IETF Logo Mail Archive

Re: WWW-Authenticate proposal: timeout flag

Rafal Pietrak <cookie.rp@ztk-rp.eu> Sat, 08 May 2021 09:44 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D5BF3A4624 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sat, 8 May 2021 02:44:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.472
X-Spam-Level:
X-Spam-Status: No, score=-2.472 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=ztk-rp.eu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DniuqpyviuCh for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sat, 8 May 2021 02:44:07 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2C843A4622 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sat, 8 May 2021 02:44:07 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1lfJSu-0002xk-0U for ietf-http-wg-dist@listhub.w3.org; Sat, 08 May 2021 09:41:40 +0000
Resent-Date: Sat, 08 May 2021 09:41:40 +0000
Resent-Message-Id: <E1lfJSu-0002xk-0U@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <cookie.rp@ztk-rp.eu>) id 1lfJSr-0002wt-OP for ietf-http-wg@listhub.w3.org; Sat, 08 May 2021 09:41:37 +0000
Received: from hax2-04.wsisiz.edu.pl ([213.135.44.188] helo=zorro.ztk-rp.eu) by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <cookie.rp@ztk-rp.eu>) id 1lfJSo-0007QO-Ta for ietf-http-wg@w3.org; Sat, 08 May 2021 09:41:37 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ztk-rp.eu; s=2024; h=Subject:Content-Transfer-Encoding:Content-Type:In-Reply-To: MIME-Version:Date:Message-ID:References:Cc:To:From:Sender:Reply-To:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=7LoPveYWF6U+P8NWKtDA+HAzuPuzrQfJzuDFSuxMdw4=; b=K7VM1OzKkXVw7e1hSJIFILjRQK 1uzw4pYTZSel/AY2+vyz30GF8gX09fb1Gj+NqlRpPM+ke+X38KiptQQwVrv7b9j/A02nmxL9HKK0u vMSzUsGMyR2yTug+CBSeCS57nBDc4/UGdpgWpANO8SATN0q9MKPdwGiMyl4qIChufnrE=;
Received: from [192.168.1.77] (port=60202) by zorro.ztk-rp.eu with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <cookie.rp@ztk-rp.eu>) id 1lfJSW-002YOR-C3; Sat, 08 May 2021 11:41:18 +0200
From: Rafal Pietrak <cookie.rp@ztk-rp.eu>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
References: <11cedf9c-add4-d38c-8761-2ad4498caa47@gmail.com> <nycvar.QRO.7.76.2104292237510.30150@fvyyl> <e1f38a82-fc43-f420-63fa-68604721d536@gmail.com> <b49b4943-0e12-b219-46b7-9988b3d3311f@ztk-rp.eu> <CADYDTCDEiDfGBWWC=64wnNH=U7=FaNk5d8uEuB2daZGGWDvBFg@mail.gmail.com> <ade022cc-81e3-a4f3-542f-8050a5274b5e@ztk-rp.eu>
Message-ID: <74206436-4db7-9496-3b28-5cbafe40b1a7@ztk-rp.eu>
Date: Sat, 08 May 2021 11:41:14 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0
MIME-Version: 1.0
In-Reply-To: <ade022cc-81e3-a4f3-542f-8050a5274b5e@ztk-rp.eu>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 192.168.1.77
X-SA-Exim-Mail-From: cookie.rp@ztk-rp.eu
X-SA-Exim-Version: 4.2.1 (built Sat, 13 Feb 2021 17:57:42 +0000)
X-SA-Exim-Scanned: Yes (on zorro.ztk-rp.eu)
Received-SPF: pass client-ip=213.135.44.188; envelope-from=cookie.rp@ztk-rp.eu; helo=zorro.ztk-rp.eu
X-W3C-Hub-DKIM-Status: validation passed: (address=cookie.rp@ztk-rp.eu domain=ztk-rp.eu), signature is good
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1lfJSo-0007QO-Ta 052640a647cd872f5d7aed69ecc3906a
X-Original-To: ietf-http-wg@w3.org
Subject: Re: WWW-Authenticate proposal: timeout flag
Archived-At: <https://www.w3.org/mid/74206436-4db7-9496-3b28-5cbafe40b1a7@ztk-rp.eu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/38784
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hello everybody,

Thank you again for you time spent on reviewing my original submission.

I've just made new revision of my I-D, based on that review. It is now
available at: https://datatracker.ietf.org/doc/draft-pietrak-cookie-scope/

Like last time, I'll be very grateful if someone can have a look and
comment on it's viability and usefulness.

