Re: [Secdispatch] I-D on dealing with the 3xx XOR 401 problem

Nico Williams <> Tue, 31 March 2020 05:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 321043A1B13 for <>; Mon, 30 Mar 2020 22:03:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.851
X-Spam-Status: No, score=-0.851 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ze_kJJVjfdb6 for <>; Mon, 30 Mar 2020 22:03:37 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E36483A1B14 for <>; Mon, 30 Mar 2020 22:03:36 -0700 (PDT)
Received: from lists by with local (Exim 4.92) (envelope-from <>) id 1jJ90e-0001R9-CQ for; Tue, 31 Mar 2020 05:00:20 +0000
Resent-Date: Tue, 31 Mar 2020 05:00:20 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <>) id 1jJ90c-0001QO-1P for; Tue, 31 Mar 2020 05:00:18 +0000
Received: from ([]) by with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <>) id 1jJ90Y-0003Js-KV for; Tue, 31 Mar 2020 05:00:17 +0000
X-Sender-Id: dreamhost|x-authsender|
Received: from (localhost []) by (Postfix) with ESMTP id A21B5100D13; Tue, 31 Mar 2020 05:00:01 +0000 (UTC)
Received: from (100-96-9-10.trex.outbound.svc.cluster.local []) (Authenticated sender: dreamhost) by (Postfix) with ESMTPA id 1581E100880; Tue, 31 Mar 2020 05:00:01 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by (trex/5.18.6); Tue, 31 Mar 2020 05:00:01 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|
X-MailChannels-Auth-Id: dreamhost
X-Tasty-Descriptive: 00ee9aeb2ef1f99c_1585630801490_1776198837
X-MC-Loop-Signature: 1585630801490:1937684565
X-MC-Ingress-Time: 1585630801489
Received: from (localhost []) by (Postfix) with ESMTP id A534AB26A8; Mon, 30 Mar 2020 22:00:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to;; bh=HaDnLC1lgnBScE FtrjjXypZY9aw=; b=nBAzay9qPq8b4WrmWNM18HQ3nZZTVWiVGtTyu745t4wkT3 JXKwwcF/EkC13E1CNR1JOIIcQ5Ke1ICGGqq3mKOm00c8r0VU75qMvbu5LKvAOtrc q8GJw1T+tn/B5/dnf/XGd0Ml7emWTta6Np9xtzi1/z1cRGhJWTOqrkMWinoN8=
Received: from localhost (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id 6FD91B26A2; Mon, 30 Mar 2020 21:59:57 -0700 (PDT)
Date: Mon, 30 Mar 2020 23:59:54 -0500
X-DH-BACKEND: pdx1-sub0-mail-a18
From: Nico Williams <>
To: Benjamin Kaduk <>
Message-ID: <20200331045953.GP18021@localhost>
References: <20200329043333.GO18021@localhost> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedugedrudeiiedgkeekucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftfghnshhusghstghrihgsvgdpffftgfetoffjqffuvfenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepfffhvffukfhfgggtuggjfgesthdtredttdervdenucfhrhhomheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqeenucfkphepvdegrddvkedruddtkedrudekfeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehlohgtrghlhhhoshhtpdhinhgvthepvdegrddvkedruddtkedrudekfedprhgvthhurhhnqdhprghthheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqedpmhgrihhlfhhrohhmpehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmpdhnrhgtphhtthhopehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhm
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-5.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: 1jJ90Y-0003Js-KV f8974492c3c6febefe305a87622e0843
Subject: Re: [Secdispatch] I-D on dealing with the 3xx XOR 401 problem
Archived-At: <>
X-Mailing-List: <> archive/latest/37489
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

On Mon, Mar 30, 2020 at 07:06:29PM -0700, Benjamin Kaduk wrote:
> On Sat, Mar 28, 2020 at 11:37:48PM -0500, Nico Williams wrote:
> > This I-D then adds an Accept-Auth request header, and an HTTP
> Interestingly, I was just thinking about whether such an Accept-Auth
> header would be useful in the context of Rick's SASL proposal that was
> presented at SECDISPATCH last week.  Perhaps along with a way for the
> server to annotate that various (e.g., linked) resources will require
> a given authentication mechanism, there might be a route to improving

The server isn't going to want to authenticate the user differently for
different resources -- authorize differently, yes, but probably still
with the same scheme.

> the UX in this space ... though there's a long way for it to go, so I
> don't know that these in and of themselves will make a huge
> difference.

I don't quite follow.  There's lots more work to do about UX?  Sure.
But I know this header will make a huge difference for sites where
there's a mix of Negotiate and Bearer -- it's absolutely essential for
the server to know which (if either, possibly both) are supported.  So
I'd very much like to move forward with registering the header by
requesting Expert Review for it.

What about the Redirect scheme?  Have I missed something important?
That will require IETF Review.  I've added security considerations text
in my GH repo for this, nicowilliams/accept-auth-and-redirect, FYI.