Re: HTTP Unprompted Authentication

David Schinazi <dschinazi.ietf@gmail.com> Sat, 04 February 2023 00:32 UTC

From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Fri, 03 Feb 2023 16:30:16 -0800
Message-ID: <CAPDSy+40ymp3Qje9QNhNgNpT-9-0qVqE4zrjQhvmHrsgyS5dog@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Cc: Benjamin Schwartz <ben@bemasc.net>, Tommy Pauly <tpauly@apple.com>, Mark Nottingham <mnot@mnot.net>
Subject: Re: HTTP Unprompted Authentication
Archived-At: <https://www.w3.org/mid/CAPDSy+40ymp3Qje9QNhNgNpT-9-0qVqE4zrjQhvmHrsgyS5dog@mail.gmail.com>

Hi HTTP enthusiasts,

When I presented HTTP unprompted authentication at the last IETF,
there appeared to be interest in the room but Ben raised some concerns.
The chairs asked me to resolve those before asking about adoption.
Ben and I met and were able to resolve them by changing the document
to reuse the HTTP Authentication Schemes registry instead of defining
a new one. This change is visible in revision -01:
https://www.ietf.org/archive/id/draft-schinazi-httpbis-unprompted-auth-01.html
and a diff is here:
https://author-tools.ietf.org/iddiff?url2=draft-schinazi-httpbis-unprompted-auth-01

Chairs, I would now like to ask for an adoption call if you think that's a
good idea.

Thanks,
David

On Thu, Oct 13, 2022 at 2:55 PM David Schinazi <dschinazi.ietf@gmail.com>
wrote:

> Thanks Ilari and Nick for the reviews. I agree with your points and think
> we can resolve them in a pretty straightforward way. To make sure we don't
> lose them, I've filed them as individual GitHub issues <
> https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues>.
> We'll look into addressing them once we have a decision from the WG whether
> there is interest in adoption.
>
> David
>
> On Thu, Oct 13, 2022 at 2:44 PM Nick Harper <ietf@nharper.org> wrote:
>
>> I agree with Ilari - do not use the TLS SignatureAlgorithm and
>> HashAlgorithm registries that were orphaned by RFC 8447. For (asymmetric)
>> signatures, you could use the 16-bit TLS SignatureScheme registry (
>> https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme
>> ).
>>
>> The draft is very light on details about where the user's key (private or
>> symmetric) comes from. I assume that key
>> generation/distribution/registration/etc is out of scope for this draft,
>> but the draft should address the security properties expected of said key,
>> e.g. can a key be used for Unprompted Authentication and another use?
>>
>> There's no mention of how a server should process this header and respond
>> to it. Given that the purpose is to be unprobable, the draft should
>> probably say something to the effect of "if a server receives a header it
>> is unable to validate, it should process the request as if the header were
>> not present". The security considerations should also discuss ways that a
>> server might inadvertently reveal that it serves resources protected by
>> this mechanism.
>>
>> On Thu, Oct 13, 2022 at 1:09 PM Ilari Liusvaara <ilariliusvaara@welho.com>
>> wrote:
>>
>>> On Thu, Oct 13, 2022 at 11:58:56AM -0700, David Schinazi wrote:
>>> > Hello HTTP enthusiasts,
>>> >
>>> > ---------- Forwarded message ---------
>>> > Name:           draft-schinazi-httpbis-unprompted-auth
>>> > Revision:       00
>>> > Title:          HTTP Unprompted Authentication
>>> > Document date:  2022-10-13
>>> > Group:          Individual Submission
>>> > Pages:          9
>>> > URL:
>>> >
>>> https://www.ietf.org/archive/id/draft-schinazi-httpbis-unprompted-auth-00.txt
>>>
>>> Some quick comments:
>>>
>>> - I do not see a requirement for TLS 1.3 or Extended Master Secret
>>>   anywhere. It is not safe to use TLS Exporters for authentication
>>>   otherwise.
>>>
>>> - There is no requirement to include hash algorithm in signatures.
>>>   There are TLS signature algorithms that mean totally different
>>>   things depending on hash function, and more of those could
>>>   appear in the future. E.g., signatures 7 and 8 already have double
>>>   meaning (EdDSA [hash 8] and some Chinese stuff [hash 7]).
>>>
>>> - The signatures do not appear to be contextualized in any way,
>>>   which is questionable. For example, one could use the same
>>>   contextualization mechanism that TLS 1.3 uses (which prepends
>>>   64 spaces, a context label and NUL [one zero octet]).
>>>
>>>
>>>
>>> -Ilari
>>>
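
Added example, not part of the thread or of the draft: a Python illustration of two review points quoted above, Ilari's TLS 1.3-style contextualization (64 spaces, a context label, one NUL octet) and Nick's rule that a header the server cannot validate is processed as if it were not present. The label string, the 404 response, the function names, and the use of HMAC-SHA256 with a symmetric key in place of an asymmetric signature are assumptions of this example.

```python
import hashlib
import hmac

# TLS 1.3 (RFC 8446, section 4.4.3) signs: 64 spaces || context label || 0x00 || content.
PAD = b"\x20" * 64
# Hypothetical label for this example; not taken from the draft.
LABEL = b"example, HTTP unprompted authentication"


def contextualize(label: bytes, content: bytes) -> bytes:
    """Build the domain-separated input in the TLS 1.3 layout."""
    if b"\x00" in label:
        raise ValueError("label must not contain NUL, it is the separator")
    return PAD + label + b"\x00" + content


def make_proof(key: bytes, exporter_output: bytes, label: bytes = LABEL) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the signature or MAC primitive.
    return hmac.new(key, contextualize(label, exporter_output), hashlib.sha256).digest()


def authenticated_user(keys: dict, user, proof, exporter_output: bytes):
    """Return the user name if the proof validates, else None.

    None means "process the request as if the header were not present":
    unknown user, malformed proof and wrong proof all look the same.
    """
    key = keys.get(user)
    # Compute a MAC even for unknown users so both paths do the same work.
    expected = make_proof(key or b"\x00" * 32, exporter_output)
    ok = isinstance(proof, bytes) and hmac.compare_digest(expected, proof)
    return user if (key is not None and ok) else None


def handle(keys: dict, header, exporter_output: bytes):
    """header is a (user, proof) tuple, or None when the header is absent."""
    user, proof = header if header else (None, None)
    if authenticated_user(keys, user, proof, exporter_output):
        return 200, "protected resource"
    # Assumption: the hidden resource answers 404 to everyone else,
    # so a failed validation cannot be told apart from a missing header.
    return 404, "not found"
```

A proof computed under a different label, over a different connection's exporter output, or with no contextualization at all fails validation, and the server's answer is then identical to its answer for a request that carried no header.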