Re: [http-auth] Why is there no SASL support in HTTP?
Rick van Rein <rick@openfortress.nl> Thu, 05 January 2017 09:16 UTC
Hi Tony,

Thanks a lot!

> 1) a mechanism for SASL mechanism discovery.
> 2) the willingness by client and server implementers to extend this into other SASL mechanisms.
>
> #1 could be solved in a straightforward fashion. But I don’t think there’s enough interest currently for #2.

I have a very concrete place where I want it, and it doesn't have the usual chicken / egg problem:

The Nginx proxy has an "Auth Request" mechanism where authn / authz can be performed via an HTTP call to a backend; status codes 401, 403 or 2xx are interpreted and output header values may be harvested. A similar mechanism could be used for a SASL backend. This could directly integrate with its backends for POP3, IMAP, SMTP and (3rd party) XMPP.

Although there's no direct need to standardise it for this internal purpose, it may be the best way to go. That may turn out to be a useful bootstrapping path, making it flow into closed systems and gradually spreading out. Wishful thinking? There's no way to know but to try...

What you are stating is mostly pragmatic, and the need to build up enthusiasm for writing it down. I think HTTP SASL is well worth the effort, and at least allow HTTP programmers to get away from the in-site coding of password logic, and adopt more mechanisms. So I now feel encouraged to write it down.

Thanks!
-Rick
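The 401 / 403 / 2xx contract of the Nginx "Auth Request" subrequest described in the message, as an added example that is not part of the original post or of any project's code. It assumes nginx is configured with `auth_request` pointing at this service on 127.0.0.1:9000; the `X-Auth-User` header name and the user table are constructed, and HTTP Basic stands in for the credential check that a SASL backend would replace.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: user -> (password, authorised for this site?)
USERS = {"alice": ("wonderland", True), "bob": ("builder", False)}

def decide(authorization):
    """Map an Authorization header value to (status, response headers)."""
    challenge = {"WWW-Authenticate": 'Basic realm="example"'}
    if not authorization or not authorization.startswith("Basic "):
        return 401, challenge              # no credentials: ask for them
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
        user, password = raw.split(":", 1)
    except ValueError:                     # bad base64, bad UTF-8, or no ':'
        return 401, challenge
    known = USERS.get(user)
    expected = known[0] if known else ""
    # Compare in constant time so the check does not leak a timing signal.
    matches = hmac.compare_digest(password.encode(), expected.encode())
    if known is None or not matches:
        return 401, challenge              # authentication failed
    if not known[1]:
        return 403, {}                     # authenticated but not authorised
    # 2xx: the proxy lets the request through; it can harvest this header
    # (hypothetical name) with auth_request_set.
    return 204, {"X-Auth-User": user}

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers = decide(self.headers.get("Authorization"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()

if __name__ == "__main__":
    # Assumed listen address for the proxy's internal subrequest.
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

Only `decide` would change for a different mechanism; the status-code contract towards the proxy stays the same.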