IETF Logo Mail Archive

Re: Client requesting authentication on server & thomson-httpbis-catch

"henry.story@bblfish.net" <henry.story@bblfish.net> Wed, 19 March 2014 14:45 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E611C1A077B for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 19 Mar 2014 07:45:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level:
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_34=0.6, J_CHICKENPOX_35=0.6, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uow5cx-RNqLU for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 19 Mar 2014 07:45:05 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 02E521A0775 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 19 Mar 2014 07:45:04 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1WQHi9-0004Rz-6i for ietf-http-wg-dist@listhub.w3.org; Wed, 19 Mar 2014 14:43:17 +0000
Resent-Date: Wed, 19 Mar 2014 14:43:17 +0000
Resent-Message-Id: <E1WQHi9-0004Rz-6i@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <henry.story@bblfish.net>) id 1WQHhs-0004Pj-EL for ietf-http-wg@listhub.w3.org; Wed, 19 Mar 2014 14:43:00 +0000
Received: from mail-wg0-f46.google.com ([74.125.82.46]) by lisa.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <henry.story@bblfish.net>) id 1WQHhr-0002Ht-4C for ietf-http-wg@w3.org; Wed, 19 Mar 2014 14:43:00 +0000
Received: by mail-wg0-f46.google.com with SMTP id b13so7274969wgh.29 for <ietf-http-wg@w3.org>; Wed, 19 Mar 2014 07:42:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=6b7vwcQdpUuXspmCED97E3PIf/vK9mW86mBA4+9wPkY=; b=NWoAxeEA/VUMqHaELqPPqDcrmiPqYbiJXCVa+9FLl1DKxZa1q/fkZdcr3bRGY3lREs 8nVQRo0Wm0FnqcQiKbYYb7yBL4WGS74k5z8FEyfsXgVpJ4oXPUGTG+1KaLtlHc5anSs9 nkHjF03X2420r+cOL5Pnw5u+qVu5bwaBZzE9JSZvh7if3WXd8hcZ811nFQw6TAw/X2Pr vM9toop2YYs+rO8CSsZJ1w7HUYLTeReN+ViT3mXHpFfFLBMcWGxoaVaNpIPJfbcySMJo CSLL7J0vqav/ElSbtUvPM9du51KzmMlWF6u8mTsFjrRpR19lYTwrZEHgxkBiM8XgQQ8S +/Ig==
X-Gm-Message-State: ALoCoQmnfeSBjs9wv0GSDqTmo8rWZLBPUF7wmen5Sp6PDht/V53LaavwDONUidiGyyPdTTrIekXD
X-Received: by 10.180.19.138 with SMTP id f10mr19580200wie.11.1395240152218; Wed, 19 Mar 2014 07:42:32 -0700 (PDT)
Received: from [192.168.1.10] (AAubervilliers-651-1-124-48.w86-198.abo.wanadoo.fr. [86.198.39.48]) by mx.google.com with ESMTPSA id c7sm12246429wjf.19.2014.03.19.07.42.30 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 19 Mar 2014 07:42:31 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: "henry.story@bblfish.net" <henry.story@bblfish.net>
In-Reply-To: <EA2F3433-23B1-40A4-8A5B-943FDFEEAB6C@bblfish.net>
Date: Wed, 19 Mar 2014 15:42:27 +0100
Cc: Martin Thomson <martin.thomson@gmail.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <74632FC5-6250-45B4-8A90-E280A96423B6@bblfish.net>
References: <EA2F3433-23B1-40A4-8A5B-943FDFEEAB6C@bblfish.net>
To: HTTP Working Group <ietf-http-wg@w3.org>
X-Mailer: Apple Mail (2.1874)
Received-SPF: none client-ip=74.125.82.46; envelope-from=henry.story@bblfish.net; helo=mail-wg0-f46.google.com
X-W3C-Hub-Spam-Status: No, score=-3.8
X-W3C-Hub-Spam-Report: AWL=-3.060, RCVD_IN_DNSWL_LOW=-0.7
X-W3C-Scan-Sig: lisa.w3.org 1WQHhr-0002Ht-4C 831f3de0341f1e6d3e6020546a1f6aee
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Client requesting authentication on server & thomson-httpbis-catch
Archived-At: <http://www.w3.org/mid/74632FC5-6250-45B4-8A90-E280A96423B6@bblfish.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/22747
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 18 Mar 2014, at 19:11, henry.story@bblfish.net wrote:

> Hi,
> 
>    We have a problem that is somewhat the opposite of the
> one described by Martin Thomson recently under draft-thomson-httpbis-catch-00 [1]
> though we could make use of it.
> 
> We want to deploy client authentication using TLS now [0], with browsers and clients
> as they are - that is we cannot wait for TLS1.3, though we look forward to it and
> improvements such as draft-thomson-tls-care [3]
> 
> Our problem is that we have resources that can return different information
> (header or body) depending on the authentication level. Consider for example just
> the Allow: header. If a user is not authenticated we return the methods allowed for
> an anonymous user.
> 
> $ curl -I -k https://bblfish.stample.io/card
> HTTP/1.1 200 OK
> Access-Control-Allow-Origin: *
> Allow: OPTIONS, GET, HEAD
> Content-Type: text/turtle
> Accept-Patch: application/sparql-update
> Link: <card.acl>; rel=acl, <http://www.w3.org/ns/ldp#Resource>; rel=type
> 
> ( Following the acls could let a more intelligent user agent know what rights 
>  it may have as different users, but not as current browsers are set up [2] )
> 
> A server could use the thomson-httpbis-catch WWW-Authenticate header to let 
> the client know that authenticated users could do something more if it 
> authenticated. Perhaps like this:
> 
> $ curl -I -k https://bblfish.stample.io/card
> HTTP/1.1 200 OK
> Access-Control-Allow-Origin: *
> Allow: OPTIONS, GET, HEAD
> WWW-Authenticate: Certificate
> Content-Type: text/turtle
> Accept-Patch: application/sparql-update
> Link: <card.acl>; rel=acl, <http://www.w3.org/ns/ldp#Resource>; rel=type 
> 
> But now how does the client authenticate with TLS in the current browsers?
> We don't want the client to do a PUT or a POST or a DELETE on the resource
> just to do something that it does not have access to. 
> 
> 
> There seem to be two choices here:
> 
> 1) to have an authentication header that the client could add,
>   to ask the server to authenticate it using TLS client certificates. Perhaps
>   a client could do 
> 
>   GET /card HTTP/1.1
>   Auth: Certificate
>   ...
> 
>  This would be the equivalent in HTTP of what Martin Thomson proposed at the TLS
>  level in his "Client Authentication Request Extension for (D)TLS" RFC [3] . 

So presumably here one could extend the current client "Authorization" header to 
something like 

   Authorization: Certificate

So I see that new schemes can be registered at

   http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-26#section-5.1.2
   https://www.ietf.org/rfc/rfc2617.txt

This does require server side TLS renegotiation to work, but that's where we are at
present.


>  2) For the server to publish a link relation to a authentication resource.
>   Perhaps with a Link: rel=authn
> 
> $ curl -I -k https://bblfish.stample.io/card
> HTTP/1.1 200 OK
> Access-Control-Allow-Origin: *
> Allow: OPTIONS, GET, HEAD
> WWW-Authenticate: Certificate
> Content-Type: text/turtle
> Accept-Patch: application/sparql-update
> Link: <card.acl>; rel=acl, <http://www.w3.org/ns/ldp#Resource>; rel=type 
> Link: </login>; rel=authn
> 
>   Perhaps for TLS renegotiation a more specific rel=authn-tls would 
> be useful. (It's not sure if this answer still needs the WWW-Authenticate: Certificate 
> header ). 
> 
>   A lot of things are moving in HTTP, so I may have missed the right tool 
> for the job.

So the question should be: why would one need the "Authorization: Certificate"
if one has the rel=authn, or rel=authn-tls Link ? 

Remembering that servers can also be clients ( we are building linked data crawlers
that need to jump very often across servers all over the internet ), the non-web
browser client could follow policies set by a user as to which sites are ok
to authenticate to, and avoid having to make extra authentication requests.

It also would help servers know when they can do a TLS renegotiation cleanly.
For some reason many browsers ( not Firefox or Chrome ) create an ugly error
page if the authentication fails even when the server is set up in WANT mode
( Ie. in Chrome or Safari if the client does not send a certificate the 
server can still return a valid HTTP response with perhaps a 400 code ). A 
server receiving this certificate would at least know that the client can be
authenticated with a certificate here, and so initiate renegotiation.
( This could even be useful for JS code too, though things get complex with CORS 
there ).

As I understand for HTTP2 this won't do, because TLS renegotation creates issues
in SPDY.


> 
> Henry
> 
> [0] Using http://www.w3.org/2005/Incubator/webid/spec/ WebID over TLS
> [1] http://datatracker.ietf.org/doc/draft-thomson-httpbis-catch/
> [2]  A client could follow the card.acl resource to find out what it is allowed to
> do if it is logged in [2], though this would not be too much help for Web Browsers
> as these do not necessarily know what their identities are - they can't for
> example access the Certificates in their key store - so the JavaScript would have
> difficulty finding out what group it belongs to.  Note: The acl link is defined 
> in the Web Access Control page of 
>     http://www.w3.org/2005/Incubator/webid/spec/
> ( it needs to be standardised )
> [3] http://datatracker.ietf.org/doc/draft-thomson-tls-care/
> 
> 
> 
> Social Web Architect
> http://bblfish.net/
> 

Social Web Architect
http://bblfish.net/

v2.23.0 | Report a Bug | By Email