Re: [Secdispatch] I-D on dealing with the 3xx XOR 401 problem

Nico Williams <> Tue, 31 March 2020 05:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 47A2F3A1BBB for <>; Mon, 30 Mar 2020 22:54:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.851
X-Spam-Status: No, score=-0.851 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id EoLrU1A2wAJE for <>; Mon, 30 Mar 2020 22:54:35 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id F40F43A1BBA for <>; Mon, 30 Mar 2020 22:54:34 -0700 (PDT)
Received: from lists by with local (Exim 4.92) (envelope-from <>) id 1jJ9o0-0007Vg-2M for; Tue, 31 Mar 2020 05:51:21 +0000
Resent-Date: Tue, 31 Mar 2020 05:51:20 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <>) id 1jJ9nv-0007Uv-MR for; Tue, 31 Mar 2020 05:51:15 +0000
Received: from ([]) by with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <>) id 1jJ9ns-0004iC-MT for; Tue, 31 Mar 2020 05:51:15 +0000
X-Sender-Id: dreamhost|x-authsender|
Received: from (localhost []) by (Postfix) with ESMTP id 389001006B4; Tue, 31 Mar 2020 05:51:00 +0000 (UTC)
Received: from (100-96-12-20.trex.outbound.svc.cluster.local []) (Authenticated sender: dreamhost) by (Postfix) with ESMTPA id AE05D100855; Tue, 31 Mar 2020 05:50:59 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by (trex/5.18.6); Tue, 31 Mar 2020 05:51:00 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|
X-MailChannels-Auth-Id: dreamhost
X-Invention-Thread: 45385e151954189e_1585633859981_3342648246
X-MC-Loop-Signature: 1585633859980:2500628170
X-MC-Ingress-Time: 1585633859980
Received: from (localhost []) by (Postfix) with ESMTP id 71B31B26B2; Mon, 30 Mar 2020 22:50:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to;; bh=JpfdRNB65hMvWF vzGTnrbDejUzI=; b=hUlrdilRPvftVdRYCu9hm5PO0yzvMDRDq2puRp7f8Xi9yp jEpFg4dezD6pdGL2qYF+RyaDpeHMmLJQAQg1afLhT9TDuYEjWwVRhftbl7oL5TKU 9h8FRRV6fDN1naJraPf8itsZSDnsrvmRSN/ATRt3bG9/OO26jmFEnGsIqb34Q=
Received: from localhost (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id C4E40B26AC; Mon, 30 Mar 2020 22:50:57 -0700 (PDT)
Date: Tue, 31 Mar 2020 00:50:55 -0500
X-DH-BACKEND: pdx1-sub0-mail-a18
From: Nico Williams <>
To: Benjamin Kaduk <>
Message-ID: <20200331055054.GQ18021@localhost>
References: <20200329043333.GO18021@localhost> <> <20200331045953.GP18021@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20200331045953.GP18021@localhost>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedugedrudeiiedgleelucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftfghnshhusghstghrihgsvgdpffftgfetoffjqffuvfenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepfffhvffukfhfgggtuggjfgesthdtredttdervdenucfhrhhomheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqeenucfkphepvdegrddvkedruddtkedrudekfeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehlohgtrghlhhhoshhtpdhinhgvthepvdegrddvkedruddtkedrudekfedprhgvthhurhhnqdhprghthheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqedpmhgrihhlfhhrohhmpehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmpdhnrhgtphhtthhopehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhm
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-5.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: 1jJ9ns-0004iC-MT 587c50364ff98f00836d33a01a934233
Subject: Re: [Secdispatch] I-D on dealing with the 3xx XOR 401 problem
Archived-At: <>
X-Mailing-List: <> archive/latest/37490
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

On Mon, Mar 30, 2020 at 11:59:54PM -0500, Nico Williams wrote:
> On Mon, Mar 30, 2020 at 07:06:29PM -0700, Benjamin Kaduk wrote:
> ...
> What about the Redirect scheme?  Have I missed something important?
> That will require IETF Review.  I've added security considerations text
> in my GH repo for this, nicowilliams/accept-auth-and-redirect, FYI.

One thought that occurs is that the Authorization header should only be
preserved from the last redirect: the one back to the original origin.
And a new header could be preserved in all the other hops to enable
communication between the origin and the auth services via the

This way there would be no way for an origin to confuse an auth service
via an Authorization header.  After all, that's for the user-agent to
authenticate to the auth service.  We shouldn't give the Authorization
header two different uses.

On the last redirect, however, we really should want to preserve the
Authorization header, as it will -presumably- be authenticating the user
to the relying party with a token issued by the last hop.