Re: Working Group Last Call: draft-ietf-httpbis-auth-info
Yutaka OIWA <y.oiwa@aist.go.jp> Thu, 12 February 2015 01:51 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A286D1A89FF for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 11 Feb 2015 17:51:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.39
X-Spam-Level:
X-Spam-Status: No, score=-6.39 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3D43rfeJS5bj for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 11 Feb 2015 17:51:38 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1D3E1A89F9 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 11 Feb 2015 17:51:38 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1YLitA-0005QD-CG for ietf-http-wg-dist@listhub.w3.org; Thu, 12 Feb 2015 01:48:20 +0000
Resent-Date: Thu, 12 Feb 2015 01:48:20 +0000
Resent-Message-Id: <E1YLitA-0005QD-CG@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.80) (envelope-from <y.oiwa@aist.go.jp>) id 1YLit1-0005PS-9v for ietf-http-wg@listhub.w3.org; Thu, 12 Feb 2015 01:48:11 +0000
Received: from na3sys010aog103.obsmtp.com ([74.125.245.74]) by lisa.w3.org with smtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <y.oiwa@aist.go.jp>) id 1YLisz-0008Cu-Gp for ietf-http-wg@w3.org; Thu, 12 Feb 2015 01:48:11 +0000
Received: from mail-lb0-f172.google.com ([209.85.217.172]) (using TLSv1) by na3sys010aob103.postini.com ([74.125.244.12]) with SMTP ID DSNKVNwGQTXrmC8f6/+eK7y6jxcBclsybjRa@postini.com; Wed, 11 Feb 2015 17:48:09 PST
Received: by mail-lb0-f172.google.com with SMTP id p9so5968980lbv.3 for <ietf-http-wg@w3.org>; Wed, 11 Feb 2015 17:47:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aist.go.jp; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=IJqNtxoc/HQx1H+u7x0SU1EhqITO0KDM9tjHJq6JsiU=; b=LND02T7x7pH4S3h4qJAA2lh3+4ItX044AFd0bDyro3P5vixbqrQu2yAmHiIJ7BWgjo MJhQuJo/AnsTRVB1CIStxGFC7JBKNwx/fsxQY9Ryo6L6kCFRNL+B9KsOCoLXX6wOAOEH p8fcyaSaSoy5MtMmRB0xop/tryzzTum8xMUKk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=IJqNtxoc/HQx1H+u7x0SU1EhqITO0KDM9tjHJq6JsiU=; b=Cn4q0mSwEwRtDUwLrH1IpIQ5d/RYOaFfmjMiHZym0Q2Y9hVHKhnsAD///shwya/u7D 1IkMzlqgHS9wJKUDroUhLfSmdW7UKFdakkXpQAf/vIJTzLKj4ynnpSMnnzdCBGFV7Ajo ZOOnSHLfj4ThcbNC/mLxlJ/hMo3wmmE18hWROYxK4V8A/u/fgXteavZBrz4zd/DMQJC2 3yZOFzjsDperD5dU5SqexB6sC18AnKjTNYXr1ypNY/4pSU65bQjTdqeHCdDYt0+ovC95 DAe/6tdQ4Tx37Pe5vxbkYzYkrPJkS6Yd60h2BhxpwHumZ8qF9TOOWfxJalI/nix78TcQ fqLA==
X-Gm-Message-State: ALoCoQnSnvIjMzRqD/VOprxX6wCBBmKXZVUbcf1p6Z4GW1z7LUSGVF1W30HZZO6zyeDzm9iO6D1xBe6IcGK7anKe3JKiBmypYQlZc/htDSuS/Jf5eIRfE7WWHO2BA5Fe0epdtnvmrW92iZiP1/nVZLKddPqcvURFxQ==
X-Received: by 10.152.6.101 with SMTP id z5mr1175821laz.19.1423705664321; Wed, 11 Feb 2015 17:47:44 -0800 (PST)
X-Received: by 10.152.6.101 with SMTP id z5mr1175818laz.19.1423705664225; Wed, 11 Feb 2015 17:47:44 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.83.203 with HTTP; Wed, 11 Feb 2015 17:47:24 -0800 (PST)
In-Reply-To: <54DBC238.80404@treenet.co.nz>
References: <0E4872BF-EBCB-42C0-9BF9-8BC179C1BDDA@mnot.net> <54DAB257.5000203@treenet.co.nz> <54DB1630.3040306@gmx.de> <54DB2A89.2010001@treenet.co.nz> <54DB32BB.10609@gmx.de> <54DBC238.80404@treenet.co.nz>
From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Thu, 12 Feb 2015 10:47:24 +0900
Message-ID: <CAMeZVwseZUnYHVLJeu7Bi2SsjpdL6BjT+7i_iYrBKkvSpDnaBQ@mail.gmail.com>
To: Amos Jeffries <squid3@treenet.co.nz>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Received-SPF: pass client-ip=74.125.245.74; envelope-from=y.oiwa@aist.go.jp; helo=na3sys010aog103.obsmtp.com
X-W3C-Hub-Spam-Status: No, score=-5.2
X-W3C-Hub-Spam-Report: AWL=-0.900, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001
X-W3C-Scan-Sig: lisa.w3.org 1YLisz-0008Cu-Gp b9f511d039898b8c842f13f7adc5c99d
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Working Group Last Call: draft-ietf-httpbis-auth-info
Archived-At: <http://www.w3.org/mid/CAMeZVwseZUnYHVLJeu7Bi2SsjpdL6BjT+7i_iYrBKkvSpDnaBQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/28825
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
> Yes, but why would you send Authentication-Info in a response when
> Authenticate was not present in the request?
