Client requesting authentication on server & thomson-httpbis-catch
"henry.story@bblfish.net" <henry.story@bblfish.net> Tue, 18 March 2014 18:19 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F15091A0765 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 18 Mar 2014 11:19:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level:
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_34=0.6, J_CHICKENPOX_35=0.6, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8hfL8wfcaiWe for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 18 Mar 2014 11:19:03 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id BEEB51A0767 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 18 Mar 2014 11:14:09 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1WPyVF-0004cA-CH for ietf-http-wg-dist@listhub.w3.org; Tue, 18 Mar 2014 18:12:41 +0000
Resent-Date: Tue, 18 Mar 2014 18:12:41 +0000
Resent-Message-Id: <E1WPyVF-0004cA-CH@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <henry.story@bblfish.net>) id 1WPyV2-0004aE-Lx for ietf-http-wg@listhub.w3.org; Tue, 18 Mar 2014 18:12:28 +0000
Received: from mail-wg0-f42.google.com ([74.125.82.42]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <henry.story@bblfish.net>) id 1WPyV1-0006bM-M9 for ietf-http-wg@w3.org; Tue, 18 Mar 2014 18:12:28 +0000
Received: by mail-wg0-f42.google.com with SMTP id y10so6166967wgg.13 for <ietf-http-wg@w3.org>; Tue, 18 Mar 2014 11:12:01 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:content-type:content-transfer-encoding :subject:date:message-id:cc:to:mime-version; bh=aVnNTEuKre7ffWV4cc7k/HuFWgMterXe0uTJ0+lmcXA=; b=ZnwBiwZsWgphPmM6Fe+WM5VWUZIIYpT3qryUuaVQF4po/S2YnO5/sU3LU4kiq5qpAE jrS5pNbJ2bNdq4AsJCy2AOtwMjLsc/JNc9VKjeUljhw0+zcqb+hRsrEE0wAHY6wvEq2h X+PLPVovhi1tmqiBuY1jF1O2q1e60CoTrt86LB+EnGdBXFwp3K85zFmrge+lk/hJiBCD Ho83+QXet/5qJ4VvmxT0k/b1/u8fFbxcmsd1oWt1soAD6f3G23j5xqtCjvHpAlZtLA39 7OUDRKgxdMXJ0jMl+0qCaXR0us1F5mk/bw54a1VRf4d8nSCF2mUNThN3EKRt98/sUef+ u40g==
X-Gm-Message-State: ALoCoQm76pNKEBbzav/HLRJ9it7s08/Zh1pXPWNWpWUQ5+ksAxJe+SHLH8S8uDI7speyg0lgVdr7
X-Received: by 10.180.12.43 with SMTP id v11mr15542025wib.33.1395166321196; Tue, 18 Mar 2014 11:12:01 -0700 (PDT)
Received: from [10.196.16.182] (host.214.33.23.62.rev.coltfrance.com. [62.23.33.214]) by mx.google.com with ESMTPSA id ga20sm36181512wic.0.2014.03.18.11.12.00 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 18 Mar 2014 11:12:00 -0700 (PDT)
From: "henry.story@bblfish.net" <henry.story@bblfish.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 18 Mar 2014 19:11:57 +0100
Message-Id: <EA2F3433-23B1-40A4-8A5B-943FDFEEAB6C@bblfish.net>
Cc: Martin Thomson <martin.thomson@gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
X-Mailer: Apple Mail (2.1874)
Received-SPF: none client-ip=74.125.82.42; envelope-from=henry.story@bblfish.net; helo=mail-wg0-f42.google.com
X-W3C-Hub-Spam-Status: No, score=-3.7
X-W3C-Hub-Spam-Report: AWL=-2.985, RCVD_IN_DNSWL_LOW=-0.7
X-W3C-Scan-Sig: maggie.w3.org 1WPyV1-0006bM-M9 413fa6629db211c46bd8d87b86dbcb28
X-Original-To: ietf-http-wg@w3.org
Subject: Client requesting authentication on server & thomson-httpbis-catch
Archived-At: <http://www.w3.org/mid/EA2F3433-23B1-40A4-8A5B-943FDFEEAB6C@bblfish.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/22734
