IETF Logo Mail Archive

Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list

Nico Williams <nico@cryptonector.com> Fri, 27 January 2023 17:48 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0617AC14CE39 for <kitten@ietfa.amsl.com>; Fri, 27 Jan 2023 09:48:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Q62uSY1Hzwb for <kitten@ietfa.amsl.com>; Fri, 27 Jan 2023 09:48:03 -0800 (PST)
Received: from bumble.birch.relay.mailchannels.net (bumble.birch.relay.mailchannels.net [23.83.209.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B2A6C14CF13 for <kitten@ietf.org>; Fri, 27 Jan 2023 09:48:03 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 9D3AB14188A; Fri, 27 Jan 2023 17:48:02 +0000 (UTC)
Received: from pdx1-sub0-mail-a210.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 2C6B8141838; Fri, 27 Jan 2023 17:48:02 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1674841682; a=rsa-sha256; cv=none; b=6qz4tt2nftF6RcXF/OqP4MlUkbV0/ogY1lFkoKAJNph9H6D8eLhFZ2oU5jVQCFeg3TMRK0 YnKAZPebX3uA301BuUHu/EWzWInz+xKCYosu2JcqBp5FiNoA1hFysgrrZF2EqkQwNFs49H +9HVjazcgpKgXqmDFhBh9MywHWuncnHVgHh/+LajmYpngVr0Le98lSflT/V+2QFyTGHMZw +QlRckOVAvePymrmp1YQ/P2qn1raqWmh8DEKSiCb9E/dmm0pfEP3Akq5oI/q4/YvKjDhcr /FJTbb/16M5FYiP+hn1N6j/tRmzQHEE5nqM/YAwUBmjCVO7/yoXIjCRvrpt7aQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1674841682; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=YjeH/2Y7Hdq0DbOXIsncnA4c8eKBHwMIz5cPbWHguy8=; b=dsYQpP2pwz71pjBLDUWzQhLe4vuhu3wNvNdSGNGu2VQpXxYRP2Zpn0bwDdTYF+QOS/g3eJ F+ghv3kq/RXLW+MIU9QOdXiP+ZXsd7q2Brtpsr6bWzumwXK84ZY6EKbJZWkhFI5YoB98fv xM3GglmSOssaCvBJWd71ULelcx1St52JjPanZl1+Lb4YGgJVRBPL1OB2xEEsO6qbX4cEMo XCYHoWF9MCnsun9zxNRavnCEYKsmUK5uU/v/RQn151C+yjha/DQ8HiAgTH1AC5dWSXXalY XkEs9lI7f+jZ0ZMSP8l8ERpXrhowuG6DyCHVxwjbpLWhCN5FoNImOP2Y7dGYUA==
ARC-Authentication-Results: i=1; rspamd-544f66f495-nv6sf; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Illegal-Obese: 4aeb5af17f5164ea_1674841682437_3852836532
X-MC-Loop-Signature: 1674841682437:360818306
X-MC-Ingress-Time: 1674841682437
Received: from pdx1-sub0-mail-a210.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.107.134.79 (trex/6.7.1); Fri, 27 Jan 2023 17:48:02 +0000
Received: from gmail.com (cpe-66-25-27-1.tx.res.rr.com [66.25.27.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a210.dreamhost.com (Postfix) with ESMTPSA id 4P3Q5s3KpHz10; Fri, 27 Jan 2023 09:48:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1674841681; bh=YjeH/2Y7Hdq0DbOXIsncnA4c8eKBHwMIz5cPbWHguy8=; h=Date:From:To:Cc:Subject:Content-Type; b=dee842lj7ucrTaaSolissm5Wrgs7hccC7mpM6pM4nIa0Ls+PgJoUtvnNqVzlhPfjd mlPK8dEOzu8u6xnMiXEiaDINEvsO5RxVi3ZhdgaLmsvpNJ81XD06+jBgFSqJR+R4Ga UJjRfBtXO0ELYVAkjes4mvgK9n252TZjA0a8zfFFZEpk4wybYs67FRkl4SL3NfP8wq tXfWfxrdZxA3W5MEExRc260eX52F22JsAppHU8z1c9CcqoSdb3eiLmeELopNl96OHT SNLau2Uz0OQm86tFfuyYT9bz9PgxHs2aZNG4eK18Qi/qk6ImS2TFdDk9oMSihH0DLD ZM0q8Epu+fyLA==
Date: Fri, 27 Jan 2023 11:47:58 -0600
From: Nico Williams <nico@cryptonector.com>
To: Rick van Rein <rick@openfortress.nl>
Cc: kitten@ietf.org
Message-ID: <Y9QOTlS5Pmv47brx@gmail.com>
References: <20230127160101.GB635@openfortress.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20230127160101.GB635@openfortress.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/DpjaV4VUW2duW8c2e0qZv_hxLzc>
Subject: Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jan 2023 17:48:08 -0000

On Fri, Jan 27, 2023 at 04:01:01PM +0000, Rick van Rein wrote:
> The HTTP WG is considering our embedding of SASL in HTTP.  I need
> IETF consensus to be permitted to say "Authorization: SASL", so
> to claim the "SASL" name.

You don't need IETF consensus for this, and if you did this wouldn't be
the correct list.

The IANA HTTP Authentication Scheme registry requires only Expert Review
to register new schemes:

https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml

That said, I don't recommend this, and if I were the expert assigned to
review I think I would reject this.  My rationale is that you'd end up
with a two-layer negotiation, and we've learned that two-layer
negotiations are problematic.  Instead every SASL mechanism you care
about should be an HTTP authentication scheme, then HTTP functions as
the one negotiation layer.  Though, even then we'd need enough metadata
in the WWW-Authenticate: to help clients pick a scheme correctly.

Also, more generally, I think HTTP authentication schemes are dead.
It's too hard to use them generally, especially new ones.

IMO what's really needed is a generic way to do redirect-for-
authentication-and-redirect-back-with-a-token.  I think I've an I-D
about that somewhere.

Basically, the idea is that you could get a 401 w/ a Location: header or
a 3xx with a WWW-Authenticate: header that functions as a clue that the
Location: is for authentication and that: a) if the user-agent trusts
the Location: for authentication then the user-agent should follow the
redirect, b) for all redirects in the chain the user-agent should copy
any Authroization: headers from _responses_ to redirected requests.
This would allow any half-round-trip schemes to be used w/o having to
play games with URI q-params like SAML and OIDC do.

The interesting observation here is that HTTP (going back all the way to
HTTP/0.9) forbids the copying of any 3xx response headers to redirected
requests, but for authentication-related headers this seems silly as
copying those around seems perfect for: a) completing authentication in
whatever way the origin wants regardless of user-agent support, b)
passing state between the origin and the IdPs (using cryptographic
tokens, naturally).

In fact, the PowerShell HTTP CLI has a command-line option for copying
the Authorization: header from 3xx responses to redirected requests!
We should explore making that the default for all user-agents.

Nico
--

v2.23.0 | Report a Bug | By Email