IETF Logo Mail Archive

Re: Working Group Last Call: draft-ietf-httpbis-auth-info

Amos Jeffries <squid3@treenet.co.nz> Wed, 11 February 2015 21:02 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 686A01A7025 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 11 Feb 2015 13:02:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t0zHNgZcoO9Z for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 11 Feb 2015 13:02:49 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C33151A0371 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 11 Feb 2015 13:02:49 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1YLeMV-00019y-OQ for ietf-http-wg-dist@listhub.w3.org; Wed, 11 Feb 2015 20:58:19 +0000
Resent-Date: Wed, 11 Feb 2015 20:58:19 +0000
Resent-Message-Id: <E1YLeMV-00019y-OQ@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.80) (envelope-from <squid3@treenet.co.nz>) id 1YLeMN-00019C-AR for ietf-http-wg@listhub.w3.org; Wed, 11 Feb 2015 20:58:11 +0000
Received: from 121-99-228-82.static.orcon.net.nz ([121.99.228.82] helo=treenet.co.nz) by maggie.w3.org with esmtp (Exim 4.72) (envelope-from <squid3@treenet.co.nz>) id 1YLeML-0007Py-Dx for ietf-http-wg@w3.org; Wed, 11 Feb 2015 20:58:10 +0000
Received: from [192.168.2.6] (121-99-174-18.bng1.tvc.orcon.net.nz [121.99.174.18]) by treenet.co.nz (Postfix) with ESMTP id 8CFB5E6FA6 for <ietf-http-wg@w3.org>; Thu, 12 Feb 2015 09:57:35 +1300 (NZDT)
Message-ID: <54DBC238.80404@treenet.co.nz>
Date: Thu, 12 Feb 2015 09:57:28 +1300
From: Amos Jeffries <squid3@treenet.co.nz>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: ietf-http-wg@w3.org
References: <0E4872BF-EBCB-42C0-9BF9-8BC179C1BDDA@mnot.net> <54DAB257.5000203@treenet.co.nz> <54DB1630.3040306@gmx.de> <54DB2A89.2010001@treenet.co.nz> <54DB32BB.10609@gmx.de>
In-Reply-To: <54DB32BB.10609@gmx.de>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=121.99.228.82; envelope-from=squid3@treenet.co.nz; helo=treenet.co.nz
X-W3C-Hub-Spam-Status: No, score=-4.4
X-W3C-Hub-Spam-Report: AWL=-2.482, BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TVD_RCVD_IP=0.001
X-W3C-Scan-Sig: maggie.w3.org 1YLeML-0007Py-Dx 800f31cfcc3dde2d187876699de955c2
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Working Group Last Call: draft-ietf-httpbis-auth-info
Archived-At: <http://www.w3.org/mid/54DBC238.80404@treenet.co.nz>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/28823
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 11/02/2015 11:45 p.m., Julian Reschke wrote:
> On 2015-02-11 11:10, Amos Jeffries wrote:
>> ...
>> ...
>>>> With mention specifically about how it differs from Authentication-Info
>>>> by being hop-by-hop.
>>>
>>> Hmm, why is it hop-by-hop?
>>
>>
>> First Proxy-Auth* are explicitly hop-by-hop. This not being so violates
>> the principle of least surprise.
>>
>> It would leak the proxies network credentials related data to the client.
>>
>> With result such as; In a proxy chain of A<-B<-C<-D<-E with different
>> authentications happening in the hop D->C and the hop C->B.  If the
>> header was treated as end-to-end D would be participating in the B->C
>> authentication.
> 
> Understood, but that doesn't make it hop-by-hop, but something in
> between, right?

Technically yes. I dont think we need to fix that though. The well
RFC7235 is clear for the proxy-auth headers that each recipient has to
make an explicit choice with them whether to relay, change, or remove
(default).
Since this header is supposed to be a part of the same framework there
should be no issue with clearly giving it the same property. Just as
long as it *is* clear, and not just implied like right now.


> 
>>>> Under security considerations I believe it would be good to mention
>>>> that
>>>> recipients of the Authentication-Info header in any response should
>>>> (ought to or SHOULD?) treat the transaction as if it were authenticated
>>>> even if the RFC7235 headers are not present.
>>>
>>> Why?
>>>
>>> (Remember that the intent of the spec was simply to extract the
>>> definition from RFC 2617; so if we make additional changes they need to
>>> be, well, understood)
>>
>> Information leak vulnerabilities.
> 
> Yes, but why would you send Authentication-Info in a response when
> Authenticate was not present in the request?

If the auth is out-of-band. In the web form payload for example, or TLS
based certificate authentication. This header would make a good binding
between them and HTTP.

> 
>> "ought to" is fine with me if you really want to stick with the
>> non-normative.
> 
>>>
>>>>    Some of the use-cases I see for this header include out-of-band
>>>> authentication. If the server is treating the reply as authenticated it
>>>> may inadvertently include private information in the payload or other
>>>> headers.
>>>>
>>>>
>>>>
>>>> Also, Yutaka brought up the issue of association between selected
>>>> scheme
>>>> and Authentication-Info contents. I believe this document is the right
>>>> place to reserve a parameter scheme= which takes the auth-scheme as its
>>>> value for the purpose in the same way RFC 7235 reserves the realm=
>>>> parameter for use across schemes.
>>>
>>> That was already answered. There can only be one authentication
>>> happening at a single time (plus one proxy authentication).
>>
>> Except in the case above where the D header leaks to B because the C
>> implementer did not treat it as hop-by-hop. But the spec does not
>> (currently) say anything about it being different from
>> Authentication-Info which is end-to-end ... so they were able to
>> compliantly choose that nasty interpretation.
> 
> Again, we need to find the right terminology here.
> 
> As far as I understand proxy auth, it's neither end-to-end (UA to origin
> server) nor hop-by-hop. I do agree that the description of proxy
> authentication is weak in 7235, but by all means let's fix it over
> there, not here.

Which is why I suggested using the RFC 7235 wording. It may not be using
the term hop-by-hop, but its clear about the properties involved and why.

I dont find the description in RFC 7235 weak. It just does not use a
term to label the situation where multiple proxy recipients use
identical credentials.

Amos

v2.39.1 | Report a Bug | By Email | System Status