Re: Call for Adoption: HTTP Unprompted Authentication
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 07 February 2023 13:25 UTC
Archived-At: <https://www.w3.org/mid/f6fd5886-5da8-38a7-0bd3-1fd54a96238f@cs.tcd.ie>

Hiya,

On 07/02/2023 12:56, Martin Thomson wrote:
>
> On Tue, Feb 7, 2023, at 07:32, Stephen Farrell wrote:
>> Can someone clarify whether the u= field amounts to a super-cookie
>> or not, and if not, how that might be the case?
>
> It doesn't have to be. Each site (*) could get a different key pair
> and key identifier.

Sure, that could happen. Question is whether that's likely
or not. History seems to show that new tracking opportunities
on the web will be exploited, so I'd argue that's not an
ignorable risk for this scheme.

IOW shouldn't this draft define a way or ways to avoid that
risk? Seems to me it should.

> The draft doesn't say that though, so you are right to ask. This is
> probably another case where documenting a little more detail about
> the usage context could help.
>
> (*) That's a web term, I know, but the question was also web-related.
> The more general way to approach this is to say that for servers
> where the client would not otherwise be linkable, the client must use
> different keys and key identifiers.

I'm not sure how a client could evaluate that "not otherwise"

Cheers,
S.

> On the web, the boundary we use
> to determine when linkability is assumed or not is site.
>