Re: [http-auth] Why is there no SASL support in HTTP?

Rick van Rein <rick@openfortress.nl> Mon, 14 August 2017 16:19 UTC

Return-Path: <rick@openfortress.nl>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C7A112426E for <http-auth@ietfa.amsl.com>; Mon, 14 Aug 2017 09:19:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.621
X-Spam-Level:
X-Spam-Status: No, score=-2.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NXP4qDJqJCro for <http-auth@ietfa.amsl.com>; Mon, 14 Aug 2017 09:19:37 -0700 (PDT)
Received: from lb1-smtp-cloud9.xs4all.net (lb1-smtp-cloud9.xs4all.net [194.109.24.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABF24124207 for <http-auth@ietf.org>; Mon, 14 Aug 2017 09:19:35 -0700 (PDT)
Received: from airhead.local ([IPv6:2001:980:93a5:1:681e:d64c:e91a:ef73]) by smtp-cloud9.xs4all.net with ESMTPSA id hI5UdYaB8dRLjhI5VdPH5R; Mon, 14 Aug 2017 18:19:34 +0200
Message-ID: <5991CD93.5090203@openfortress.nl>
Date: Mon, 14 Aug 2017 18:19:31 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: http-auth@ietf.org
References: <586A3C94.4090504@openfortress.nl>
In-Reply-To: <586A3C94.4090504@openfortress.nl>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-CMAE-Envelope: MS4wfO9s36AcWZvo35i0w4yYYK180MwjMsBjFGHcyCiICTlS0Z9nFytVmMxohBQZWLZfwh+a5W/DSJrt2YhTwd0+IiFaTlGhQqcd7tKz4FlMCDNap0M3BAiR JHWLwcxRlbypZ7UoQb+wCUvptReg8OoxIW0WmEZrN5quTZoMYfTFs3Fi3g7LlqZO0OLVQPeYRluOGrPkJQsRHXvHwEXkeQEiOuNyMV3ScGpXCgemp3wmxv5A Azf+/9yMJB7FsPNrjutH8C+jpv1bzFAp82hUI3xm7kM=
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-auth/2ggAg3YlN7NhBUOzZxAWbxhlWbg>
Subject: Re: [http-auth] Why is there no SASL support in HTTP?
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 16:19:39 -0000

Hello former WG,

In Januari I wrote...

> I've been wondering why HTTP Authentication does not support SASL, but
> instead chooses independent mechanisms from SASL?

...and given the positive replies back then, I have now written a draft
to cover this idea.

https://datatracker.ietf.org/doc/draft-vanrein-httpauth-sasl/

Related to this is a proposal that can be helpful to pass SASL over EAP
to (shared) backend infrastructure,

https://datatracker.ietf.org/doc/draft-vanrein-eap-sasl/


It includes channel binding, which AFAIK is new to HTTP, but SASL is
clear about how to do this: skip over the application protocol and
incorporate TLS through tls-unique, as a minimum mechanism.  So the
reasoning for SCRAM-* to not support it because HTTP does not define it,
does not seem to apply here.  I hope I'm not poking in a hornet's nest
by saying this...


Given that the HTTPAUTH WG has been dismantled, I am not sure what to do
next.  Any advise is welcome.


Best wishes,

Rick van Rein
InternetWide.org / ARPA2.net / OpenFortress.nl