IETF Logo Mail Archive

Re: HTTP Unprompted Authentication

Ben Schwartz <bemasc@google.com> Tue, 18 October 2022 16:14 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91F06C1524B4 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 18 Oct 2022 09:14:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.259
X-Spam-Level:
X-Spam-Status: No, score=-15.259 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3F7ekFTwPuCJ for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 18 Oct 2022 09:14:09 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B621C1524CB for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 18 Oct 2022 09:13:23 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1okpAn-000u1y-TQ for ietf-http-wg-dist@listhub.w3.org; Tue, 18 Oct 2022 16:10:33 +0000
Resent-Date: Tue, 18 Oct 2022 16:10:33 +0000
Resent-Message-Id: <E1okpAn-000u1y-TQ@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <bemasc@google.com>) id 1okpAl-000u0g-UA for ietf-http-wg@listhub.w3.org; Tue, 18 Oct 2022 16:10:31 +0000
Received: from mail-vk1-xa2e.google.com ([2607:f8b0:4864:20::a2e]) by mimas.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <bemasc@google.com>) id 1okpAk-00FD27-DP for ietf-http-wg@w3.org; Tue, 18 Oct 2022 16:10:31 +0000
Received: by mail-vk1-xa2e.google.com with SMTP id w185so7110272vkb.7 for <ietf-http-wg@w3.org>; Tue, 18 Oct 2022 09:10:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=zrRHz3i+sZyX8y5VVjd0k3PJZtU0b9/YYthqAuQu8ks=; b=RGtGkTiTkEZe++sACr15rbfqa9nJPV+tnff3VRrMbSEVQgpfrJx2KF1AAQXPqDGrKv F9gw8opXAr2WHbY3TmELdtmjZajNkVVMlohHFUvfvVK8NlMN+yYV15vQfU5HCuA8svf1 fapB7cXtNesMpFmUj1spwVZSoX3eRg8ikmHzwwzhVocpCWWOv7i9+icjcnTi8PvOJXY4 rfnhIGz1HLZ0t1CyrdFbQNwqtX97rWEyq+ZhpswBR27f0ISvWIVqRZfYgc9vPSZjWBLQ HgLOWPF1QYphQf3DCSzzdDhIpnNJNYGEaTvqPXfdr3axVshFc7y4iR8jLVkWk0tC24zv u9PA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=zrRHz3i+sZyX8y5VVjd0k3PJZtU0b9/YYthqAuQu8ks=; b=PsBUkA8ItHkeOG55DxQQ2Sxz0ll801BmzprUvgOFzDQV9vKFEypy/sfYPKA2wkedK8 kdp3U5o3HC83M07QAytKxyuqStseeDE1AUDEHMf5HqYrwzXGgxyg5DimAbRMXOov/HaG e5M1EXJH4i3K1gbmPvniWGTDMa33gCf3gu1sNI26RCgA+r+fbbozrk083VP2p5oOLPLi rvNP9y4ePtLsrqacE4eFUPlEBHzt8cHEu5eKbZJWLKIn833JQoS9ASPNdbvLr5QJNUOM usf1PEVMXmICT75TwlGPN2DwQlaUK7l1TcywG462NiKjclFiJ5P/NYirzHCr3dTsJKPH DVhQ==
X-Gm-Message-State: ACrzQf37QJnXZ66FVeahXaVcvfMslfHIy8RwCpuZFccMIJ+uouT4DM7i DY+wYfOPmcGUAiBpMAlubK8tQW8DjjSOVE/AaSJMgQXEztab5EoM
X-Google-Smtp-Source: AMsMyM6DCpQRHwCmMKlEla2s9tu3z/Ztx6NZEvtIgZVWudBiUNRU1kmin+Rzop9ovuI9Vs3PtJCnPnfXVsHM6FbksTQ=
X-Received: by 2002:a1f:9e8f:0:b0:3ab:3b:4c4d with SMTP id h137-20020a1f9e8f000000b003ab003b4c4dmr1851998vke.9.1666109418111; Tue, 18 Oct 2022 09:10:18 -0700 (PDT)
MIME-Version: 1.0
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 18 Oct 2022 12:10:06 -0400
Message-ID: <CAHbrMsCWsLsaNXi4J+DbOvpvjxx8m11F0NpgEeZUY34n89hYtQ@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000000d60c405eb515412"
Received-SPF: pass client-ip=2607:f8b0:4864:20::a2e; envelope-from=bemasc@google.com; helo=mail-vk1-xa2e.google.com
X-W3C-Hub-DKIM-Status: validation passed: (address=bemasc@google.com domain=google.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-21.6
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1okpAk-00FD27-DP f23aac434eb57edddc8f7ae8e8042adf
X-Original-To: ietf-http-wg@w3.org
Subject: Re: HTTP Unprompted Authentication
Archived-At: <https://www.w3.org/mid/CAHbrMsCWsLsaNXi4J+DbOvpvjxx8m11F0NpgEeZUY34n89hYtQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/40462
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

I support the goals of the Unprompted Authentication draft.  In fact, I'm
so supportive that I recently posted a draft that happens to solve an
overlapping problem in a very different way: "Modernizing HTTP Forward
Proxy Functionality" [1].

To step back: confidential HTTP _resources_ are arguably a solved problem.
We can simply place the resource at an unguessable path (e.g. "capability
URLs" [2]).  The problem mentioned by this draft occurs when the HTTP
service is origin-scoped (e.g. it is not a resource).  The only
non-resource HTTP service that I'm aware of is forward proxy
functionality.  Thus, one way to improve confidentiality of proxies is to
make them path-scoped, and this is what the "Modernizing" draft does.

These proposals are not mutually exclusive.  Path-scoped proxies have other
benefits, and unprompted authentication could be useful for other services
with inflexible paths (e.g. .well-known/ resources).  However, given the
overlapping use cases, these drafts should probably be discussed together.

--Ben

[1]
https://datatracker.ietf.org/doc/draft-schwartz-modern-http-proxies/Modernizing
HTTP Forward Proxy Functionality
[2] https://www.w3.org/TR/capability-urls/

v2.23.0 | Report a Bug | By Email