[kitten] Re-authentication
Matthew Wild <mwild1@gmail.com> Sun, 29 January 2023 12:34 UTC
Return-Path: <mwild1@gmail.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BBA1C14F720 for <kitten@ietfa.amsl.com>; Sun, 29 Jan 2023 04:34:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rQBLbzz3vII2 for <kitten@ietfa.amsl.com>; Sun, 29 Jan 2023 04:33:59 -0800 (PST)
Received: from mail-oi1-x233.google.com (mail-oi1-x233.google.com [IPv6:2607:f8b0:4864:20::233]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE0C1C14EAA3 for <kitten@ietf.org>; Sun, 29 Jan 2023 04:33:59 -0800 (PST)
Received: by mail-oi1-x233.google.com with SMTP id p133so7939647oig.8 for <kitten@ietf.org>; Sun, 29 Jan 2023 04:33:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=Jv+P3QchH0Gbn6wH8Ock4rC7DmCb1Apw5EOyawwkULE=; b=Z3rWCo+3TH+CERgFQDwXQMMwHy6V8/msB6TRj9Xdh1uDKzd23H+IaERCpMiyymlYPe 312U0RuGPbDkOhfaZOvhqnDRQsBPkpyO80R87Vh8m8DD4Z+CoIZRlPSwNoIUL6Z0XvH8 lisqgl5HZ38CAuVWNSvUoodlvuSlotr+AOms436Sp1WaKal7H9dyXJcEcerDLlVZWSPP uoZrNXsMyYWSYa7tV2ZO1qC/pLN6mWZ1vYk23ErlUoL/c/MTqix7k3RRU/5yox5SxtEj PFWHcSDSId478E3kieg8MRIUNMOrJ/xIZXN3SQq3kb7z5Y5nyL681ThHX4rwQTqUTfsE 4r7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=Jv+P3QchH0Gbn6wH8Ock4rC7DmCb1Apw5EOyawwkULE=; b=p5JnNCc12150TO4Gpl/CWz8/0tV50653ySbv80o5bgeYxeMf/GvPAIdzSVPopg+sMB 1COatXJaXZSkjqbKlAppdO0012HyVmOs3EMbl8qvhCQM45D1TwIhIfyk6YC8hjE4COFL ZZo2NI0Mz9FvyYiF/yZA5OokAy47zv5/MzLyFdYHELZRMft7LTMCJF8Er2g2zQ1SMylJ cvms9a6CxiT0VMztJ8LcYWLdNOIzS/JWGS7HuNKjG0Q5GtBnW8ja3VG2Afq+YyOQuA3O rkHrNSWMuN4s6ZnFsyrlKclyw4s9CvIoVDjADe/jpuvi9e5dEsUZRTpkdOtP97vnCTR3 /L4g==
X-Gm-Message-State: AO0yUKVu3yeKMMsD2NI/y14RETkYOZnbYIEqVvcumEO+adb+9Yy/NCnk TcMQl9/jo2q/SdOI+DcG7jFD0eHGPe5K6NVJWLxZGmF7
X-Google-Smtp-Source: AK7set/ZaajbS7ngL4H+QuhzQZtza9LxxjWAdUCpGj6wsaLk23DvPsmtRHnNt7NOkgLR2ZE477H8DXUNCrSZjgyZrco=
X-Received: by 2002:aca:1104:0:b0:378:14a3:50cf with SMTP id 4-20020aca1104000000b0037814a350cfmr232240oir.71.1674995638644; Sun, 29 Jan 2023 04:33:58 -0800 (PST)
MIME-Version: 1.0
From: Matthew Wild <mwild1@gmail.com>
Date: Sun, 29 Jan 2023 12:33:47 +0000
Message-ID: <CAJt9-x6gz+0tqsheAYFZLyERcVZi_rt0HaF0=vPJ5OOiCYHzdA@mail.gmail.com>
To: kitten@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/6wDVImc2U92KFNMi3nFlNucDqQQ>
Subject: [kitten] Re-authentication
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Jan 2023 12:34:04 -0000
Hi folks, I wondered if anyone is aware of prior work on re-authenticating existing sessions using SASL? Most (all?) SASL-using protocols currently transition from an unauthenticated to authenticated state via a SASL exchange. However, is there any existing protocol that allows repeating SASL negotiation (e.g. with a different mechanism, different credentials) within an already-authenticated session? With the MFA and FAST stuff recently discussed, and other token mechanisms such as OAUTHBEARER, some sessions will typically have reduced permissions. For example, a server may require the client to authenticate with a password in order to perform certain administrative tasks relating to the user's account. Therefore we'd need a way for a token-authed session to upgrade to a password-authed one. This could of course be achieved in many protocols by having clients simply start new sessions, but that can be awkward for a number of reasons, such as discarding various session-attached state at the application layer. Regards, Matthew
- [kitten] Re-authentication Matthew Wild
- Re: [kitten] Re-authentication Alexey Melnikov
- Re: [kitten] Re-authentication Matthew Wild