Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list
Simo Sorce <simo@redhat.com> Tue, 07 February 2023 20:03 UTC
Return-Path: <simo@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83AE7C1524DB for <kitten@ietfa.amsl.com>; Tue, 7 Feb 2023 12:03:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vt7s65mZ0jKc for <kitten@ietfa.amsl.com>; Tue, 7 Feb 2023 12:03:51 -0800 (PST)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 412B9C1524C8 for <kitten@ietf.org>; Tue, 7 Feb 2023 12:03:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1675800229; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=yURaxYmnWzwL0pEXGlNWWbvgBcwJyfkqDLIfIfo6YMk=; b=Q9zHHibC2ISSDGQf3lsieceJ65qYzN+RomKuf1F9EJrRpjxS+mwnXzb43XIB71Fkyfl9sy ihqCa1RymTt/nxzNMx+QdSKQw9tnXHLdN8RpqfEgT0+5ysxjf+Zoo21wET+7HRpxGXWDk+ jPblvm+lhNIoRySPBUGcCLEWejEzbRg=
Received: from mail-qv1-f69.google.com (mail-qv1-f69.google.com [209.85.219.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-645-SH1qfwBHNvKmqnCAIJKnLA-1; Tue, 07 Feb 2023 15:03:48 -0500
X-MC-Unique: SH1qfwBHNvKmqnCAIJKnLA-1
Received: by mail-qv1-f69.google.com with SMTP id j19-20020a056214033300b0056c11dfb0ddso827056qvu.19 for <kitten@ietf.org>; Tue, 07 Feb 2023 12:03:48 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=mime-version:user-agent:content-transfer-encoding:organization :references:in-reply-to:date:cc:to:from:subject:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=yURaxYmnWzwL0pEXGlNWWbvgBcwJyfkqDLIfIfo6YMk=; b=M+/VQ3oCVdCcgV8KQl9skIqQNT9v4xz/uIIivJzWA2wB2B/pkOPRpK6nOoieBSKETH /e2SzabWHT1OqXgpfRj//VDUUkta8tCT+y8nGhRXjrfWDa04v874b+1k9tBaE4pcOdz8 KHb/kL/WcA2ypCnTX7Tbne8XiKCFFTryAzSIpdQyzg0A1POUdiaiyltBVF4pU+Yl8K8w g5F97bpBS98nFaK8R6sC9PNBhVEFzd9HX5g1y8+RnVRfsTwWBpEQJLV66rHkoIuANh2v IAMW3h02kbPJ/wmRjM9QBUo3S2H/bo2Qcklc0plabK+uVj+ItwBMP2NcpOCgSLdXK7qF wSUQ==
X-Gm-Message-State: AO0yUKVrIMdn0kAfOJu1Jhr6J803etnM1Xes1MKvQs0sScK58N5cUkVT GZszaOEfLcisbBZJbTUT6k2ZDj2ZMqyiTJOvtPgG5scUXmZRWszRvaZvxom10K0xHNH4E39Lf1H b1h4tytH6wQ6X
X-Received: by 2002:ac8:7d05:0:b0:3b8:6a5d:cd97 with SMTP id g5-20020ac87d05000000b003b86a5dcd97mr7437958qtb.34.1675800227485; Tue, 07 Feb 2023 12:03:47 -0800 (PST)
X-Google-Smtp-Source: AK7set8e33AC0jyJnGzv0UsWmjrHQt+BIVUndOgRogYG5YF497BN8hXvVfNvCKCcx2L37tpdCa3MqA==
X-Received: by 2002:ac8:7d05:0:b0:3b8:6a5d:cd97 with SMTP id g5-20020ac87d05000000b003b86a5dcd97mr7437931qtb.34.1675800227210; Tue, 07 Feb 2023 12:03:47 -0800 (PST)
Received: from 2603-7000-9400-fe80-0000-0000-0000-07a7.res6.spectrum.com (2603-7000-9400-fe80-0000-0000-0000-07a7.res6.spectrum.com. [2603:7000:9400:fe80::7a7]) by smtp.gmail.com with ESMTPSA id g25-20020ac870d9000000b003a7e38055c9sm9895208qtp.63.2023.02.07.12.03.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Feb 2023 12:03:46 -0800 (PST)
Message-ID: <01a7f7acc91b3ac1a865c006f4d883ab38d07178.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Rick van Rein <rick@openfortress.nl>, Russ Allbery <eagle@eyrie.org>
Cc: kitten@ietf.org
Date: Tue, 07 Feb 2023 15:03:46 -0500
In-Reply-To: <20230207104841.GE30583@openfortress.nl>
References: <20230127160101.GB635@openfortress.nl> <048e6943f02302bb5cf7b8c55521931ce3748d30.camel@redhat.com> <20230128215854.629841D6333@pb-smtp20.pobox.com> <87a622tdd1.fsf@hope.eyrie.org> <875ycqtcmd.fsf@hope.eyrie.org> <20230207104841.GE30583@openfortress.nl>
Organization: Red Hat
User-Agent: Evolution 3.46.3 (3.46.3-1.fc37)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/I6Jax0j_5kjnc1xtDbqIHlXE1ZE>