With best regards,

Rafał Pietrak

W dniu 30.04.2021 o 20:12, Rafal Pietrak pisze:
> Hell,
> 
> Thank your for the review.
> 
> Before I'd address your comments, I'd say, that:
> 
> 1. I'm opened to any suggestions and I'd like to forge the proposal as
> useful (for the purpose intended) and possible - even when a complete
> rewrite would be necessary.
> 
> 2. The intention is to allow for multiple security www contexts being
> available for a user at his/her web-browser. .... and that not at the
> URL level.
> 
> W dniu 30.04.2021 o 18:00, Daniel Veditz pisze:
>> One thing that jumped out at me was the Viewport visibility overriding
>> the specified Domain. Don't do that! Either make setting a too-broad
> 
> OK.
> 
> As you can imagine, my intention was to close any possible leakage of
> cooqies with security tokens.
> 
> But, would you think that stating that: "any Viewport element with
> 'domain' different then domain of the cookie with radius attribute set
> MUST by omitted from 'fetch-list'"? (the "fetch-list" to be defined as
> all the "remote" elements of document in viewport).
> 
>> domain an error and reject the cookie (as we did with __Host- prefixed
>> cookies), or accept that the server knows what it's doing and honor the
>> domain. If, as a web author, you restrict cookies to a viewport you
>> still might have all kinds of sub-resource requests from sibling origins
>> in the same domain. Why break that?
> 
> I don't think my proposal would break anything. I think, that a web
> author, with *new* tool to setup a security-session of his/her web-page
> can conform to any well defined standard.
> 
> On the other hand, I tried to think of any way, the new attribute could
> possibly break current services, and I think I've eliminated all of
> them. If not I'd prefer to modify the proposal around the other
> (WORLD/WINDOW) values to have them guarantee undisturbed work in today's
> use scenario.
> 
> So, I'd rather opt for the requirement, that all who'd like to use the
> new attribute for session logging SHOULD restrict all subresources to
> the domain of the session cookie with viewport radius. ... then loosen
> constraints and exorcise some unforeseen security holes.
> 
> Naturally, I may be too cautious. May be this requires some more examples??
> 
>>
>> It's the "Secure" attribute, not "SecureOnly"
> 
> Right. :)
> 
>>
>> 4 different visibility levels sounds like a PITA to implement, or even
>> define. If a site is using "Tabs" visibility and they do a
> 
> I think, inclusion of examples in the document could clearify the specs.
> I will do that in next revision.
> 
>> window.open(<same-origin>), does it have the same cookies or not? That
> 
> window.open(same_origin) should work (with current proposal). It goes
> into the same origin as defined in cookie in question, so cookie should
> be delivered to the server as expected, and all should work be fine.
> 
>> used to be a popup, so new window == no cookies. In the last decade o> so browsers (only one kind of user agent) have converged on having that
>> be a new tab in the same window (has cookies). If the author specifies
>> size attributes then it's back to a separate window (no cookies). But
> 
> I this case my intention would be to popup the window *without* viewport
> cookie. Consequently, popups wouldn't work with "tight cookie security".
> For a web designer, there are two workarounds:
> 1. put credentials into URL of the popup.
> 2. use modal-pane within the original viewport.
> 
> Both workarounds are "simple", and I believe cover vast majority of use
> cases.
> 
>> that's not part of the HTML specifications, it's just conventions that
>> User Agents have adopted. It would be better to define a cookie spec
>> based on concepts that are specified somewhere and aren't just
>> conventions. You need to come up with some compelling reasons for why
>> each of the levels is necessary and when it would be useful.
> 
> OK. I'll do the in next release.
> 
>>
>> Please restrict this to "session" cookies (no set expiration time). I
>> don't know how I'd store a "Viewport" cookie (on disk, between browser
>> runs if it has a long expiration) that makes sense after you close that
>> one viewport. Or tab, or window.
> 
> OK. Very good point, I didn't thought of that.
> 
>>
>> Would your use-cases be served by the HTML "sessionStorage" feature?
>> It's not sent in HTTP requests so it's definitely not the same, but that
>> is explicitly scoped to the current document and not shared with other
>> documents of the same origin (similar to your Viewport, but excludes
>> same-origin frames).
> 
> No, it wouldn't. The goal is to replace "security-tokens" today
> maintained within URL of the page. That (current - to be obsoleted)
> method allows for web-links (the "a href=") on such page to be correctly
> executed by browsers even without JavaScript. This is very desirable.
> 
> On the other hand, security Tokens kept in sessionStore have to be
> retrieved, and put into the GET headers by a script. This is
> undesirable. Security cookies would most likely be httpOnly, and in such
> case that would be just impossible.
> 
> I hope this explanation make sense. But pls comment if you don't agree.
> 
> BR
> 
> -Rafał
> 
>>
>> -Dan Veditz
>>
>> On Fri, Apr 30, 2021 at 4:37 AM Rafal Pietrak <cookie.rp@ztk-rp.eu
>> <mailto:cookie.rp@ztk-rp.eu>> wrote:
>>
>>     Hi everyone,
>>
>>     W dniu 29.04.2021 o 22:50, Soni L. pisze:
>>     >
>>     >
>>     > On 2021-04-29 5:42 p.m., Daniel Stenberg wrote:
>>     >> On Thu, 29 Apr 2021, Soni L. wrote:
>>     >>
>>     >>> We'd like to be able to specify a timeout value for
>>     WWW-Authenticate,
>>     >>> in particular `timeout=0` so the HTTP authentication can be
>>     converted
>>     >>> into session cookies rather than sending the password in plaintext
>>     >>> (sure, it gets sent over TLS, but that doesn't matter) on every
>>     >>> request. Would anyone be interested in such proposal?
>>     >>
>>     >> What should happen when the time runs out? Is that just an ask to the
>>     >> client that it should drop the auth status at that point?
>>     >>
>>     >> I don't think this is enough to make people stop using cookies for
>>     >> logged in session status even if you would get someone to adopt.
>>     >>
>>     >
>>     > It's to stop using forms, not cookies. Cookies are more secure because
>>     > they don't keep re-sending the password such that a malicious or
>>     > compromised server could exfiltrate the plaintext. Using cookies for
>>     > logged in session status is a good thing.
>>     >
>>
>>     Still, cookies have their problems.
>>
>>     Would somebody be so kind and have a look at my proposal regarding
>>     cookies at:
>>     https://datatracker.ietf.org/doc/draft-pietrak-cookie-scope/
>>     <https://datatracker.ietf.org/doc/draft-pietrak-cookie-scope/>
>>
>>     ... and naturally give it a comment or two :)
>>
>>     Best regards,
>>
>>     -R
>>     -- 
>>     Rafał Pietrak
>>
> 

-- 
Rafał Pietrak

v2.23.0 | Report a Bug | By Email