IETF Logo Mail Archive

Re: [http-auth] Authentication-Info

Ken Murchison <murch@andrew.cmu.edu> Tue, 02 December 2014 14:25 UTC

Return-Path: <murch@andrew.cmu.edu>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB08D1A1B6D for <http-auth@ietfa.amsl.com>; Tue, 2 Dec 2014 06:25:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ey9JtOie2wNg for <http-auth@ietfa.amsl.com>; Tue, 2 Dec 2014 06:25:07 -0800 (PST)
Received: from smtp.andrew.cmu.edu (SMTP.ANDREW.CMU.EDU [128.2.105.204]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAA781ACDFF for <http-auth@ietf.org>; Tue, 2 Dec 2014 06:25:06 -0800 (PST)
Received: from localhost.localdomain (cpe-76-180-151-43.buffalo.res.rr.com [76.180.151.43]) (user=murch mech=PLAIN (0 bits)) by smtp.andrew.cmu.edu (8.14.8/8.14.8) with ESMTP id sB2EP4Ov008034 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <http-auth@ietf.org>; Tue, 2 Dec 2014 09:25:05 -0500
Message-ID: <547DCBC0.4090202@andrew.cmu.edu>
Date: Tue, 02 Dec 2014 09:25:04 -0500
From: Ken Murchison <murch@andrew.cmu.edu>
Organization: Carnegie Mellon University
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: http-auth@ietf.org
References: <547DB5D1.5040909@gmx.de>
In-Reply-To: <547DB5D1.5040909@gmx.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-PMX-Version: 6.0.3.2322014, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2014.12.2.141532
X-SMTP-Spam-Clean: 33% ( SXL_IP_DYNAMIC 3, TO_IN_SUBJECT 0.5, HTML_00_01 0.05, HTML_00_10 0.05, BODYTEXTP_SIZE_3000_LESS 0, BODY_SIZE_1700_1799 0, BODY_SIZE_2000_LESS 0, BODY_SIZE_5000_LESS 0, BODY_SIZE_7000_LESS 0, DATE_TZ_NA 0, FROM_EDU_TLD 0, RDNS_GENERIC_POOLED 0, RDNS_POOLED 0, RDNS_RESIDENTIAL 0, RDNS_SUSP 0, RDNS_SUSP_GENERIC 0, RDNS_SUSP_SPECIFIC 0, REFERENCES 0, __ANY_URI 0, __BOUNCE_CHALLENGE_SUBJ 0, __BOUNCE_NDR_SUBJ_EXEMPT 0, __CP_URI_IN_BODY 0, __CT 0, __CTE 0, __CT_TEXT_PLAIN 0, __FORWARDED_MSG 0, __HAS_FROM 0, __HAS_MSGID 0, __IN_REP_TO 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0, __MOZILLA_MSGID 0, __MOZILLA_USER_AGENT 0, __PHISH_SPEAR_STRUCTURE_1 0, __RDNS_POOLED_1 0, __REFERENCES 0, __SANE_MSGID 0, __SUBJ_ALPHA_END 0, __SUBJ_ALPHA_NEGATE 0, __TO_IN_SUBJECT 0, __TO_MALFORMED_2 0, __TO_NO_NAME 0, __URI_NO_MAILTO 0, __URI_NO_WWW 0, __URI_NS , __USER_AGENT 0)
X-SMTP-Spam-Score: 33%
X-Scanned-By: MIMEDefang 2.74 on 128.2.105.204
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/iAuVRtiPORXLBphSsaf-wDSTQIk
Subject: Re: [http-auth] Authentication-Info
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Dec 2014 14:25:09 -0000

On 12/02/2014 07:51 AM, Julian Reschke wrote:
> Hi there,
>
> this is a minor outstanding issue with the Digest and SCRAM drafts. It 
> was discussed in both the WG sessions and in hallway conversations.
>
> This header field originally was defined in the "Digest" part of RFC 
> 2617, and consequently, it was copied over into 
> <http://tools.ietf.org/html/draft-ietf-httpauth-digest-08#section-3.5>.
>
> <http://tools.ietf.org/html/draft-ietf-httpauth-scram-auth-04> 
> currently uses it as well, but with with a slightly differing syntax.
>
> Given the fact that we have two authentication scheme definitions that 
> have a use case for this header field -- shouldn't we define it in a 
> way so that it becomes a generic (optional) feature for 
> authentications schemes?
>
> Choices:
>
> 1) The cleanest approach seems to move the definition into a separate 
> spec which later can be absorbed by a future RFC7235bis. I volunteer 
> to write that spec (it'll be very short), but this would require 
> changes to the Digest spec post-WGLC.

I'm in favor of this approach.



>
> 2) Alternatively, we could tune the Digest draft to introduce the 
> header field in a more generic way, allowing other schemes to use it 
> as well. That would avoid a dependency to a yet unwritten spec, but 
> the complexity wouldn't really change.

This would be my second choice.



>
> 3) We can tell Alexey to pick a different field name, which would 
> shift all required changes to the SCRAM spec.

This is a non-starter as far as I'm concerned.  Two separate response 
header fields to return auth success data seems clumsy.


-- 
Kenneth Murchison
Principal Systems Software Engineer
Carnegie Mellon University

v2.23.0 | Report a Bug | By Email