IETF Logo Mail Archive

Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list

Nico Williams <nico@cryptonector.com> Sat, 28 January 2023 06:51 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BE52C1524AE for <kitten@ietfa.amsl.com>; Fri, 27 Jan 2023 22:51:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ycA6ok4ASQ_C for <kitten@ietfa.amsl.com>; Fri, 27 Jan 2023 22:51:47 -0800 (PST)
Received: from weasel.tulip.relay.mailchannels.net (weasel.tulip.relay.mailchannels.net [23.83.218.247]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F5DEC1522D9 for <kitten@ietf.org>; Fri, 27 Jan 2023 22:51:45 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id B96AE5C12C3; Sat, 28 Jan 2023 06:51:41 +0000 (UTC)
Received: from pdx1-sub0-mail-a297.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 468795C0E2E; Sat, 28 Jan 2023 06:51:41 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1674888701; a=rsa-sha256; cv=none; b=aHDljHB6BWxE+1LJytYnhyWKkG8xUrRcBj7dMNV3UnQ2vavrPoXY0Ls2F492rmJtZ+inoP XgKfBdhuHv/Jd9+F+DVS1J62/zdNB49eyvrlqrEJTrCgf0+pyXJaoxrN3dN/Qh3YmejvAZ Ebkw6+VGTirhN1OP9BV2U62w1rzLds6sjnwY4GHt6oD3OAA4a3PfS2nBWBfvhE/FkpPdDr tIXxVhol0Qg4JlPXQLd3U961OgHLDTBAHn23dNcE+KwaP9mHNS++8S67AdqhOtIdYA8iiA xm7e82bTt5pJw5PROwKXncQAMuT9hn/YFWohhdGx/9JmwyMVsIozMkkBpEZHJg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1674888701; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=A9wvc6AsUtVpotvIqi9Ai4DISCgI1vPlFFqq6OPoY/M=; b=5LQw9HFCKmA5kXaieijpqxco/k4fLV4YgT95Or/gTd+5hJgMQs/YMvUfBT9t0gMakb7t3S LDLWGgJ6NWjuz3xOCva/hyYtQ5ODIPaNxaLiQEP9kRxWXHiCiqSH2D8RqkGdhZ1uERQ7cS U/o1QqwsnwgmQ7rbtmXeB92LaBSbjmbKyai4VU5lDW68sxKUPyVU4Jk0KWaVCtrs88hqdy CJXj5nhGnMQ4SFZnXnwECIYFv//xmhR2KjekxJN6Me3blbXo6PPrUvD+F7vjI5hDiF6BA9 H2SORFuFWLSK2u5WAWGnrwP8EuL5SjCNJ47oA7BvYGjLxcVfYV7vWTyA984BSg==
ARC-Authentication-Results: i=1; rspamd-544f66f495-8bgmt; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Slimy-Cellar: 3f0809b146796a2d_1674888701539_3502435835
X-MC-Loop-Signature: 1674888701539:715140544
X-MC-Ingress-Time: 1674888701539
Received: from pdx1-sub0-mail-a297.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.109.138.31 (trex/6.7.1); Sat, 28 Jan 2023 06:51:41 +0000
Received: from gmail.com (cpe-66-25-27-1.tx.res.rr.com [66.25.27.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a297.dreamhost.com (Postfix) with ESMTPSA id 4P3lV44PXMz8l; Fri, 27 Jan 2023 22:51:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1674888701; bh=A9wvc6AsUtVpotvIqi9Ai4DISCgI1vPlFFqq6OPoY/M=; h=Date:From:To:Cc:Subject:Content-Type; b=pdnOVeNVovJr2/LpddF/YgZmjsF+2PUDHyxwrH9fMrldqsivICv9y5kUXgX9qlRc+ ga1dvNLmyEfxf7ET885O3yohMw4F00wjnsZ5hDuzY1s4WXvnewnpH8k24Z/sP2Fa+k VOjbwvDHhartSOR0RPXJg/Yp9A+WbQRtnvtwD7VsywxP1PiIQbDon/L+SzVOQThLm7 L/QmayBjbYjIZpz6SkCQ3Ilz4IUa2Y/B8R0cQiTQ4AOPCkOhqyLJsh3ig9Vl3Hh7jG j+8lq4hkbFcVDjVWb1Z58NrqCgeeq4fxzP8SJFqkmHcFNsbZkBLQ3JUIh0Z6GXZ/8L RsAYvebaOMQuQ==
Date: Sat, 28 Jan 2023 00:51:38 -0600
From: Nico Williams <nico@cryptonector.com>
To: Simo Sorce <simo@redhat.com>
Cc: Rick van Rein <rick@openfortress.nl>, kitten@ietf.org
Message-ID: <Y9TF+tM+J07Vbcrn@gmail.com>
References: <20230127160101.GB635@openfortress.nl> <048e6943f02302bb5cf7b8c55521931ce3748d30.camel@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <048e6943f02302bb5cf7b8c55521931ce3748d30.camel@redhat.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/KX4QwiBdOfgPNWrkc3KcvpWK_0Q>
Subject: Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jan 2023 06:51:52 -0000

On Fri, Jan 27, 2023 at 08:43:51PM -0500, Simo Sorce wrote:
> *However* the main issue that plagues HTTP(s) when it comes to
> authentication is the requirement to re-authenticate each request
> because clients tend to create a new connection every time they want to
> make a new request.

The answer to this is always cookies.  And with H2 the cookie only
really has to go over the wire once (in each direction).

> I would like to see a standardized mechanism to return a bearer token
> (aka session cookie) that allows the client to retain (if they want) an
> authorization token to be used in following requests.
> 
> The last thing we need is for people to invent their own caching
> mechanisms to prevent browsers or other client from constantly
> prompting for credentials on naive configurations.

There must be generic cookie construction schemes out there.  It'd be
nice to have a standard, but obviously much cookie contents beyond
obvious things like expiration times is going to all be application-
specific.

This is all mostly a solved problem in frameworks and libraries.  It's
not a pressing problem.  I wouldn't hold up any other auth work over it.

> The mechanism to deal with "sessions" should be built-in, not an
> exercise left to the reader.

"But HTTP is stateless!"  HTTP does have state and sessions: via
cookies.  And H2 adds header compression which essentially makes HTTP
much more "aware of connections" than H1, but the semantics don't
change, and it's still all about keeping state via cookies.  There's no
changing this.

Nico
--

v2.23.0 | Report a Bug | By Email