IETF Logo Mail Archive

Re: [http-auth] Authentication-Info

Julian Reschke <julian.reschke@gmx.de> Tue, 02 December 2014 14:11 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D77391A1B6D for <http-auth@ietfa.amsl.com>; Tue, 2 Dec 2014 06:11:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uUV-KudjVfpC for <http-auth@ietfa.amsl.com>; Tue, 2 Dec 2014 06:11:33 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 921DE1A1B68 for <http-auth@ietf.org>; Tue, 2 Dec 2014 06:11:33 -0800 (PST)
Received: from [192.168.1.26] ([217.91.35.233]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0Lkwc9-1YTUxk3uuj-00ajIK; Tue, 02 Dec 2014 15:11:26 +0100
Message-ID: <547DC889.1070607@gmx.de>
Date: Tue, 02 Dec 2014 15:11:21 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Michael Sweet <msweet@apple.com>
References: <547DB5D1.5040909@gmx.de> <80CDF820-6493-46BD-BB36-2E4990B966DF@apple.com>
In-Reply-To: <80CDF820-6493-46BD-BB36-2E4990B966DF@apple.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:Hm2S28Yjr0lKrssCVItuCvHAdeG4czVFTAo4yVLoctBqDbogsxG wm+AQgdbHiNwn9fNPFRXw5c4V0CUqE7otlz4c/GF0wiKruPpwq57T4Kx4JX/C1iL/bZjuue QvEHqQrynv6/Ba+wCem4BYIhU1pwvak6UZpIIOOicDS2DiCzfSkL8SxM3r3RPGp18jou5jG cMskZdBQ5JECE2iYmvDqQ==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/dtJtCNVMCraToOmarXmHlgDZGyA
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Authentication-Info
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Dec 2014 14:11:41 -0000

On 2014-12-02 15:06, Michael Sweet wrote:
> Julian,
>
>> On Dec 2, 2014, at 7:51 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
>>
>> Hi there,
>>
>> this is a minor outstanding issue with the Digest and SCRAM drafts. It was discussed in both the WG sessions and in hallway conversations.
>>
>> This header field originally was defined in the "Digest" part of RFC 2617, and consequently, it was copied over into <http://tools.ietf.org/html/draft-ietf-httpauth-digest-08#section-3.5>.
>>
>> <http://tools.ietf.org/html/draft-ietf-httpauth-scram-auth-04> currently uses it as well, but with with a slightly differing syntax.
>>
>> Given the fact that we have two authentication scheme definitions that have a use case for this header field -- shouldn't we define it in a way so that it becomes a generic (optional) feature for authentications schemes?
>>
>> Choices:
>>
>> 1) The cleanest approach seems to move the definition into a separate spec which later can be absorbed by a future RFC7235bis. I volunteer to write that spec (it'll be very short), but this would require changes to the Digest spec post-WGLC.
>>
>> 2) Alternatively, we could tune the Digest draft to introduce the header field in a more generic way, allowing other schemes to use it as well. That would avoid a dependency to a yet unwritten spec, but the complexity wouldn't really change.
>>
>> 3) We can tell Alexey to pick a different field name, which would shift all required changes to the SCRAM spec.
>
> In the interests of schedule, I would favor options 2 and 3.

I believe we can get done 1) quickly enough.

> In the interests of reuse/generic use, option 2 would seem to be the way to go.
>
> If we want to minimize changes to both specs, then extending the ABNF in the digest spec to include an optional initial auth-scheme would take of things.  Alternately we can just define a standard "scheme" parameter that contains the auth-scheme value, which has the added benefit of allowing new Digest implementations to include it without breaking existing ones.

Changing the syntax sounds like a breaking change to Digest to me.

Adding a scheme *parameter* would work, but I wonder why that is needed 
anyway. Alexey?

> (and of course nothing prevents a 7235bis from adopting the definition in the new Digest spec, you just avoid the delay of developing a dependent spec now...)
>
> _________________________________________________________
> Michael Sweet, Senior Printing System Engineer, PWG Chair
>


Best regards, Julian

v2.23.0 | Report a Bug | By Email