IETF Logo Mail Archive

Client requesting authentication on server & thomson-httpbis-catch

"henry.story@bblfish.net" <henry.story@bblfish.net> Tue, 18 March 2014 18:19 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F15091A0765 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 18 Mar 2014 11:19:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level:
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_34=0.6, J_CHICKENPOX_35=0.6, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8hfL8wfcaiWe for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 18 Mar 2014 11:19:03 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id BEEB51A0767 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 18 Mar 2014 11:14:09 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1WPyVF-0004cA-CH for ietf-http-wg-dist@listhub.w3.org; Tue, 18 Mar 2014 18:12:41 +0000
Resent-Date: Tue, 18 Mar 2014 18:12:41 +0000
Resent-Message-Id: <E1WPyVF-0004cA-CH@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <henry.story@bblfish.net>) id 1WPyV2-0004aE-Lx for ietf-http-wg@listhub.w3.org; Tue, 18 Mar 2014 18:12:28 +0000
Received: from mail-wg0-f42.google.com ([74.125.82.42]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <henry.story@bblfish.net>) id 1WPyV1-0006bM-M9 for ietf-http-wg@w3.org; Tue, 18 Mar 2014 18:12:28 +0000
Received: by mail-wg0-f42.google.com with SMTP id y10so6166967wgg.13 for <ietf-http-wg@w3.org>; Tue, 18 Mar 2014 11:12:01 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:content-type:content-transfer-encoding :subject:date:message-id:cc:to:mime-version; bh=aVnNTEuKre7ffWV4cc7k/HuFWgMterXe0uTJ0+lmcXA=; b=ZnwBiwZsWgphPmM6Fe+WM5VWUZIIYpT3qryUuaVQF4po/S2YnO5/sU3LU4kiq5qpAE jrS5pNbJ2bNdq4AsJCy2AOtwMjLsc/JNc9VKjeUljhw0+zcqb+hRsrEE0wAHY6wvEq2h X+PLPVovhi1tmqiBuY1jF1O2q1e60CoTrt86LB+EnGdBXFwp3K85zFmrge+lk/hJiBCD Ho83+QXet/5qJ4VvmxT0k/b1/u8fFbxcmsd1oWt1soAD6f3G23j5xqtCjvHpAlZtLA39 7OUDRKgxdMXJ0jMl+0qCaXR0us1F5mk/bw54a1VRf4d8nSCF2mUNThN3EKRt98/sUef+ u40g==
X-Gm-Message-State: ALoCoQm76pNKEBbzav/HLRJ9it7s08/Zh1pXPWNWpWUQ5+ksAxJe+SHLH8S8uDI7speyg0lgVdr7
X-Received: by 10.180.12.43 with SMTP id v11mr15542025wib.33.1395166321196; Tue, 18 Mar 2014 11:12:01 -0700 (PDT)
Received: from [10.196.16.182] (host.214.33.23.62.rev.coltfrance.com. [62.23.33.214]) by mx.google.com with ESMTPSA id ga20sm36181512wic.0.2014.03.18.11.12.00 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 18 Mar 2014 11:12:00 -0700 (PDT)
From: "henry.story@bblfish.net" <henry.story@bblfish.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 18 Mar 2014 19:11:57 +0100
Message-Id: <EA2F3433-23B1-40A4-8A5B-943FDFEEAB6C@bblfish.net>
Cc: Martin Thomson <martin.thomson@gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
X-Mailer: Apple Mail (2.1874)
Received-SPF: none client-ip=74.125.82.42; envelope-from=henry.story@bblfish.net; helo=mail-wg0-f42.google.com
X-W3C-Hub-Spam-Status: No, score=-3.7
X-W3C-Hub-Spam-Report: AWL=-2.985, RCVD_IN_DNSWL_LOW=-0.7
X-W3C-Scan-Sig: maggie.w3.org 1WPyV1-0006bM-M9 413fa6629db211c46bd8d87b86dbcb28
X-Original-To: ietf-http-wg@w3.org
Subject: Client requesting authentication on server & thomson-httpbis-catch
Archived-At: <http://www.w3.org/mid/EA2F3433-23B1-40A4-8A5B-943FDFEEAB6C@bblfish.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/22734
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi,

    We have a problem that is somewhat the opposite of the
one described by Martin Thomson recently under draft-thomson-httpbis-catch-00 [1]
though we could make use of it.

We want to deploy client authentication using TLS now [0], with browsers and clients
as they are - that is we cannot wait for TLS1.3, though we look forward to it and
improvements such as draft-thomson-tls-care [3]

Our problem is that we have resources that can return different information
(header or body) depending on the authentication level. Consider for example just
the Allow: header. If a user is not authenticated we return the methods allowed for
an anonymous user.

$ curl -I -k https://bblfish.stample.io/card
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Allow: OPTIONS, GET, HEAD
Content-Type: text/turtle
Accept-Patch: application/sparql-update
Link: <card.acl>; rel=acl, <http://www.w3.org/ns/ldp#Resource>; rel=type

( Following the acls could let a more intelligent user agent know what rights 
  it may have as different users, but not as current browsers are set up [2] )

A server could use the thomson-httpbis-catch WWW-Authenticate header to let 
the client know that authenticated users could do something more if it 
authenticated. Perhaps like this:

$ curl -I -k https://bblfish.stample.io/card
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Allow: OPTIONS, GET, HEAD
WWW-Authenticate: Certificate
Content-Type: text/turtle
Accept-Patch: application/sparql-update
Link: <card.acl>; rel=acl, <http://www.w3.org/ns/ldp#Resource>; rel=type 

But now how does the client authenticate with TLS in the current browsers?
We don't want the client to do a PUT or a POST or a DELETE on the resource
just to do something that it does not have access to. 


There seem to be two choices here:

 1) to have an authentication header that the client could add,
   to ask the server to authenticate it using TLS client certificates. Perhaps
   a client could do 

   GET /card HTTP/1.1
   Auth: Certificate
   ...

  This would be the equivalent in HTTP of what Martin Thomson proposed at the TLS
  level in his "Client Authentication Request Extension for (D)TLS" RFC [3] . 


  2) For the server to publish a link relation to a authentication resource.
   Perhaps with a Link: rel=authn

$ curl -I -k https://bblfish.stample.io/card
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Allow: OPTIONS, GET, HEAD
WWW-Authenticate: Certificate
Content-Type: text/turtle
Accept-Patch: application/sparql-update
Link: <card.acl>; rel=acl, <http://www.w3.org/ns/ldp#Resource>; rel=type 
Link: </login>; rel=authn

   Perhaps for TLS renegotiation a more specific rel=authn-tls would 
be useful. (It's not sure if this answer still needs the WWW-Authenticate: Certificate 
header ). 

   A lot of things are moving in HTTP, so I may have missed the right tool 
for the job.

Henry

[0] Using http://www.w3.org/2005/Incubator/webid/spec/ WebID over TLS
[1] http://datatracker.ietf.org/doc/draft-thomson-httpbis-catch/
[2]  A client could follow the card.acl resource to find out what it is allowed to
do if it is logged in [2], though this would not be too much help for Web Browsers
as these do not necessarily know what their identities are - they can't for
example access the Certificates in their key store - so the JavaScript would have
difficulty finding out what group it belongs to.  Note: The acl link is defined 
in the Web Access Control page of 
     http://www.w3.org/2005/Incubator/webid/spec/
( it needs to be standardised )
[3] http://datatracker.ietf.org/doc/draft-thomson-tls-care/
 


Social Web Architect
http://bblfish.net/

v2.23.0 | Report a Bug | By Email