IETF Logo Mail Archive

Re: [Secdispatch] I-D on dealing with the 3xx XOR 401 problem

Nico Williams <nico@cryptonector.com> Tue, 31 March 2020 05:03 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 321043A1B13 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 30 Mar 2020 22:03:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.851
X-Spam-Level:
X-Spam-Status: No, score=-0.851 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ze_kJJVjfdb6 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 30 Mar 2020 22:03:37 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E36483A1B14 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 30 Mar 2020 22:03:36 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1jJ90e-0001R9-CQ for ietf-http-wg-dist@listhub.w3.org; Tue, 31 Mar 2020 05:00:20 +0000
Resent-Date: Tue, 31 Mar 2020 05:00:20 +0000
Resent-Message-Id: <E1jJ90e-0001R9-CQ@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <nico@cryptonector.com>) id 1jJ90c-0001QO-1P for ietf-http-wg@listhub.w3.org; Tue, 31 Mar 2020 05:00:18 +0000
Received: from aye.elm.relay.mailchannels.net ([23.83.212.6]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <nico@cryptonector.com>) id 1jJ90Y-0003Js-KV for ietf-http-wg@w3.org; Tue, 31 Mar 2020 05:00:17 +0000
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id A21B5100D13; Tue, 31 Mar 2020 05:00:01 +0000 (UTC)
Received: from pdx1-sub0-mail-a18.g.dreamhost.com (100-96-9-10.trex.outbound.svc.cluster.local [100.96.9.10]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 1581E100880; Tue, 31 Mar 2020 05:00:01 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a18.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.18.6); Tue, 31 Mar 2020 05:00:01 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Tasty-Descriptive: 00ee9aeb2ef1f99c_1585630801490_1776198837
X-MC-Loop-Signature: 1585630801490:1937684565
X-MC-Ingress-Time: 1585630801489
Received: from pdx1-sub0-mail-a18.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a18.g.dreamhost.com (Postfix) with ESMTP id A534AB26A8; Mon, 30 Mar 2020 22:00:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=HaDnLC1lgnBScE FtrjjXypZY9aw=; b=nBAzay9qPq8b4WrmWNM18HQ3nZZTVWiVGtTyu745t4wkT3 JXKwwcF/EkC13E1CNR1JOIIcQ5Ke1ICGGqq3mKOm00c8r0VU75qMvbu5LKvAOtrc q8GJw1T+tn/B5/dnf/XGd0Ml7emWTta6Np9xtzi1/z1cRGhJWTOqrkMWinoN8=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a18.g.dreamhost.com (Postfix) with ESMTPSA id 6FD91B26A2; Mon, 30 Mar 2020 21:59:57 -0700 (PDT)
Date: Mon, 30 Mar 2020 23:59:54 -0500
X-DH-BACKEND: pdx1-sub0-mail-a18
From: Nico Williams <nico@cryptonector.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: ietf-http-wg@w3.org, secdispatch@ietf.org
Message-ID: <20200331045953.GP18021@localhost>
References: <20200329043333.GO18021@localhost> <20200331020629.GD50174@kduck.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20200331020629.GD50174@kduck.mit.edu>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: -100
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedugedrudeiiedgkeekucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftfghnshhusghstghrihgsvgdpffftgfetoffjqffuvfenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepfffhvffukfhfgggtuggjfgesthdtredttdervdenucfhrhhomheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqeenucfkphepvdegrddvkedruddtkedrudekfeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehlohgtrghlhhhoshhtpdhinhgvthepvdegrddvkedruddtkedrudekfedprhgvthhurhhnqdhprghthheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqedpmhgrihhlfhhrohhmpehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmpdhnrhgtphhtthhopehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhm
Received-SPF: pass client-ip=23.83.212.6; envelope-from=nico@cryptonector.com; helo=aye.elm.relay.mailchannels.net
X-W3C-Hub-Spam-Status: No, score=-5.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1jJ90Y-0003Js-KV f8974492c3c6febefe305a87622e0843
X-Original-To: ietf-http-wg@w3.org
Subject: Re: [Secdispatch] I-D on dealing with the 3xx XOR 401 problem
Archived-At: <https://www.w3.org/mid/20200331045953.GP18021@localhost>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37489
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Mon, Mar 30, 2020 at 07:06:29PM -0700, Benjamin Kaduk wrote:
> On Sat, Mar 28, 2020 at 11:37:48PM -0500, Nico Williams wrote:
> > This I-D then adds an Accept-Auth request header, and an HTTP
> 
> Interestingly, I was just thinking about whether such an Accept-Auth
> header would be useful in the context of Rick's SASL proposal that was
> presented at SECDISPATCH last week.  Perhaps along with a way for the
> server to annotate that various (e.g., linked) resources will require
> a given authentication mechanism, there might be a route to improving

The server isn't going to want to authenticate the user differently for
different resources -- authorize differently, yes, but probably still
with the same scheme.

> the UX in this space ... though there's a long way for it to go, so I
> don't know that these in and of themselves will make a huge
> difference.

I don't quite follow.  There's lots more work to do about UX?  Sure.
But I know this header will make a huge difference for sites where
there's a mix of Negotiate and Bearer -- it's absolutely essential for
the server to know which (if either, possibly both) are supported.  So
I'd very much like to move forward with registering the header by
requesting Expert Review for it.

What about the Redirect scheme?  Have I missed something important?
That will require IETF Review.  I've added security considerations text
in my GH repo for this, nicowilliams/accept-auth-and-redirect, FYI.

Nico
--

v2.23.0 | Report a Bug | By Email