Re: Client requesting authentication on server & thomson-httpbis-catch

"henry.story@bblfish.net" <henry.story@bblfish.net> Wed, 26 March 2014 08:37 UTC

From: "henry.story@bblfish.net" <henry.story@bblfish.net>
In-Reply-To: <C2723A44-E086-4BDD-8157-7438E7110661@mnot.net>
Date: Wed, 26 Mar 2014 09:34:53 +0100
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Martin Thomson <martin.thomson@gmail.com>
Message-Id: <BA0B2E3F-BAEA-4476-9135-CB48C80B0BB8@bblfish.net>
References: <EA2F3433-23B1-40A4-8A5B-943FDFEEAB6C@bblfish.net> <74632FC5-6250-45B4-8A90-E280A96423B6@bblfish.net> <C2723A44-E086-4BDD-8157-7438E7110661@mnot.net>
To: Mark Nottingham <mnot@mnot.net>
Archived-At: <http://www.w3.org/mid/BA0B2E3F-BAEA-4476-9135-CB48C80B0BB8@bblfish.net>

On 21 Mar 2014, at 02:12, Mark Nottingham <mnot@mnot.net> wrote:

> 
> On 20 Mar 2014, at 1:42 am, henry.story@bblfish.net wrote:
> 
>> So presumably here one could extend the current client "Authorization" header to 
>> something like 
>> 
>>  Authorization: Certificate
>> 
>> So I see that new schemes can be registered at
>> 
>>  http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-26#section-5.1.2
>>  https://www.ietf.org/rfc/rfc2617.txt
>> 
>> This does require server side TLS renegotiation to work, but that's where we are at
>> present.
> 
> I think this makes the most sense, in that then you could send
> 
> Vary: Authorization
> 
> to indicate that the response varies based upon that header.
> Might be good to put a hash of the cert into the header...

In current popular browsers it is not possible for JS to access the certificates in the keystore, or to
calculate their hashes. [1] This would be possible for web crawlers though (since those can be programmed to
do whatever we want). In both cases giving the hash of a certificate in advance could leak identifying
information, and would require the client to have made up its mind in advance as to what certificate
it wanted to use. But I suppose if the request follows a response containing a

   "WWW-Authenticate: Certificate"

header or if the client knows that it wants to be identified, then that would make sense anyway.

What was the situation in which you could see an advantage of putting a hash of the cert in the header? (Which header?)

Thanks,

	Henry

[1] But I have not followed the Web Crypto API's evolution carefully.

> 
> Cheers,
> 
> --
> Mark Nottingham   http://www.mnot.net/
> 
> 
> 

Social Web Architect
http://bblfish.net/
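The exchange sketched in this thread, as an added illustration that is not part of the original message or of any standard: the server challenges with "WWW-Authenticate: Certificate", the client answers "Authorization: Certificate <hash>" only after that challenge, and the server checks the hash against the certificate the TLS layer actually delivered before replying with "Vary: Authorization". The "Certificate" scheme, the fingerprint format (SHA-256 over DER, base64url), the function names and the sample certificate bytes are all assumptions.

```python
import base64
import hashlib
from typing import Dict, Optional

# Constructed stand-in for a DER-encoded client certificate (not a real certificate).
SAMPLE_CERT = b"constructed-sample-der-bytes-not-a-real-certificate"


def cert_fingerprint(der_cert: bytes) -> str:
    """Fingerprint used by the hypothetical scheme: SHA-256 over the DER bytes,
    base64url without padding (assumed format, not taken from any spec)."""
    digest = hashlib.sha256(der_cert).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def client_authorization_header(response_headers: Dict[str, str], der_cert: bytes) -> Optional[str]:
    """Build the Authorization header only after the server has challenged with
    'WWW-Authenticate: Certificate'. Volunteering the fingerprint unprompted
    would broadcast a stable identifier on every request."""
    challenge = response_headers.get("WWW-Authenticate", "")
    offered = {c.strip().split(None, 1)[0].lower() for c in challenge.split(",") if c.strip()}
    if "certificate" not in offered:
        return None
    return "Certificate " + cert_fingerprint(der_cert)


def server_handle(request_headers: Dict[str, str], tls_peer_cert: Optional[bytes]) -> Dict[str, object]:
    """Compare the announced fingerprint with the certificate the TLS layer
    actually delivered; the header alone proves nothing. Every response carries
    'Vary: Authorization' because its content depends on that header."""
    vary = {"Vary": "Authorization"}
    scheme, _, param = request_headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "certificate" or not param.strip():
        # No usable credential: issue the challenge discussed in the thread.
        return {"status": 401, "headers": {"WWW-Authenticate": "Certificate", **vary}}
    if tls_peer_cert is None or cert_fingerprint(tls_peer_cert) != param.strip():
        # Claimed identity is not the one authenticated on this connection.
        return {"status": 401, "headers": {"WWW-Authenticate": "Certificate", **vary}}
    return {"status": 200, "headers": dict(vary)}
```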