Re: Requesting reviews of draft-vanrein-httpauth-sasl

James <> Thu, 14 May 2020 15:35 UTC

From: James <>
Date: Thu, 14 May 2020 16:32:46 +0100
Subject: Re: Requesting reviews of draft-vanrein-httpauth-sasl

I've had a brief review of this document and have a comment on a part 
of the security considerations:

> This means that a secure transport layer must be used, like TLS. The 
> termination of such a secure layer MUST also terminate any ongoing SASL 

Isn't this incompatible with use cases where TLS termination is 
separated from the processing of the HTTP request, as is common in 
CDNs, or where a trusted proxy is involved?

- J

On 05/05/2020 23:11, Tommy Pauly wrote:
> Hello HTTPbis,
> At the virtual meeting of secdispatch at IETF 107, a proposal for SASL in HTTP was presented. The outcome of that discussion was to discuss it at the next HTTPbis meeting.
> This document is on our virtual interim agenda for May 19 (
> There was some brief discussion on the mailing list about this document in January, but there hasn’t been substantial discussion since. Ahead of our virtual meeting, it’d be great to get a few more eyes on this document and have some reviews or thoughts posted to the list.
> Thanks!
> Tommy (as co-chair)
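The concern James raises above can be made concrete with a small model (an added illustration, not code from the draft or from any implementation): an origin that keys SASL session state to the transport connection it observes, once placed behind a TLS-terminating proxy that pools one upstream connection for several clients. The connection identifiers, paths and user names are constructed for the illustration.

```python
"""Constructed model: SASL session state bound to the TLS connection
the origin sees, with and without a TLS-terminating proxy in between."""
from dataclasses import dataclass, field


@dataclass
class Origin:
    # SASL state keyed by the transport connection the origin observes.
    # When that connection closes, the state is dropped (the draft's MUST
    # that TLS termination also terminates the SASL session).
    sessions: dict = field(default_factory=dict)

    def sasl_complete(self, conn_id: str, user: str) -> None:
        self.sessions[conn_id] = user

    def connection_closed(self, conn_id: str) -> None:
        self.sessions.pop(conn_id, None)

    def handle(self, conn_id: str, path: str) -> str:
        user = self.sessions.get(conn_id)
        return f"200 {user} GET {path}" if user else "401 Unauthorized"


@dataclass
class TerminatingProxy:
    """Terminates each client's TLS and relays over one pooled upstream
    connection (constructed stand-in for a CDN edge or reverse proxy)."""
    origin: Origin
    upstream_conn: str = "proxy-upstream-1"

    def forward(self, client_tls_conn: str, path: str) -> str:
        # The origin never sees client_tls_conn; every client is multiplexed
        # onto upstream_conn, so the origin cannot observe client TLS closing.
        return self.origin.handle(self.upstream_conn, path)


def direct_tls_scenario() -> list:
    """Client speaks TLS directly to the origin: the binding works."""
    origin = Origin()
    origin.sasl_complete("tls-alice", "alice")
    before_close = origin.handle("tls-alice", "/private")
    origin.connection_closed("tls-alice")        # TLS ends, SASL state ends
    after_close = origin.handle("tls-alice", "/private")
    return [before_close, after_close]


def proxied_scenario() -> list:
    """Same origin behind a TLS-terminating proxy: the binding misfires."""
    origin = Origin()
    proxy = TerminatingProxy(origin)
    origin.sasl_complete(proxy.upstream_conn, "alice")   # alice's SASL relayed
    alice = proxy.forward("tls-alice", "/private")
    # alice's TLS session to the proxy ends, but the pooled upstream
    # connection stays open, so bob's request arrives on the same conn_id.
    bob = proxy.forward("tls-bob", "/private")
    return [alice, bob]
```

In the proxied case the origin has no event corresponding to alice's TLS termination, so it can neither honour the requirement nor tell bob's request apart from alice's session.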