Re: Working Group Last Call: draft-ietf-httpbis-auth-info
Julian Reschke <julian.reschke@gmx.de> Sun, 01 March 2015 21:49 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 127781A037C for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 1 Mar 2015 13:49:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dkJmXoSyYZq1 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 1 Mar 2015 13:49:32 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 604C31A1BCD for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 1 Mar 2015 13:49:32 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1YSBg5-0006Dy-T8 for ietf-http-wg-dist@listhub.w3.org; Sun, 01 Mar 2015 21:45:33 +0000
Resent-Date: Sun, 01 Mar 2015 21:45:33 +0000
Resent-Message-Id: <E1YSBg5-0006Dy-T8@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.80) (envelope-from <julian.reschke@gmx.de>) id 1YSBfz-0006As-8E for ietf-http-wg@listhub.w3.org; Sun, 01 Mar 2015 21:45:27 +0000
Received: from mout.gmx.net ([212.227.17.20]) by maggie.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <julian.reschke@gmx.de>) id 1YSBfx-0000T4-MG for ietf-http-wg@w3.org; Sun, 01 Mar 2015 21:45:27 +0000
Received: from [192.168.2.175] ([84.187.33.170]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0MGzwE-1YEUYW0JvO-00DnUJ; Sun, 01 Mar 2015 22:44:54 +0100
Message-ID: <54F38855.7030306@gmx.de>
Date: Sun, 01 Mar 2015 22:44:53 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: ietf-http-wg@w3.org
CC: Amos Jeffries <squid3@treenet.co.nz>
References: <0E4872BF-EBCB-42C0-9BF9-8BC179C1BDDA@mnot.net> <54DAB257.5000203@treenet.co.nz> <54DB1630.3040306@gmx.de> <54DB2A89.2010001@treenet.co.nz>
In-Reply-To: <54DB2A89.2010001@treenet.co.nz>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:RSFzpiAm5LJ3wS3qCjYp5nlQW6GmZUR8C7Z2sXSe7Wm3KQE0gxw 8Ig1e2OjOJGY2KBAx6h4f8NkggDc+yh4DHWN+pNMESOYE8k2DD997UQXjUOHGyQLR3BtUv8 IlLFW2W5PvCg4eXZuJkcSUFOrdeP7PamMbE7lgdy2hLmOaFv40uWaUyYcDxb4qjq6FNyHQs YeAmdNo03eI6cSW6e502w==
X-UI-Out-Filterresults: notjunk:1;
Received-SPF: pass client-ip=212.227.17.20; envelope-from=julian.reschke@gmx.de; helo=mout.gmx.net
X-W3C-Hub-Spam-Status: No, score=-4.2
X-W3C-Hub-Spam-Report: AWL=-2.261, BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001
X-W3C-Scan-Sig: maggie.w3.org 1YSBfx-0000T4-MG 2955e04cd6183aebc952dee61495d48b
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Working Group Last Call: draft-ietf-httpbis-auth-info
Archived-At: <http://www.w3.org/mid/54F38855.7030306@gmx.de>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/28873
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On 2015-02-11 11:10, Amos Jeffries wrote: > ... >>> Section 4 uses the term "proxy authentication" referencing RFC 7235. >>> >>> In RFC 7235 there is no definition, and only a vague implied explanation >>> of that term via explaining what the 407 status means. >> >> That's a problem of RFC 7235. This spec would be the wrong place to >> address this. >> >> I think proposed text for rfc7235bis would be great. >> >>> I believe the text in section 4 should be re-written to match the >>> per-header descriptions found in RFC 7235 sectio 4.3/4.3 paragraph 2. >> >> Not sure how that would improve things. >> >>> With mention specifically about how it differs from Authentication-Info >>> by being hop-by-hop. >> >> Hmm, why is it hop-by-hop? > > > First Proxy-Auth* are explicitly hop-by-hop. This not being so violates > the principle of least surprise. > > It would leak the proxies network credentials related data to the client. > > With result such as; In a proxy chain of A<-B<-C<-D<-E with different > authentications happening in the hop D->C and the hop C->B. If the > header was treated as end-to-end D would be participating in the B->C > authentication. > ... Now tracked as <https://github.com/httpwg/http-extensions/issues/51>. Would it be sufficient to steal from <http://greenbytes.de/tech/webdav/rfc7235.html#rfc.section.4.3.p.2>: "Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the next outbound client on the response chain. This is because only the client that chose a given proxy is likely to have the credentials necessary for authentication. However, when multiple proxies are used within the same administrative domain, such as office and regional caching proxies within a large corporate network, it is common for credentials to be generated by the user agent and passed through the hierarchy until consumed. Hence, in such a configuration, it will appear as if Proxy-Authenticate is being forwarded because each proxy will send the same challenge set." rewriting it to: "However, unlike Authentication-Info, the Proxy-Authentication-Info header field applies only to the next outbound client on the response chain. This is because only the client that chose a given proxy is likely to have the credentials necessary for authentication. However, when multiple proxies are used within the same administrative domain, such as office and regional caching proxies within a large corporate network, it is common for credentials to be generated by the user agent and passed through the hierarchy until consumed. Hence, in such a configuration, it will appear as if Proxy-Authentication-Info is being forwarded because each proxy will send the same challenge set." ? Best regards, Julian
- Working Group Last Call: draft-ietf-httpbis-auth-… Mark Nottingham
- Re: Working Group Last Call: draft-ietf-httpbis-a… Bjoern Hoehrmann
- Re: Working Group Last Call: draft-ietf-httpbis-a… Amos Jeffries
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Amos Jeffries
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Amos Jeffries
- Re: Working Group Last Call: draft-ietf-httpbis-a… Yutaka OIWA
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Hervé Ruellan
- Re: Working Group Last Call: draft-ietf-httpbis-a… Mark Nottingham
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Mark Nottingham
- Re: Working Group Last Call: draft-ietf-httpbis-a… Yutaka OIWA
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Amos Jeffries
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Amos Jeffries
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke