From ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org Fri Feb 24 15:31:56 2023 Return-Path: X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D803C14CE44 for ; Fri, 24 Feb 2023 15:31:56 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.048 X-Spam-Level: X-Spam-Status: No, score=-5.048 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=zoho.com Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YxdvvDN5zBMZ for ; Fri, 24 Feb 2023 15:31:52 -0800 (PST) Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4214EC14F744 for ; Fri, 24 Feb 2023 15:31:51 -0800 (PST) Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from ) id 1pVhXO-00BbLU-6b for ietf-http-wg-dist@listhub.w3.org; Fri, 24 Feb 2023 23:31:38 +0000 Resent-Date: Fri, 24 Feb 2023 23:31:38 +0000 Resent-Message-Id: Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1pVhXM-00BbKX-FS for ietf-http-wg@listhub.w3.org; Fri, 24 Feb 2023 23:31:37 +0000 Received: from sender4-pp-o90.zoho.com ([136.143.188.90]) by mimas.w3.org with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1pVhXL-00D4XK-1y for ietf-http-wg@w3.org; Fri, 24 Feb 2023 23:31:36 +0000 ARC-Seal: i=1; a=rsa-sha256; t=1677281471; cv=none; d=zohomail.com; s=zohoarc; b=gJgSkQMxdf7N+spqz7/MgedWPEFhLTXfjKSaowtYjdTtJks3zpnbHylV4hU7sJsPsPix60nbSE1MxhDFmnCgB+ny4a8nxffIscqRhesPnEJchBQ4cdiRkfyzXwnJoG3vhQrDU+cxT4URY4y5vN7JtRAyHTKqbV5i+qAH14oCZRk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1677281471; h=Content-Type:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=wKofeRrDFwiRCxEJJmahzF1zQ5bk9AuacZwIat7mETY=; b=ZVns9YBnOCwDFcMhJRLQ39+Xn0HrUm7v+ecqMq7GVI9gFzjbJ1k2sxMyPNV8/P+LXsZL2GOE8YBm0r8GXqgHzo5JfT7kl3kCNVUnlllN257Q8EsZg7B7OmREkmuYHhxtFQ9TCPbXu2JEXJpOx5shtSIhp2IERp/xXlkW53Yed9Q= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=zoho.com; spf=pass smtp.mailfrom=mellowmutt@zoho.com; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1677281471; s=zm2022; d=zoho.com; i=mellowmutt@zoho.com; h=Date:Date:From:From:To:To:Cc:Cc:Message-Id:Message-Id:In-Reply-To:References:Subject:Subject:MIME-Version:Content-Type:Feedback-ID:Reply-To; bh=wKofeRrDFwiRCxEJJmahzF1zQ5bk9AuacZwIat7mETY=; b=LX4KUrXrka19nK5TK3UdpFBnuwM0swOz4TsV3ND1tMiSP+gG/RkDh/w14c+iYv+W 1pSK9C5b4WrCoZCd0pDsT6uwNRtAwjlcPeovP5VMKKiVPPHsGBVuwiSGor9jx+jAeFP 6DJt5OUFOlm64gSWtIhZfZ3fml5Akt60AU6c3yjo= Received: from mail.zoho.com by mx.zohomail.com with SMTP id 1677281471326123.1736985530639; Fri, 24 Feb 2023 15:31:11 -0800 (PST) Received: from [65.117.211.248] by mail.zoho.com with HTTP;Fri, 24 Feb 2023 15:31:11 -0800 (PST) Date: Fri, 24 Feb 2023 15:31:11 -0800 From: Eric J Bowman To: "Christopher Wood" Cc: "mark nottingham" , "http working group" , "tommy pauly" Message-Id: <18685c42b44.e1acca954877.5894602446250292773@zoho.com> In-Reply-To: <466C7100-4FB1-407E-A488-5AE553460C4C@heapingbits.net> References: <6532E43F-74FD-46B4-8D28-9DB03452A689@mnot.net> <466C7100-4FB1-407E-A488-5AE553460C4C@heapingbits.net> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_12720_1222574198.1677281471300" Importance: Medium User-Agent: Zoho Mail X-Mailer: Zoho Mail Feedback-ID: rr08011228aba8d8d28529e037f7deef26000010f63287ad30d0712c53be8dfd60fc8a3ac912155557c0f37a90:zu080112274271e8d95eef8ec989ab9f7f000078a866e9ee3a019eb914913dfd74ddd2776bfcb1b72bec2657:rf080112328a5d122a4f9148d17c527ae60000aaa6c8df6eaf126440938537f0ceeb1570a91df988161074d4afc5c5eddbcd336554a540:ZohoMail Received-SPF: pass client-ip=136.143.188.90; envelope-from=mellowmutt@zoho.com; helo=sender4-pp-o90.zoho.com X-W3C-Hub-DKIM-Status: validation passed: (address=mellowmutt@zoho.com domain=zoho.com), signature is good X-W3C-Hub-DKIM-Status: validation passed: (address=mellowmutt@zoho.com domain=mellowmutt@zoho.com), signature is good X-W3C-Hub-Spam-Status: No, score=-4.1 X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1 X-W3C-Scan-Sig: mimas.w3.org 1pVhXL-00D4XK-1y bba6a8d0cf32556683f7a5a2369fd0f3 X-Original-To: ietf-http-wg@w3.org Subject: Re: Call for Adoption: HTTP Unprompted Authentication Archived-At: Resent-From: ietf-http-wg@w3.org X-Mailing-List: archive/latest/50749 X-Loop: ietf-http-wg@w3.org Resent-Sender: ietf-http-wg-request@w3.org Precedence: list List-Id: List-Help: List-Post: List-Unsubscribe: ------=_Part_12720_1222574198.1677281471300 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit No offense to Chris, but ugh. Cookies have value, but they're still fundamentally at odds with the architectural style derived from reality. The entire notion of unprompted authentication is a red flag to me, architecturally speaking, especially to support a niche use-case. I don't see this as a "super cookie," but I can't put my finger on why it worries me along those lines, as an end-run around how HTTP Auth "should" work, at least in what's left of my brain. Mainstream or niche, to me, any use-case should conform to... well... my notion of "proper" architecture. See "Minority Report" lol, this is pre-crime... -Eric ---- On Tue, 07 Feb 2023 12:41:02 -0800 Christopher Wood wrote --- I'm supportive of adopting this draft on the basis of the desired use cases. They may be rather niche -- and should likely be added to the draft [0] -- but I understand them to have value. I do have some questions about the technical contents, which I've filed issues to track [1,2,3,4,5]. I'm happy to help seek resolution of those on GitHub. Are there any implementations of this mechanism yet? I would be happy to help provide an implementation of the server piece for interop tests. Best, Chris [0] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/22 [1] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/17 [2] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/18 [3] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/19 [4] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/20 [5] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/21 > On Feb 7, 2023, at 12:58 AM, Mark Nottingham wrote: > > Hello everyone, > > We first discussed this draft at IETF114[1], saw implementation interest at IETF115, [2] and finally had some more list discussion. > > This is a Call for Adoption for: > https://www.ietf.org/archive/id/draft-schinazi-httpbis-unprompted-auth-01.html > > Please indicate (in response to this message) whether you support adoption, and whether you intend to implement. > > The CfA will last for two weeks. > > Cheers, > > > 1. https://httpwg.org/wg-materials/ietf114/minutes.html#transport-auth-david-schinazi > 1. https://httpwg.org/wg-materials/ietf115/minutes.html#unprompted-auth > > -- > Mark Nottingham https://www.mnot.net/ > > ------=_Part_12720_1222574198.1677281471300 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable =
No offense to Chris, but ugh. Cookies have value, but the= y're still fundamentally at odds with the architectural style derived from = reality. The entire notion of unprompted authentication is a red flag to me= , architecturally speaking, especially to support a niche use-case.
=
I don't see this as a "super cookie," but I can't put my finger on = why it worries me along those lines, as an end-run around how HTTP Auth "sh= ould" work, at least in what's left of my brain. Mainstream or niche, to me= , any use-case should conform to... well... my notion of "proper" architect= ure. See "Minority Report" lol, this is pre-crime...

-Eric



---- On Tue, 07 Feb 20= 23 12:41:02 -0800 Christopher Wood <caw@heapingbits.net> wrote= ---

I'm supportive of adopting this draft on the basis of the= desired use cases. They may be rather niche -- and should likely be added = to the draft [0] -- but I understand them to have value.

I do have= some questions about the technical contents, which I've filed issues to tr= ack [1,2,3,4,5]. I'm happy to help seek resolution of those on GitHub.
=
Are there any implementations of this mechanism yet? I would be happy = to help provide an implementation of the server piece for interop tests.
Best,
Chris

[0] htt= ps://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/= 22
[1] https://github.com/David= Schinazi/draft-schinazi-httpbis-transport-auth/issues/17
[2] https://github.com/DavidSchinazi/draft-schina= zi-httpbis-transport-auth/issues/18
[3] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-= auth/issues/19
[4] https://gith= ub.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/20 [5] https://github.com/DavidSchinazi/= draft-schinazi-httpbis-transport-auth/issues/21

> On Feb 7,= 2023, at 12:58 AM, Mark Nottingham <mnot@mnot.net> wrote:
>
> Hello everyo= ne,
>
> We first discussed this draft at IETF114[1], saw imp= lementation interest at IETF115, [2] and finally had some more list discuss= ion.
>
> This is a Call for Adoption for:
> https://www.ietf.org/archive/id/draft-schinazi-http= bis-unprompted-auth-01.html
>
> Please indicate (in respo= nse to this message) whether you support adoption, and whether you intend t= o implement.
>
> The CfA will last for two weeks.
> > Cheers,
>
>
> 1. https://httpwg.org/wg-materials/ietf114/minutes.html#transport-auth= -david-schinazi
> 1. https://httpwg.org/= wg-materials/ietf115/minutes.html#unprompted-auth
>
> -- =
> Mark Nottingham https://www.mnot.net/
>
>




------=_Part_12720_1222574198.1677281471300--