Re: HTTP Unprompted Authentication

Ben Schwartz <bemasc@google.com> Tue, 18 October 2022 16:19 UTC

From: Ben Schwartz <bemasc@google.com>
Date: Tue, 18 Oct 2022 12:17:58 -0400
Message-ID: <CAHbrMsDgAxqm+iGm0-3rd050OmbiwBS0LY0M41Wi8dwqvAZ+tA@mail.gmail.com>
To: Ryan Hamilton <rch@google.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <https://www.w3.org/mid/CAHbrMsDgAxqm+iGm0-3rd050OmbiwBS0LY0M41Wi8dwqvAZ+tA@mail.gmail.com>

Thanks, the link got mangled.  I meant
https://datatracker.ietf.org/doc/draft-schwartz-modern-http-proxies/

On Tue, Oct 18, 2022 at 12:16 PM Ryan Hamilton <rch@google.com> wrote:

> I think [1] should perhaps be
> https://www.ietf.org/id/draft-schwartz-modern-http-proxies-00.html?
>
> On Tue, Oct 18, 2022 at 9:14 AM Ben Schwartz <bemasc@google.com> wrote:
>
>> I support the goals of the Unprompted Authentication draft.  In fact, I'm
>> so supportive that I recently posted a draft that happens to solve an
>> overlapping problem in a very different way: "Modernizing HTTP Forward
>> Proxy Functionality" [1].
>>
>> To step back: confidential HTTP _resources_ are arguably a solved
>> problem.  We can simply place the resource at an unguessable path (e.g.
>> "capability URLs" [2]).  The problem mentioned by this draft occurs when
>> the HTTP service is origin-scoped (e.g. it is not a resource).  The only
>> non-resource HTTP service that I'm aware of is forward proxy
>> functionality.  Thus, one way to improve confidentiality of proxies is to
>> make them path-scoped, and this is what the "Modernizing" draft does.
>>
>> These proposals are not mutually exclusive.  Path-scoped proxies have
>> other benefits, and unprompted authentication could be useful for other
>> services with inflexible paths (e.g. .well-known/ resources).  However,
>> given the overlapping use cases, these drafts should probably be discussed
>> together.
>>
>> --Ben
>>
>> [1]
>> https://datatracker.ietf.org/doc/draft-schwartz-modern-http-proxies/Modernizing
>> HTTP Forward Proxy Functionality
>> [2] https://www.w3.org/TR/capability-urls/
>>
>
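The quoted message argues that a confidential HTTP resource can be protected simply by placing it at an unguessable path (a "capability URL"), and that the remaining problem is services that are origin-scoped rather than path-scoped. The following is an added example, not code from this thread or from either draft, showing the server side of that idea: a token with 256 bits of CSPRNG entropy is minted into the path, only a SHA-256 digest of the token is stored, and every unknown, malformed or revoked path gets an identical 404 with no WWW-Authenticate challenge, so a client that does not hold the capability learns nothing about whether the service exists. The origin https://example.org and the /c/<token> layout are assumptions for illustration.

```python
"""Capability URLs: confidentiality for an HTTP resource from an unguessable path.

Added example; not code from the thread or from the "Modernizing" or
"Unprompted Authentication" drafts. The origin https://example.org and the
/c/<token> path layout are assumptions made for this illustration.
"""
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

TOKEN_BYTES = 32  # 256 bits of entropy: far beyond any online guessing budget


class CapabilityStore:
    """Maps capability tokens to resource payloads, keeping only a hash of each token."""

    def __init__(self, origin: str = "https://example.org", prefix: str = "/c/") -> None:
        self.origin = origin
        self.prefix = prefix
        self._by_hash: Dict[bytes, str] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        # Index by SHA-256 of the token so a leaked table does not hand out
        # live URLs, and so no byte of the secret token is compared directly.
        return hashlib.sha256(token.encode("ascii")).digest()

    def issue(self, payload: str) -> str:
        """Mint a fresh capability URL for `payload` (hypothetical resource content)."""
        token = secrets.token_urlsafe(TOKEN_BYTES)  # CSPRNG, URL-safe base64
        self._by_hash[self._digest(token)] = payload
        return f"{self.origin}{self.prefix}{token}"

    def serve(self, request_path: str) -> Tuple[int, Dict[str, str], str]:
        """Return (status, headers, body) for an incoming request path.

        Unknown, malformed and revoked capabilities all receive the same 404
        with no WWW-Authenticate header: nothing in the response tells an
        unauthorised client that a protected service lives here.
        """
        not_found = (404, {"Cache-Control": "no-store"}, "")
        if not request_path.startswith(self.prefix):
            return not_found
        token = request_path[len(self.prefix):]
        if not token or "/" in token or not token.isascii():
            return not_found
        payload: Optional[str] = self._by_hash.get(self._digest(token))
        if payload is None:
            return not_found
        # no-store and no-referrer keep the capability out of caches and Referer headers
        return 200, {"Cache-Control": "no-store", "Referrer-Policy": "no-referrer"}, payload

    def revoke(self, url: str) -> bool:
        """Invalidate a previously issued capability URL; True if it was live."""
        token = urlsplit(url).path[len(self.prefix):]
        return self._by_hash.pop(self._digest(token), None) is not None


def path_of(url: str) -> str:
    """Extract the request path a client would send for a capability URL."""
    return urlsplit(url).path


if __name__ == "__main__":
    store = CapabilityStore()
    url = store.issue("constructed sample: quarterly report")
    print(url)
    print(store.serve(path_of(url)))          # 200 with the payload
    print(store.serve("/c/" + "A" * 43))      # 404, indistinguishable from "no such service"
```

The same pattern is what a path-scoped proxy would rely on: the proxy template lives under a high-entropy path segment, and requests that miss it fall through to the origin's ordinary 404 handling rather than to a 407 challenge.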