Re: Working Group Last Call: draft-ietf-httpbis-auth-info
Julian Reschke <julian.reschke@gmx.de> Wed, 11 February 2015 10:48 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DE7B1A87E9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 11 Feb 2015 02:48:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GfBzH55eFQhl for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 11 Feb 2015 02:48:55 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E0091A87E8 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 11 Feb 2015 02:48:55 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1YLUns-00005B-NI for ietf-http-wg-dist@listhub.w3.org; Wed, 11 Feb 2015 10:45:56 +0000
Resent-Date: Wed, 11 Feb 2015 10:45:56 +0000
Resent-Message-Id: <E1YLUns-00005B-NI@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.80) (envelope-from <julian.reschke@gmx.de>) id 1YLUnn-0008W3-AL for ietf-http-wg@listhub.w3.org; Wed, 11 Feb 2015 10:45:51 +0000
Received: from mout.gmx.net ([212.227.17.20]) by maggie.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <julian.reschke@gmx.de>) id 1YLUnm-0000SJ-5o for ietf-http-wg@w3.org; Wed, 11 Feb 2015 10:45:51 +0000
Received: from [192.168.1.26] ([217.91.35.233]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0M7TQZ-1XQlZI48Fr-00xO1x; Wed, 11 Feb 2015 11:45:20 +0100
Message-ID: <54DB32BB.10609@gmx.de>
Date: Wed, 11 Feb 2015 11:45:15 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org
References: <0E4872BF-EBCB-42C0-9BF9-8BC179C1BDDA@mnot.net> <54DAB257.5000203@treenet.co.nz> <54DB1630.3040306@gmx.de> <54DB2A89.2010001@treenet.co.nz>
In-Reply-To: <54DB2A89.2010001@treenet.co.nz>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:HDiB4arVknFfmUdq3jrOOkS4x/sdpQ6u8K7Xjj3VepAr/Qz6Tqe itTe/e6/YN5ZpvM5t6JP/Gth5s0KQO5y/aY6jr1tQvIvAzNjvDs1Umf5VdRuUncMc9wbkgl F3+bYJ18QzQOAxc2Prr1amAtJ+KEmRErxHa3sqD1U3ewRU8VZquUtmkvfp4+hbvmuFFSc1n PkdmvoQDbqavOjikDFAKQ==
X-UI-Out-Filterresults: notjunk:1;
Received-SPF: pass client-ip=212.227.17.20; envelope-from=julian.reschke@gmx.de; helo=mout.gmx.net
X-W3C-Hub-Spam-Status: No, score=-4.3
X-W3C-Hub-Spam-Report: AWL=-2.414, BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1YLUnm-0000SJ-5o adb74a22232c7195bc33d9dd744c8efe
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Working Group Last Call: draft-ietf-httpbis-auth-info
Archived-At: <http://www.w3.org/mid/54DB32BB.10609@gmx.de>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/28821
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On 2015-02-11 11:10, Amos Jeffries wrote: > ... > ... >>> With mention specifically about how it differs from Authentication-Info >>> by being hop-by-hop. >> >> Hmm, why is it hop-by-hop? > > > First Proxy-Auth* are explicitly hop-by-hop. This not being so violates > the principle of least surprise. > > It would leak the proxies network credentials related data to the client. > > With result such as; In a proxy chain of A<-B<-C<-D<-E with different > authentications happening in the hop D->C and the hop C->B. If the > header was treated as end-to-end D would be participating in the B->C > authentication. Understood, but that doesn't make it hop-by-hop, but something in between, right? >>> Under security considerations I believe it would be good to mention that >>> recipients of the Authentication-Info header in any response should >>> (ought to or SHOULD?) treat the transaction as if it were authenticated >>> even if the RFC7235 headers are not present. >> >> Why? >> >> (Remember that the intent of the spec was simply to extract the >> definition from RFC 2617; so if we make additional changes they need to >> be, well, understood) > > Information leak vulnerabilities. Yes, but why would you send Authentication-Info in a response when Authenticate was not present in the request? > "ought to" is fine with me if you really want to stick with the > non-normative. >> >>> Some of the use-cases I see for this header include out-of-band >>> authentication. If the server is treating the reply as authenticated it >>> may inadvertently include private information in the payload or other >>> headers. >>> >>> >>> >>> Also, Yutaka brought up the issue of association between selected scheme >>> and Authentication-Info contents. I believe this document is the right >>> place to reserve a parameter scheme= which takes the auth-scheme as its >>> value for the purpose in the same way RFC 7235 reserves the realm= >>> parameter for use across schemes. >> >> That was already answered. There can only be one authentication >> happening at a single time (plus one proxy authentication). > > Except in the case above where the D header leaks to B because the C > implementer did not treat it as hop-by-hop. But the spec does not > (currently) say anything about it being different from > Authentication-Info which is end-to-end ... so they were able to > compliantly choose that nasty interpretation. Again, we need to find the right terminology here. As far as I understand proxy auth, it's neither end-to-end (UA to origin server) nor hop-by-hop. I do agree that the description of proxy authentication is weak in 7235, but by all means let's fix it over there, not here. Best regards, Julian
- Working Group Last Call: draft-ietf-httpbis-auth-… Mark Nottingham
- Re: Working Group Last Call: draft-ietf-httpbis-a… Bjoern Hoehrmann
- Re: Working Group Last Call: draft-ietf-httpbis-a… Amos Jeffries
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Amos Jeffries
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Amos Jeffries
- Re: Working Group Last Call: draft-ietf-httpbis-a… Yutaka OIWA
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Hervé Ruellan
- Re: Working Group Last Call: draft-ietf-httpbis-a… Mark Nottingham
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Mark Nottingham
- Re: Working Group Last Call: draft-ietf-httpbis-a… Yutaka OIWA
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Amos Jeffries
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Amos Jeffries
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke