Re: draft-ietf-httpbis-http2-01, "4.2.3 Authentication"

Nicolas Mailhot <nicolas.mailhot@laposte.net> Wed, 06 March 2013 13:55 UTC

To: ietf-http-wg@w3.org
From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Wed, 06 Mar 2013 13:52:38 +0000
Message-ID: <loom.20130306T142826-187@post.gmane.org>
References: <51365743.5030409@gmx.de>
Archived-At: <http://www.w3.org/mid/loom.20130306T142826-187@post.gmane.org>

Hi,

Unless I've missed something, the draft as it stands does not answer the
following questions:

1. how an http/2 intermediary is supposed to communicate to the client it
requires authentication (regressing from http/1 and error 511),

2. how gateway spoofing is supposed to be detected by the client (I'm ok to id
to my hotel wifi portal with the password provided on a card when booking in,
not to a random equipment that pretends to be my corp gateway to capture
credentials, even if my client is configured to send them automatically)

3. what entry-point is it supposed to provide for this auth (fishing for headers
in another data stream is no good)

4. how the authentication is conveyed to this entry-point securely (yes every
gateway credential is not a low-security hotel code), and nowhere else (not to
other intermediaries, not to the target, just to the entry-point the client
intends to reach)

5. how it works with https streams (the hotel may be ok with allowing outbound
https, and not wish to read this stream, it will still want you to authenticate
before and renew auth when your credits have expired. Renewal is hard if you mix
separate communication in a single stream and assume that once you've set up a
tls tunnel you're done and nothing will change)

So by default the current proposal will continue to put everything in-band, as
headers that can be read by the wrong party, with no explicit equipment target.
Since that's not good enough in real life, if not fixed, it will produce new
generations of https MITM-ing & captive portals to force the clients to speak
with the authentication gateways.

The problem with intermediary auth is not the auth schemes but creating a
communication channel between the intermediary and the client to convey the
credentials.

Surely, HTTP2-FL can do better than this.

Regards,

-- 
Nicolas Mailhot