Re: Requesting reviews of draft-vanrein-httpauth-sasl

James <james.ietf@gmail.com> Thu, 14 May 2020 15:35 UTC

To: ietf-http-wg@w3.org
References: <B9974B38-6CC7-4979-B08C-ADA6EB22A66A@apple.com>
From: James <james.ietf@gmail.com>
Message-ID: <3b29ffdf-54dc-4e36-f3c9-d224423b357b@gmail.com>
Date: Thu, 14 May 2020 16:32:46 +0100
In-Reply-To: <B9974B38-6CC7-4979-B08C-ADA6EB22A66A@apple.com>
Archived-At: <https://www.w3.org/mid/3b29ffdf-54dc-4e36-f3c9-d224423b357b@gmail.com>

I've had a brief review of this document and have a comment on a part 
of the security considerations:

> This means that a secure transport layer must be used, like TLS. The 
> termination of such a secure layer MUST also terminate any ongoing SASL 
> handshakes.

Isn't this incompatible with use cases where TLS termination is 
separated from the processing of the HTTP request, such as is common in 
CDNs, or where a trusted proxy is involved?

- J

On 05/05/2020 23:11, Tommy Pauly wrote:
> Hello HTTPbis,
>
> At the virtual meeting of secdispatch at IETF 107, a proposal for SASL in HTTP was presented. The outcome of that discussion was to discuss it at the next HTTPbis meeting.
>
> This document is on our virtual interim agenda for May 19 (https://github.com/httpwg/wg-materials/blob/gh-pages/interim-20-05/agenda.md):
>
> https://tools.ietf.org/html/draft-vanrein-httpauth-sasl-04
>
> There was some brief discussion on the mailing list about this document in January, but there hasn’t been substantial discussion since. Ahead of our virtual meeting, it’d be great to get a few more eyes on this document and have some reviews or thoughts posted to the list.
>
> Thanks!
> Tommy (as co-chair)
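The deployment question raised above, modelled as an added example (this is editor-supplied code, not code from the draft or from either poster). It assumes an origin that keys in-progress SASL handshakes by the transport connection it sees and discards them when that connection closes, which is one straightforward reading of the quoted MUST. The SASL exchange is abstracted to three numbered steps and the draft's actual header syntax is deliberately not reproduced; the connection identifiers, step count and response strings are constructed for the model. The second scenario ignores whatever per-client correlation a real proxy or the draft might add, so it only shows the structural problem: the origin never observes the client's TLS session ending.

```python
"""Constructed model (not the draft's code) of an HTTP origin that binds
in-progress SASL handshakes to the transport connection it sees, run in
two topologies: TLS terminated at the origin, and TLS terminated by a
CDN/proxy that reuses one long-lived upstream connection."""

from dataclasses import dataclass, field


@dataclass
class Origin:
    # conn_id -> last handshake step accepted on that connection (assumed design)
    handshakes: dict[str, int] = field(default_factory=dict)
    # connections whose close the origin actually observed
    closed_seen: list[str] = field(default_factory=list)

    def on_request(self, conn_id: str, step: int) -> str:
        """Accept step N only if step N-1 was accepted on this connection."""
        if step != self.handshakes.get(conn_id, 0) + 1:
            return "401 restart"          # no matching handshake in progress
        if step == 3:                     # final step of the abstract mechanism
            del self.handshakes[conn_id]
            return "200 authenticated"
        self.handshakes[conn_id] = step
        return "401 continue"

    def on_close(self, conn_id: str) -> None:
        """The quoted MUST: ending the secure layer ends any open handshake."""
        self.handshakes.pop(conn_id, None)
        self.closed_seen.append(conn_id)


def tls_at_origin() -> tuple[str, list[str]]:
    """Client speaks TLS directly to the origin, so the origin sees the close."""
    origin = Origin()
    assert origin.on_request("tls-client-A", 1) == "401 continue"
    assert origin.on_request("tls-client-A", 2) == "401 continue"
    origin.on_close("tls-client-A")            # client A's TLS session ends
    # Any later step 3 on this connection id finds no handshake and is
    # refused: the handshake state died with the TLS session.
    return origin.on_request("tls-client-A", 3), origin.closed_seen


def tls_at_proxy() -> tuple[str, list[str]]:
    """Proxy/CDN terminates client TLS and forwards requests over one pooled
    upstream connection. The origin never sees a client's TLS session end,
    so it has no event on which to honour the MUST for that session."""
    origin = Origin()
    upstream = "proxy-upstream-1"             # constructed pooled connection id
    # client A, via the proxy
    assert origin.on_request(upstream, 1) == "401 continue"
    assert origin.on_request(upstream, 2) == "401 continue"
    # Client A's TLS session to the proxy closes here. The upstream
    # connection stays open, so origin.on_close() is never called and the
    # next request the proxy sends on it continues a handshake the origin
    # still considers alive.
    return origin.on_request(upstream, 3), origin.closed_seen


if __name__ == "__main__":
    print(tls_at_origin())   # ('401 restart', ['tls-client-A'])
    print(tls_at_proxy())    # ('200 authenticated', [])
```

The contrast is the point: in the first topology the origin can implement the requirement with a connection-close hook; in the second the only connection it can observe is the proxy's, whose lifetime is unrelated to any client's TLS session, so enforcing the MUST would need the terminating proxy to signal client session boundaries to the origin by some means the quoted text does not specify.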