Re: Client requesting authentication on server & thomson-httpbis-catch
"henry.story@bblfish.net" <henry.story@bblfish.net> Wed, 19 March 2014 14:45 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E611C1A077B for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 19 Mar 2014 07:45:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level:
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_34=0.6, J_CHICKENPOX_35=0.6, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uow5cx-RNqLU for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 19 Mar 2014 07:45:05 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 02E521A0775 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 19 Mar 2014 07:45:04 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1WQHi9-0004Rz-6i for ietf-http-wg-dist@listhub.w3.org; Wed, 19 Mar 2014 14:43:17 +0000
Resent-Date: Wed, 19 Mar 2014 14:43:17 +0000
Resent-Message-Id: <E1WQHi9-0004Rz-6i@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <henry.story@bblfish.net>) id 1WQHhs-0004Pj-EL for ietf-http-wg@listhub.w3.org; Wed, 19 Mar 2014 14:43:00 +0000
Received: from mail-wg0-f46.google.com ([74.125.82.46]) by lisa.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <henry.story@bblfish.net>) id 1WQHhr-0002Ht-4C for ietf-http-wg@w3.org; Wed, 19 Mar 2014 14:43:00 +0000
Received: by mail-wg0-f46.google.com with SMTP id b13so7274969wgh.29 for <ietf-http-wg@w3.org>; Wed, 19 Mar 2014 07:42:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=6b7vwcQdpUuXspmCED97E3PIf/vK9mW86mBA4+9wPkY=; b=NWoAxeEA/VUMqHaELqPPqDcrmiPqYbiJXCVa+9FLl1DKxZa1q/fkZdcr3bRGY3lREs 8nVQRo0Wm0FnqcQiKbYYb7yBL4WGS74k5z8FEyfsXgVpJ4oXPUGTG+1KaLtlHc5anSs9 nkHjF03X2420r+cOL5Pnw5u+qVu5bwaBZzE9JSZvh7if3WXd8hcZ811nFQw6TAw/X2Pr vM9toop2YYs+rO8CSsZJ1w7HUYLTeReN+ViT3mXHpFfFLBMcWGxoaVaNpIPJfbcySMJo CSLL7J0vqav/ElSbtUvPM9du51KzmMlWF6u8mTsFjrRpR19lYTwrZEHgxkBiM8XgQQ8S +/Ig==
X-Gm-Message-State: ALoCoQmnfeSBjs9wv0GSDqTmo8rWZLBPUF7wmen5Sp6PDht/V53LaavwDONUidiGyyPdTTrIekXD
X-Received: by 10.180.19.138 with SMTP id f10mr19580200wie.11.1395240152218; Wed, 19 Mar 2014 07:42:32 -0700 (PDT)
Received: from [192.168.1.10] (AAubervilliers-651-1-124-48.w86-198.abo.wanadoo.fr. [86.198.39.48]) by mx.google.com with ESMTPSA id c7sm12246429wjf.19.2014.03.19.07.42.30 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 19 Mar 2014 07:42:31 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: "henry.story@bblfish.net" <henry.story@bblfish.net>
In-Reply-To: <EA2F3433-23B1-40A4-8A5B-943FDFEEAB6C@bblfish.net>
Date: Wed, 19 Mar 2014 15:42:27 +0100
Cc: Martin Thomson <martin.thomson@gmail.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <74632FC5-6250-45B4-8A90-E280A96423B6@bblfish.net>
References: <EA2F3433-23B1-40A4-8A5B-943FDFEEAB6C@bblfish.net>
To: HTTP Working Group <ietf-http-wg@w3.org>
X-Mailer: Apple Mail (2.1874)
Received-SPF: none client-ip=74.125.82.46; envelope-from=henry.story@bblfish.net; helo=mail-wg0-f46.google.com
X-W3C-Hub-Spam-Status: No, score=-3.8
X-W3C-Hub-Spam-Report: AWL=-3.060, RCVD_IN_DNSWL_LOW=-0.7
X-W3C-Scan-Sig: lisa.w3.org 1WQHhr-0002Ht-4C 831f3de0341f1e6d3e6020546a1f6aee
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Client requesting authentication on server & thomson-httpbis-catch
Archived-At: <http://www.w3.org/mid/74632FC5-6250-45B4-8A90-E280A96423B6@bblfish.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/22747
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On 18 Mar 2014, at 19:11, henry.story@bblfish.net wrote: > Hi, > > We have a problem that is somewhat the opposite of the > one described by Martin Thomson recently under draft-thomson-httpbis-catch-00 [1] > though we could make use of it. > > We want to deploy client authentication using TLS now [0], with browsers and clients > as they are - that is we cannot wait for TLS1.3, though we look forward to it and > improvements such as draft-thomson-tls-care [3] > > Our problem is that we have resources that can return different information > (header or body) depending on the authentication level. Consider for example just > the Allow: header. If a user is not authenticated we return the methods allowed for > an anonymous user. > > $ curl -I -k https://bblfish.stample.io/card > HTTP/1.1 200 OK > Access-Control-Allow-Origin: * > Allow: OPTIONS, GET, HEAD > Content-Type: text/turtle > Accept-Patch: application/sparql-update > Link: <card.acl>; rel=acl, <http://www.w3.org/ns/ldp#Resource>; rel=type > > ( Following the acls could let a more intelligent user agent know what rights > it may have as different users, but not as current browsers are set up [2] ) > > A server could use the thomson-httpbis-catch WWW-Authenticate header to let > the client know that authenticated users could do something more if it > authenticated. Perhaps like this: > > $ curl -I -k https://bblfish.stample.io/card > HTTP/1.1 200 OK > Access-Control-Allow-Origin: * > Allow: OPTIONS, GET, HEAD > WWW-Authenticate: Certificate > Content-Type: text/turtle > Accept-Patch: application/sparql-update > Link: <card.acl>; rel=acl, <http://www.w3.org/ns/ldp#Resource>; rel=type > > But now how does the client authenticate with TLS in the current browsers? > We don't want the client to do a PUT or a POST or a DELETE on the resource > just to do something that it does not have access to. > > > There seem to be two choices here: > > 1) to have an authentication header that the client could add, > to ask the server to authenticate it using TLS client certificates. Perhaps > a client could do > > GET /card HTTP/1.1 > Auth: Certificate > ... > > This would be the equivalent in HTTP of what Martin Thomson proposed at the TLS > level in his "Client Authentication Request Extension for (D)TLS" RFC [3] . So presumably here one could extend the current client "Authorization" header to something like Authorization: Certificate So I see that new schemes can be registered at http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-26#section-5.1.2 https://www.ietf.org/rfc/rfc2617.txt This does require server side TLS renegotiation to work, but that's where we are at present. > 2) For the server to publish a link relation to a authentication resource. > Perhaps with a Link: rel=authn > > $ curl -I -k https://bblfish.stample.io/card > HTTP/1.1 200 OK > Access-Control-Allow-Origin: * > Allow: OPTIONS, GET, HEAD > WWW-Authenticate: Certificate > Content-Type: text/turtle > Accept-Patch: application/sparql-update > Link: <card.acl>; rel=acl, <http://www.w3.org/ns/ldp#Resource>; rel=type > Link: </login>; rel=authn > > Perhaps for TLS renegotiation a more specific rel=authn-tls would > be useful. (It's not sure if this answer still needs the WWW-Authenticate: Certificate > header ). > > A lot of things are moving in HTTP, so I may have missed the right tool > for the job. So the question should be: why would one need the "Authorization: Certificate" if one has the rel=authn, or rel=authn-tls Link ? Remembering that servers can also be clients ( we are building linked data crawlers that need to jump very often across servers all over the internet ), the non-web browser client could follow policies set by a user as to which sites are ok to authenticate to, and avoid having to make extra authentication requests. It also would help servers know when they can do a TLS renegotiation cleanly. For some reason many browsers ( not Firefox or Chrome ) create an ugly error page if the authentication fails even when the server is set up in WANT mode ( Ie. in Chrome or Safari if the client does not send a certificate the server can still return a valid HTTP response with perhaps a 400 code ). A server receiving this certificate would at least know that the client can be authenticated with a certificate here, and so initiate renegotiation. ( This could even be useful for JS code too, though things get complex with CORS there ). As I understand for HTTP2 this won't do, because TLS renegotation creates issues in SPDY. > > Henry > > [0] Using http://www.w3.org/2005/Incubator/webid/spec/ WebID over TLS > [1] http://datatracker.ietf.org/doc/draft-thomson-httpbis-catch/ > [2] A client could follow the card.acl resource to find out what it is allowed to > do if it is logged in [2], though this would not be too much help for Web Browsers > as these do not necessarily know what their identities are - they can't for > example access the Certificates in their key store - so the JavaScript would have > difficulty finding out what group it belongs to. Note: The acl link is defined > in the Web Access Control page of > http://www.w3.org/2005/Incubator/webid/spec/ > ( it needs to be standardised ) > [3] http://datatracker.ietf.org/doc/draft-thomson-tls-care/ > > > > Social Web Architect > http://bblfish.net/ > Social Web Architect http://bblfish.net/
- Re: Client requesting authentication on server & … henry.story@bblfish.net
- Client requesting authentication on server & thom… henry.story@bblfish.net
- Re: Client requesting authentication on server & … Mark Nottingham
- Re: Client requesting authentication on server & … henry.story@bblfish.net
- Re: Client requesting authentication on server & … Mark Nottingham
- Re: Client requesting authentication on server & … Amos Jeffries