" attributes for the user from earlier
authentication exchanges with the server), it can respond to that
with "client-final-message""

And the example given:

C: GET /resource HTTP/1.1
C: Host: server.example.com
C: Authorization: SCRAM-SHA-256 realm="testrealm@example.com",
          data=Yz1iaXdzLHI9ck9wck5HZndFYmVSV2diTkVrcU80MDk2JWh2WURwV1VhM
           lJhVENBZnV4RklsailoTmxGLHA9ZEh6YlphcFdJazRqVWhOK1V0ZTl5dGFnOX
           pqZk1IZ3NxbW1pejdBbmRWUT0K

C: [...]

In this case, there is no longer an attribute named "sid" in this
"client-final-message".
How does the server know which user's secret to use to calculate the proof
for matching?

Regards,
Isen
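As an added illustration (not part of Isen's mail or of RFC 7804), the following Python decodes the data= value from the header quoted above and lists which SCRAM attributes the request actually carries; the parser and the function names are assumptions of this example, not an API from the RFC.

```python
import base64
import re

# Authorization header from the RFC 7804 one-round-trip example quoted in the mail;
# the three continuation lines of the data= value are joined into one token here.
EXAMPLE_AUTHORIZATION = (
    'SCRAM-SHA-256 realm="testrealm@example.com",'
    'data=Yz1iaXdzLHI9ck9wck5HZndFYmVSV2diTkVrcU80MDk2JWh2WURwV1VhM'
    'lJhVENBZnV4RklsailoTmxGLHA9ZEh6YlphcFdJazRqVWhOK1V0ZTl5dGFnOX'
    'pqZk1IZ3NxbW1pejdBbmRWUT0K'
)

# name=value pairs; the value is either quoted (realm) or a bare token (data, sid)
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_authorization(header):
    """Split an Authorization value into (scheme, {param: value})."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme, params


def parse_scram_message(data_b64):
    """Decode a data= value and map SCRAM attribute names (c, r, p, n, ...) to values."""
    text = base64.b64decode(data_b64).decode("utf-8").rstrip("\n")
    attrs = {}
    for item in text.split(","):
        # A value can itself contain '=' (the base64 proof), so split on the first '=' only.
        name, sep, value = item.partition("=")
        if sep:  # skip bare GS2 flags such as the leading "n,," of a client-first-message
            attrs[name] = value
    return attrs


def summarize_request(header):
    """Report what a server can learn about the client's identity from this one request."""
    scheme, params = parse_authorization(header)
    attrs = parse_scram_message(params["data"])
    return {
        "scheme": scheme,
        "realm": params.get("realm"),
        "has_sid": "sid" in params,      # session handle from an earlier exchange
        "attributes": sorted(attrs),     # attribute names inside the SCRAM message
        "has_username": "n" in attrs,    # n= is only carried by client-first-message
        "channel_binding": base64.b64decode(attrs["c"]).decode("utf-8") if "c" in attrs else None,
    }
```

For the quoted header this yields attributes c, p and r only, with no sid parameter and no n= attribute, which is exactly the situation the question describes.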