HTTP Authentication with SASL
Rick van Rein <rick@openfortress.nl> Fri, 14 October 2022 15:49 UTC
Date: Fri, 14 Oct 2022 15:46:00 +0000
From: Rick van Rein <rick@openfortress.nl>
To: ietf-http-wg@w3.org
Message-ID: <20221014154600.GD7248@openfortress.nl>
Subject: HTTP Authentication with SASL
Archived-At: <https://www.w3.org/mid/20221014154600.GD7248@openfortress.nl>
Hello HTTP WG,

We presented work on HTTP-SASL before, and would like to discuss it at IETF 115 in London, or take other sufficient steps to allocate the security mechanism name. Please note this takes IETF action.

We implemented this work in Apache (two versions) and received an external contribution for Nginx. We have it working in Firefox as an extension.

For those relying on Kerberos5, the web only offers SPNEGO, which is considered weak, and HTTP-SASL may replace that. There is excellent potential for automation in HTTP clients, where the norm is now Basic authentication.

We have had two developers of authentication mechanisms turn to us, and find to their relief that SASL, which works for most protocols, can also be used for HTTP. In other words, we enabled them to innovate their cryptographic work (and negotiate the mechanism as part of the customary SASL exchange). Others who hear about this work (and care about technical mechanisms for authentication) tend to warmly welcome this approach.

We were asked before to look for interested parties, and found it. On top of that, we rely on it.

Please let us know if you have any comments. Its design was made in line with the HTTP Authentication framework, of course, and is supportive of stateless servers thanks to the "s2s" attribute.

Hope to see you in London,

Rick van Rein
InternetWide.org

------ ------ ------ ------ ------ ------ ------

A new version of I-D, draft-vanrein-httpauth-sasl-07.txt has been successfully submitted by Rick van Rein and posted to the IETF repository.
Name: draft-vanrein-httpauth-sasl
Revision: 07
Title: HTTP Authentication with SASL
Document date: 2022-10-14
Group: Individual Submission
Pages: 14
URL: https://www.ietf.org/archive/id/draft-vanrein-httpauth-sasl-07.txt
Status: https://datatracker.ietf.org/doc/draft-vanrein-httpauth-sasl/
Htmlized: https://datatracker.ietf.org/doc/html/draft-vanrein-httpauth-sasl
Diff: https://www.ietf.org/rfcdiff?url2=draft-vanrein-httpauth-sasl-07

Abstract:
Most application-level protocols standardise their authentication exchanges under the SASL framework. HTTP has taken another course, and often ends up replicating the work to allow individual mechanisms. This specification adopts full SASL authentication into HTTP.