Re: Call for Adoption: HTTP Unprompted Authentication

Martin Thomson <mt@lowentropy.net> Fri, 24 February 2023 04:38 UTC

Message-Id: <26c3903b-bc35-40ec-9c33-2c083ed85a1f@betaapp.fastmail.com>
In-Reply-To: <6532E43F-74FD-46B4-8D28-9DB03452A689@mnot.net>
References: <6532E43F-74FD-46B4-8D28-9DB03452A689@mnot.net>
Date: Fri, 24 Feb 2023 15:35:42 +1100
From: Martin Thomson <mt@lowentropy.net>
To: ietf-http-wg@w3.org
Archived-At: <https://www.w3.org/mid/26c3903b-bc35-40ec-9c33-2c083ed85a1f@betaapp.fastmail.com>

On Tue, Feb 7, 2023, at 16:58, Mark Nottingham wrote:
> This is a Call for Adoption for:
>   https://www.ietf.org/archive/id/draft-schinazi-httpbis-unprompted-auth-01.html
>
> Please indicate (in response to this message) whether you support 
> adoption, and whether you intend to implement.

This is a little late, but I was asked to offer perspective, so...

Mozilla currently has no use case that would need this mechanism, so we can't really be supportive of adoption on that basis.  However, nor do we oppose it.  The design seems fundamentally sound[*], which is important here.

Provided there is adequate support from those who intend to deploy this, then adoption makes sense.  I haven't seen much evidence of that support so far.

Cheers,
Martin

[*] With the usual caveats.  For instance, I think that the bindings are a little loose, but that's small beans and easy to fix.  Some analysis should be undertaken to be more certain about the security properties, but that seems doable.  The draft does not deal with key rotation well (no mechanism needed).  And some of the issues raised in this thread seem like they are worth considering.  All of that is business as usual for an adopted draft, of course.