IETF Logo Mail Archive

Re: Working Group Last Call: draft-ietf-httpbis-auth-info

Amos Jeffries <squid3@treenet.co.nz> Wed, 11 February 2015 01:41 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BCCB1A1ADB for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 10 Feb 2015 17:41:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jJXZ900_lTNe for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 10 Feb 2015 17:41:01 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E402E1A1A20 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 10 Feb 2015 17:41:00 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1YLMFo-0005AK-Gp for ietf-http-wg-dist@listhub.w3.org; Wed, 11 Feb 2015 01:38:12 +0000
Resent-Date: Wed, 11 Feb 2015 01:38:12 +0000
Resent-Message-Id: <E1YLMFo-0005AK-Gp@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.80) (envelope-from <squid3@treenet.co.nz>) id 1YLMFj-00059d-0y for ietf-http-wg@listhub.w3.org; Wed, 11 Feb 2015 01:38:07 +0000
Received: from 121-99-228-82.static.orcon.net.nz ([121.99.228.82] helo=treenet.co.nz) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <squid3@treenet.co.nz>) id 1YLMFh-0001Wn-9i for ietf-http-wg@w3.org; Wed, 11 Feb 2015 01:38:06 +0000
Received: from [192.168.2.6] (121-98-145-59.bng1.mdr.orcon.net.nz [121.98.145.59]) by treenet.co.nz (Postfix) with ESMTP id 6DF40E6FA6 for <ietf-http-wg@w3.org>; Wed, 11 Feb 2015 14:37:33 +1300 (NZDT)
Message-ID: <54DAB257.5000203@treenet.co.nz>
Date: Wed, 11 Feb 2015 14:37:27 +1300
From: Amos Jeffries <squid3@treenet.co.nz>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: ietf-http-wg@w3.org
References: <0E4872BF-EBCB-42C0-9BF9-8BC179C1BDDA@mnot.net>
In-Reply-To: <0E4872BF-EBCB-42C0-9BF9-8BC179C1BDDA@mnot.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=121.99.228.82; envelope-from=squid3@treenet.co.nz; helo=treenet.co.nz
X-W3C-Hub-Spam-Status: No, score=-2.4
X-W3C-Hub-Spam-Report: AWL=-2.362, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TVD_RCVD_IP=0.001, URIBL_BLOCKED=0.001
X-W3C-Scan-Sig: lisa.w3.org 1YLMFh-0001Wn-9i 1ffeb70376471711d88a7d3d2256f713
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Working Group Last Call: draft-ietf-httpbis-auth-info
Archived-At: <http://www.w3.org/mid/54DAB257.5000203@treenet.co.nz>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/28805
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 11/02/2015 11:59 a.m., Mark Nottingham wrote:
> Everyone,
> 
> Julian believes (with his editor hat on) that this is ready. As discussed, this is a simple document to pull the Authentication-Info and Proxy-Authentication-Info header fields out of 2617, so that they’re not associated with a particular authentication scheme (thereby avoiding lots of scheme-specific headers).
> 
> Therefore, this is the announcement of WGLC for: 
>  https://tools.ietf.org/html/draft-ietf-httpbis-auth-info-02
> 
> Please review the document carefully, and comment on this list.
> 


Section 3 paragraph 3 says "
 Intermediaries are not allowed to modify the field value in any way.
"

RFC 7235 uses wording in the form:
  A proxy forwarding ... MUST NOT modify ...

I believe the Authentication-Info should share both normative MUST NOT,
and term "proxy" instead of intermediary. Since there are legitimate
cases where gateways and/or other intermediaries may need to change it
per the relevant auth scheme.



Section 4 uses the term "proxy authentication" referencing RFC 7235.

In RFC 7235 there is no definition, and only a vague implied explanation
of that term via explaining what the 407 status means.

I believe the text in section 4 should be re-written to match the
per-header descriptions found in RFC 7235 sectio 4.3/4.3 paragraph 2.
With mention specifically about how it differs from Authentication-Info
by being hop-by-hop.



Under security considerations I believe it would be good to mention that
recipients of the Authentication-Info header in any response should
(ought to or SHOULD?) treat the transaction as if it were authenticated
even if the RFC7235 headers are not present.
 Some of the use-cases I see for this header include out-of-band
authentication. If the server is treating the reply as authenticated it
may inadvertently include private information in the payload or other
headers.



Also, Yutaka brought up the issue of association between selected scheme
and Authentication-Info contents. I believe this document is the right
place to reserve a parameter scheme= which takes the auth-scheme as its
value for the purpose in the same way RFC 7235 reserves the realm=
parameter for use across schemes.


Amos

v2.39.1 | Report a Bug | By Email | System Status