Re: HTTP Unprompted Authentication
Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 13 October 2022 20:09 UTC
Date: Thu, 13 Oct 2022 23:06:26 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <Y0hvwiN0qspglhnq@LK-Perkele-VII2.locald>
References: <166568682708.62670.1401609977193260774@ietfa.amsl.com> <CAPDSy+4KzCqEg-Nt5geb5n87KbJuD=v8pRpRWTB6NsOwr=Bh5g@mail.gmail.com>
In-Reply-To: <CAPDSy+4KzCqEg-Nt5geb5n87KbJuD=v8pRpRWTB6NsOwr=Bh5g@mail.gmail.com>
Archived-At: <https://www.w3.org/mid/Y0hvwiN0qspglhnq@LK-Perkele-VII2.locald>
On Thu, Oct 13, 2022 at 11:58:56AM -0700, David Schinazi wrote:
> Hello HTTP enthusiasts,
>
> ---------- Forwarded message ---------
> Name: draft-schinazi-httpbis-unprompted-auth
> Revision: 00
> Title: HTTP Unprompted Authentication
> Document date: 2022-10-13
> Group: Individual Submission
> Pages: 9
> URL: https://www.ietf.org/archive/id/draft-schinazi-httpbis-unprompted-auth-00.txt

Some quick comments:

- I do not see a requirement for TLS 1.3 or Extended Master Secret anywhere. It is not safe to use TLS Exporters for authentication otherwise.

- There is no requirement to include the hash algorithm in signatures. There are TLS signature algorithms that mean totally different things depending on the hash function, and more of those could appear in the future. E.g., signatures 7 and 8 already have a double meaning (EdDSA [hash 8] and some Chinese stuff [hash 7]).

- The signatures do not appear to be contextualized in any way, which is questionable. For example, one could use the same contextualization mechanism that TLS 1.3 uses (which prepends 64 spaces, a context label and NUL [one zero octet]).

-Ilari
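The second and third comments above are concrete enough to illustrate. The following is an added example, not code from the draft or from this message: it shows why the low "signature" byte of a TLS SignatureScheme code point is ambiguous on its own (ed448 is 0x0808 in RFC 8446 and sm2sig_sm3 is 0x0708 in RFC 8998, so both collapse to signature 8), and it builds a to-be-signed message with the TLS 1.3 contextualization layout from RFC 8446 section 4.4.3 (64 spaces, a context string, one zero octet, then the content) while binding the full 16-bit code point. The context label, the exporter length and the way the exporter output is placed in the content are assumptions for the illustration; the draft's actual signature input is not described on this page.

```python
"""Added illustration (not from draft-schinazi-httpbis-unprompted-auth or
the email): bind the full SignatureScheme code point and contextualize the
signed content the way TLS 1.3 does (RFC 8446, Section 4.4.3)."""
import struct

# Registered TLS SignatureScheme values. In the TLS 1.2 layout the high
# byte was HashAlgorithm and the low byte SignatureAlgorithm; TLS 1.3 keeps
# the 16-bit space but treats the pair as one opaque identifier.
ED25519 = 0x0807     # RFC 8446
ED448 = 0x0808       # RFC 8446
SM2SIG_SM3 = 0x0708  # RFC 8998

# Assumed context label for this illustration; the draft's label (if any)
# is not given on the page.
ASSUMED_CONTEXT_LABEL = b"EXAMPLE unprompted-auth signature"


def split_scheme(scheme: int) -> tuple[int, int]:
    """Return (hash_byte, signature_byte) of a 16-bit SignatureScheme."""
    return (scheme >> 8) & 0xFF, scheme & 0xFF


def low_byte_is_ambiguous(scheme_a: int, scheme_b: int) -> bool:
    """True when two distinct schemes share the same low 'signature' byte,
    i.e. dropping the hash byte would make them indistinguishable."""
    return scheme_a != scheme_b and split_scheme(scheme_a)[1] == split_scheme(scheme_b)[1]


def tls13_signature_content(context_label: bytes, content: bytes) -> bytes:
    """RFC 8446 4.4.3 layout: 64 octets of 0x20, the context string,
    a single 0x00 separator, then the content being signed."""
    return b" " * 64 + context_label + b"\x00" + content


def to_be_signed(scheme: int, exporter_output: bytes,
                 context_label: bytes = ASSUMED_CONTEXT_LABEL) -> bytes:
    """Build the message a signer would feed to its signature algorithm.

    The full 16-bit code point is encoded first so that a signature made
    under one (hash, signature) pair cannot be reinterpreted under another
    pair that happens to share the low byte; the exporter output is
    length-prefixed so its boundary is unambiguous (both choices are
    assumptions of this example)."""
    content = struct.pack("!H", scheme)
    content += struct.pack("!H", len(exporter_output)) + exporter_output
    return tls13_signature_content(context_label, content)


if __name__ == "__main__":
    exporter = bytes(range(32))  # constructed stand-in for TLS exporter output
    print("ed448 vs sm2sig_sm3 share low byte:",
          low_byte_is_ambiguous(ED448, SM2SIG_SM3))
    print(to_be_signed(ED448, exporter).hex())
```

Two checks fall out of this: `to_be_signed` gives different inputs for ed448 and sm2sig_sm3 on identical exporter output only because the hash byte is kept, and two deployments that pick different context labels get different signature inputs even with the same key and exporter, which is the separation the 64-space prefix and label are there to provide.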