> If the auth is out-of-band. In the web form payload for example, or TLS
> based certificate authentication. This header would make a good binding
> between them and HTTP.
I strongly believe that this header MUST NOT be used for such a purpose.
Use of Authentication-Info: header should be limited to RFC-7235 in-band
authentications.
Out-of-band authentication can co-exist with RFC-7235-style
in-band authentication, and re-use of the headers for out-of-band
authentication will immediately cause conflicts.
There is several good reasons to bind out-of-band authentication and
HTTP, and there can be two solutions:
1) define an in-band WWW-Authenticate authentication scheme,
using outcome of out-of-band authentication for
in-band authorization. Authentication-info: header can be used
as a part of latter.
OAuth is one of such an example.
Or, we can simply define an tunnel in-band authentication scheme like
WWW-Authenticate: OutOfBand medium=TLS-client-cert
Authorization: OutOfBand medium=TLS-client-cert channel-binding=......
2) if there is a need for light-weight solution, we can define a new
header for a specific purpose.
2015-02-12 5:57 GMT+09:00 Amos Jeffries <squid3@treenet.co.nz>:
> On 11/02/2015 11:45 p.m., Julian Reschke wrote:
>> On 2015-02-11 11:10, Amos Jeffries wrote:
>>> ...
>>> ...
>>>>> With mention specifically about how it differs from Authentication-Info
>>>>> by being hop-by-hop.
>>>>
>>>> Hmm, why is it hop-by-hop?
>>>
>>>
>>> First Proxy-Auth* are explicitly hop-by-hop. This not being so violates
>>> the principle of least surprise.
>>>
>>> It would leak the proxies network credentials related data to the client.
>>>
>>> With result such as; In a proxy chain of A<-B<-C<-D<-E with different
>>> authentications happening in the hop D->C and the hop C->B. If the
>>> header was treated as end-to-end D would be participating in the B->C
>>> authentication.
>>
>> Understood, but that doesn't make it hop-by-hop, but something in
>> between, right?
>
> Technically yes. I dont think we need to fix that though. The well
> RFC7235 is clear for the proxy-auth headers that each recipient has to
> make an explicit choice with them whether to relay, change, or remove
> (default).
> Since this header is supposed to be a part of the same framework there
> should be no issue with clearly giving it the same property. Just as
> long as it *is* clear, and not just implied like right now.
>
>
>>
>>>>> Under security considerations I believe it would be good to mention
>>>>> that
>>>>> recipients of the Authentication-Info header in any response should
>>>>> (ought to or SHOULD?) treat the transaction as if it were authenticated
>>>>> even if the RFC7235 headers are not present.
>>>>
>>>> Why?
>>>>
>>>> (Remember that the intent of the spec was simply to extract the
>>>> definition from RFC 2617; so if we make additional changes they need to
>>>> be, well, understood)
>>>
>>> Information leak vulnerabilities.
>>
>> Yes, but why would you send Authentication-Info in a response when
>> Authenticate was not present in the request?
>
> If the auth is out-of-band. In the web form payload for example, or TLS
> based certificate authentication. This header would make a good binding
> between them and HTTP.
>
>>
>>> "ought to" is fine with me if you really want to stick with the
>>> non-normative.
>>
>>>>
>>>>> Some of the use-cases I see for this header include out-of-band
>>>>> authentication. If the server is treating the reply as authenticated it
>>>>> may inadvertently include private information in the payload or other
>>>>> headers.
>>>>>
>>>>>
>>>>>
>>>>> Also, Yutaka brought up the issue of association between selected
>>>>> scheme
>>>>> and Authentication-Info contents. I believe this document is the right
>>>>> place to reserve a parameter scheme= which takes the auth-scheme as its
>>>>> value for the purpose in the same way RFC 7235 reserves the realm=
>>>>> parameter for use across schemes.
>>>>
>>>> That was already answered. There can only be one authentication
>>>> happening at a single time (plus one proxy authentication).
>>>
>>> Except in the case above where the D header leaks to B because the C
>>> implementer did not treat it as hop-by-hop. But the spec does not
>>> (currently) say anything about it being different from
>>> Authentication-Info which is end-to-end ... so they were able to
>>> compliantly choose that nasty interpretation.
>>
>> Again, we need to find the right terminology here.
>>
>> As far as I understand proxy auth, it's neither end-to-end (UA to origin
>> server) nor hop-by-hop. I do agree that the description of proxy
>> authentication is weak in 7235, but by all means let's fix it over
>> there, not here.
>
> Which is why I suggested using the RFC 7235 wording. It may not be using
> the term hop-by-hop, but its clear about the properties involved and why.
>
> I dont find the description in RFC 7235 weak. It just does not use a
> term to label the situation where multiple proxy recipients use
> identical credentials.
>
> Amos
>
- Working Group Last Call: draft-ietf-httpbis-auth-… Mark Nottingham
- Re: Working Group Last Call: draft-ietf-httpbis-a… Bjoern Hoehrmann
- Re: Working Group Last Call: draft-ietf-httpbis-a… Amos Jeffries
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Amos Jeffries
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Amos Jeffries
- Re: Working Group Last Call: draft-ietf-httpbis-a… Yutaka OIWA
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Hervé Ruellan
- Re: Working Group Last Call: draft-ietf-httpbis-a… Mark Nottingham
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Mark Nottingham
- Re: Working Group Last Call: draft-ietf-httpbis-a… Yutaka OIWA
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Amos Jeffries
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke
- Re: Working Group Last Call: draft-ietf-httpbis-a… Amos Jeffries
- Re: Working Group Last Call: draft-ietf-httpbis-a… Julian Reschke