Re: Follow-up on draft-ietf-netconf-http-client-server

Ben Schwartz <bemasc@google.com> Thu, 23 July 2020 18:09 UTC

From: Ben Schwartz <bemasc@google.com>
Date: Thu, 23 Jul 2020 14:06:21 -0400
Message-ID: <CAHbrMsDNwZN64Y7Tfp0e0JQOSfArk5LeUTC8JqBeatiBVFJN0g@mail.gmail.com>
To: Kent Watsen <kent+ietf@watsen.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>

No, it's entirely common to operate a Web Proxy that does not require or
perform any HTTP or TLS client authentication.  Typically, this is because
authorization is implicit from the network topology, and the proxy is only
reachable by authorized users.

On Thu, Jul 23, 2020 at 11:24 AM Kent Watsen <kent+ietf@watsen.net> wrote:

>
> TL;DR;  Is client-auth to a web proxy mandatory?
>
> Thanks,
> Kent
>
>
> On Jul 21, 2020, at 12:40 PM, Kent Watsen <kent+ietf@watsen.net> wrote:
>
> Thank you all for your earlier comments regarding
> draft-ietf-netconf-http-client-server
> <https://tools.ietf.org/html/draft-ietf-netconf-http-client-server>.
>
> The draft is now almost ready for WGLC (which will be CC-ed here as well),
> but there remains one item for which your guidance is needed (see bottom).
>
> First, as a recap, one of the primary takeaways from before was that
> proxies can be supported both at the TCP-level (i.e., via SOCKS) and at the
> HTTP-level (i.e. via a Web Proxy).
>
> In order to support TCP-level proxies, the “tcp-client-grouping”, which is
> defined in another draft (draft-ietf-netconf-tcp-client-server
> <https://tools.ietf.org/html/draft-ietf-netconf-tcp-client-server>), now
> defines optional configuration enabling any TCP-client to initiate a
> connection via a proxy.  FWIW, here is a direct link to the “tree diagram”
> <https://tools.ietf.org/html/draft-ietf-netconf-tcp-client-server-07#section-3.1.2.1>
> illustrating this.
>
> In order to support HTTP-level proxies, *this* draft was modified to
> introduce a new “proxy-connect” configuration stanza that, in effect, is
> the complete configuration for another HTTP-client connection.  Here’s a direct
> link to the “tree diagram”
> <https://tools.ietf.org/html/draft-ietf-netconf-http-client-server-04#section-2.1.2.2> and
> here is a fully-populated example
> <https://tools.ietf.org/html/draft-ietf-netconf-http-client-server-04#section-2.2> (see
> 2nd example).
>
> Does everything appear to be in order so far?
>
> Now, for the question, do Web Proxies require client-auth?  More
> specifically:
>
>    1. when an HTTP client is connecting to a Web Proxy via HTTP, is
>    HTTP-level auth (i.e. Basic) mandatory or optional?
>    2. when an HTTP client is connecting to a Web Proxy via HTTPS, is
>    TLS-level and/or HTTP-level auth mandatory or optional?
>
>
> Thanks,
> Kent
>
>
>
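The thread above asks whether HTTP-level (Basic) client-auth to a Web Proxy is mandatory, and the answer is that it is not: the proxy signals whether it wants credentials with a 407 challenge. As an added example, not from the draft or from either author, the following Python sketch tunnels through a web proxy with CONNECT and sends Basic credentials only after such a challenge; the proxies are simulated in-process, and the host, port and the "kent:secret" credentials are constructed placeholders.

```python
# Added example (not from the draft or either author); proxies are simulated
# in-process and the host, port and "kent:secret" credentials are constructed.
import base64
from typing import Callable, Dict, Optional, Tuple

Creds = Optional[Tuple[str, str]]

def build_connect(host: str, port: int, creds: Creds = None) -> bytes:
    """CONNECT request; Proxy-Authorization is present only when creds are given."""
    target = f"{host}:{port}"
    lines = [f"CONNECT {target} HTTP/1.1", f"Host: {target}"]
    if creds is not None:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode("ascii")
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Status code and lower-cased header names from the proxy's reply."""
    status_line, *header_lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    headers = {n.strip().lower(): v.strip() for n, _, v in (h.partition(":") for h in header_lines)}
    return int(status_line.split(" ", 2)[1]), headers

def connect_via_proxy(send: Callable[[bytes], bytes], host: str, port: int,
                      creds: Creds = None) -> str:
    """Anonymous CONNECT first; Basic credentials go out only after a 407 that
    advertises Basic. Returns 'tunnel', 'auth-required' or 'refused'."""
    status, headers = parse_response(send(build_connect(host, port)))
    if status == 200:
        return "tunnel"
    if status == 407:
        challenge = headers.get("proxy-authenticate", "")
        if creds is None or not challenge.lower().startswith("basic"):
            return "auth-required"
        status, _ = parse_response(send(build_connect(host, port, creds)))
        return "tunnel" if status == 200 else "refused"
    return "refused"

# Constructed stand-ins for the two proxy behaviours discussed in the thread.
def open_proxy(request: bytes) -> bytes:
    return b"HTTP/1.1 200 Connection Established\r\n\r\n"

def basic_auth_proxy(request: bytes) -> bytes:
    expected = b"Proxy-Authorization: Basic " + base64.b64encode(b"kent:secret")
    if expected in request.split(b"\r\n"):
        return b"HTTP/1.1 200 Connection Established\r\n\r\n"
    return (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
            b'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')
```

Against the open proxy the anonymous CONNECT succeeds outright; against the authenticating proxy the client learns from the 407 that credentials are needed, which is what makes a proxy-auth stanza optional rather than mandatory in the client configuration.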