Re: [kitten] Re-authentication
Alexey Melnikov <alexey.melnikov@isode.com> Mon, 30 January 2023 10:36 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C012C152574 for <kitten@ietfa.amsl.com>; Mon, 30 Jan 2023 02:36:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RjHGgYlej6ee for <kitten@ietfa.amsl.com>; Mon, 30 Jan 2023 02:36:28 -0800 (PST)
Received: from waldorf.isode.com (waldorf.isode.com [62.232.206.188]) by ietfa.amsl.com (Postfix) with ESMTP id A56B0C1524B3 for <kitten@ietf.org>; Mon, 30 Jan 2023 02:36:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1675074987; d=isode.com; s=june2016; i=@isode.com; bh=Lscf05qkKweOJXg6owtmhPYj/usoBd9S2DLfm13sBFk=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=CjRh6OO89V/V/kLNgFTcQft26+rCYpyTNEmuMJhF8Kl7DdYYEflRI2s2OBY1JRgn00wwWP vzkSVNZwQLF3zvr4C2d8o6g/WvIsJQo2tKNP1y9MgtA+NTjBYFOAER2EZiipgr3W0CiTSe J6lpOlGvnYJZFUrsulYmmx+Qs1abp3c=;
Received: from [192.168.1.222] (host31-49-219-7.range31-49.btcentralplus.com [31.49.219.7]) by waldorf.isode.com (submission channel) via TCP with ESMTPSA id <Y9edqgBqmUFN@waldorf.isode.com>; Mon, 30 Jan 2023 10:36:26 +0000
Message-ID: <d2d8e99c-7d5b-badc-f2a5-ff182c8ee9aa@isode.com>
Date: Mon, 30 Jan 2023 10:36:25 +0000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.6.1
To: Matthew Wild <mwild1@gmail.com>, kitten@ietf.org
References: <CAJt9-x6gz+0tqsheAYFZLyERcVZi_rt0HaF0=vPJ5OOiCYHzdA@mail.gmail.com>
From: Alexey Melnikov <alexey.melnikov@isode.com>
In-Reply-To: <CAJt9-x6gz+0tqsheAYFZLyERcVZi_rt0HaF0=vPJ5OOiCYHzdA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/KHfGJbKnR3aEgIMGzNgsWeN7AqU>
Subject: Re: [kitten] Re-authentication
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2023 10:36:32 -0000
Hi Matthew, On 29/01/2023 12:33, Matthew Wild wrote: > Hi folks, > > I wondered if anyone is aware of prior work on re-authenticating > existing sessions using SASL? > > Most (all?) SASL-using protocols currently transition from an > unauthenticated to authenticated state via a SASL exchange. > > However, is there any existing protocol that allows repeating SASL > negotiation (e.g. with a different mechanism, different credentials) > within an already-authenticated session? I know of only one protocol that does this: LDAP (version 3). See RFC 4513 for information about LDAP authentication and RFC 4510 for general roadmap of LDAPv3. > With the MFA and FAST stuff recently discussed, and other token > mechanisms such as OAUTHBEARER, some sessions will typically have > reduced permissions. For example, a server may require the client to > authenticate with a password in order to perform certain > administrative tasks relating to the user's account. Therefore we'd > need a way for a token-authed session to upgrade to a password-authed > one. I am curious about signalling mechanism for this. > This could of course be achieved in many protocols by having clients > simply start new sessions, but that can be awkward for a number of > reasons, such as discarding various session-attached state at the > application layer. > > Regards, > Matthew Best Regards, Alexey
- [kitten] Re-authentication Matthew Wild
- Re: [kitten] Re-authentication Alexey Melnikov
- Re: [kitten] Re-authentication Matthew Wild