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi, We have a problem that is somewhat the opposite of the one described by Martin Thomson recently under draft-thomson-httpbis-catch-00 [1] though we could make use of it. We want to deploy client authentication using TLS now [0], with browsers and clients as they are - that is we cannot wait for TLS1.3, though we look forward to it and improvements such as draft-thomson-tls-care [3] Our problem is that we have resources that can return different information (header or body) depending on the authentication level. Consider for example just the Allow: header. If a user is not authenticated we return the methods allowed for an anonymous user. $ curl -I -k https://bblfish.stample.io/card HTTP/1.1 200 OK Access-Control-Allow-Origin: * Allow: OPTIONS, GET, HEAD Content-Type: text/turtle Accept-Patch: application/sparql-update Link: <card.acl>; rel=acl, <http://www.w3.org/ns/ldp#Resource>; rel=type ( Following the acls could let a more intelligent user agent know what rights it may have as different users, but not as current browsers are set up [2] ) A server could use the thomson-httpbis-catch WWW-Authenticate header to let the client know that authenticated users could do something more if it authenticated. Perhaps like this: $ curl -I -k https://bblfish.stample.io/card HTTP/1.1 200 OK Access-Control-Allow-Origin: * Allow: OPTIONS, GET, HEAD WWW-Authenticate: Certificate Content-Type: text/turtle Accept-Patch: application/sparql-update Link: <card.acl>; rel=acl, <http://www.w3.org/ns/ldp#Resource>; rel=type But now how does the client authenticate with TLS in the current browsers? We don't want the client to do a PUT or a POST or a DELETE on the resource just to do something that it does not have access to. There seem to be two choices here: 1) to have an authentication header that the client could add, to ask the server to authenticate it using TLS client certificates. Perhaps a client could do GET /card HTTP/1.1 Auth: Certificate ... This would be the equivalent in HTTP of what Martin Thomson proposed at the TLS level in his "Client Authentication Request Extension for (D)TLS" RFC [3] . 2) For the server to publish a link relation to a authentication resource. Perhaps with a Link: rel=authn $ curl -I -k https://bblfish.stample.io/card HTTP/1.1 200 OK Access-Control-Allow-Origin: * Allow: OPTIONS, GET, HEAD WWW-Authenticate: Certificate Content-Type: text/turtle Accept-Patch: application/sparql-update Link: <card.acl>; rel=acl, <http://www.w3.org/ns/ldp#Resource>; rel=type Link: </login>; rel=authn Perhaps for TLS renegotiation a more specific rel=authn-tls would be useful. (It's not sure if this answer still needs the WWW-Authenticate: Certificate header ). A lot of things are moving in HTTP, so I may have missed the right tool for the job. Henry [0] Using http://www.w3.org/2005/Incubator/webid/spec/ WebID over TLS [1] http://datatracker.ietf.org/doc/draft-thomson-httpbis-catch/ [2] A client could follow the card.acl resource to find out what it is allowed to do if it is logged in [2], though this would not be too much help for Web Browsers as these do not necessarily know what their identities are - they can't for example access the Certificates in their key store - so the JavaScript would have difficulty finding out what group it belongs to. Note: The acl link is defined in the Web Access Control page of http://www.w3.org/2005/Incubator/webid/spec/ ( it needs to be standardised ) [3] http://datatracker.ietf.org/doc/draft-thomson-tls-care/ Social Web Architect http://bblfish.net/
- Re: Client requesting authentication on server & … henry.story@bblfish.net
- Client requesting authentication on server & thom… henry.story@bblfish.net
- Re: Client requesting authentication on server & … Mark Nottingham
- Re: Client requesting authentication on server & … henry.story@bblfish.net
- Re: Client requesting authentication on server & … Mark Nottingham
- Re: Client requesting authentication on server & … Amos Jeffries