Subject: Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2023 20:03:56 -0000
On Tue, 2023-02-07 at 10:48 +0000, Rick van Rein wrote: > Hello Russ, > > > I think this would work theoretically (at least I don't see why it > > wouldn't), but I'm very curious about how widely this has been tested in > > HTTP scenarios involving round-robin load-balancing. > > No, this has not been tested yet. Not sure it adds much though; if the > mechanism allows a stateless HTTP server then jumping from one to another > does not matter. On another note, other layers tend to face this same > problem and seem to solve it by a consistent client/server connection, > and only use the round-robin part as an initiation rite. > > > Making the client > > replay the state provides enough of a theoretical hook to allow moving an > > in-progress authentication session from one backend server to another, but > > has this been done in practice with Cyrus SASL and similar SASL libraries? > > To do this well, Cyrus SASL leaves a few things to be desired, actually; > namely, a state export/import facility. This is indeed a conflict that we > are aware of -- SASL is stateful and HTTP is stateless. This is the reason > that an earlier attempt to HTTP-SASL did not make it. There is much more > clarity now, with the HTTP Authentication framework being written, and the > answer is bouncing the "s2s" value to allow for a fully stateless server. This requires, in some cases, that the crypto state is fully exportable. Although possible, in many cases this is simply not available, especially when hardware tokens (HSMs, SmartCards, TPMs) are used to deal with the cryptography. (PKCS#11 defines a pair of functions to export/import state but most tokens don't implement it, even software tokens). > > My first reaction is that this is asking a lot of the SASL library on the > > server side to be able to reconstitute and continue a halfway-constructed > > SASL session that was negotiated by a different server, but maybe that > > first reaction is erroneous. > > You are right, this is a new design aspect, and this is why we did not test > on round-robin HTTP servers. I am not sure if it is so difficult to build > into a simpler library that has collected less history, though. SASL can > come along, but some implementations are bound to make an easier link to > HTTP than others. It seem you have a few uses cases in mind, do they all work in a distributed/load balanced environment? Simo. -- Simo Sorce RHEL Crypto Team Red Hat, Inc
- [kitten] Stating support for HTTP-SASL on the HTT… Rick van Rein
- Re: [kitten] Stating support for HTTP-SASL on the… stef
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Simo Sorce
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Ken Hornstein
- Re: [kitten] Stating support for HTTP-SASL on the… Russ Allbery
- Re: [kitten] Stating support for HTTP-SASL on the… Russ Allbery
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Rick van Rein
- Re: [kitten] Stating support for HTTP-SASL on the… Rick van Rein
- Re: [kitten] Stating support for HTTP-SASL on the… Rick van Rein
- Re: [kitten] Stating support for HTTP-SASL on the… Rick van Rein
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Simo Sorce
- Re: [kitten] Stating support for HTTP-SASL on the… Russ Allbery
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Ken Hornstein
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams