IETF Logo Mail Archive

Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list

Simo Sorce <simo@redhat.com> Sat, 28 January 2023 01:43 UTC

Return-Path: <simo@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF518C14CF0D for <kitten@ietfa.amsl.com>; Fri, 27 Jan 2023 17:43:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dRKuNh9r0IBX for <kitten@ietfa.amsl.com>; Fri, 27 Jan 2023 17:43:55 -0800 (PST)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A37DC14F747 for <kitten@ietf.org>; Fri, 27 Jan 2023 17:43:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1674870234; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=I+BSCSpuFcDLVyQdhgcZYUsURYSMEVV5DVqfhUzeK1A=; b=hp3H0eelX45CMFZQh7DNfKEqfx5s1DWW/xkYbX0iEpQzCER8l5tZKGLlarbUIZCsf/s0Do iURjp0LGipt4/N+e6X9HOYbkhEDT8oOzRx9j6+HNBrUxu7iWFoZWqnJBICxotjCZDxkSTD LZO26+9YlfZt4WW/ZhkZn7DakY9NhuQ=
Received: from mail-qk1-f200.google.com (mail-qk1-f200.google.com [209.85.222.200]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-206-09LJ48HpMACVVg50Kw5pGA-1; Fri, 27 Jan 2023 20:43:52 -0500
X-MC-Unique: 09LJ48HpMACVVg50Kw5pGA-1
Received: by mail-qk1-f200.google.com with SMTP id u11-20020a05620a430b00b007052a66d201so4033523qko.23 for <kitten@ietf.org>; Fri, 27 Jan 2023 17:43:52 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=mime-version:user-agent:content-transfer-encoding:organization :references:in-reply-to:date:to:from:subject:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=I+BSCSpuFcDLVyQdhgcZYUsURYSMEVV5DVqfhUzeK1A=; b=Fb39eA8R/xLO48nVqyo4+77NRGX+c0JEOYIMrNsLnHgR0aZape+MhaxWKOrTrjK3Xr OXf/C/GsRhNQROmREiakwqXPAkt4PoKVTpqm+iXqgOEd5Oy4EFDH5fKDWxJFQgUSXsEc tbnYLyoj3uvUqDW4lHgF5KLsoP7xrp/CD2K5gZRmpM0golbc6zER8uEzFs9/WJsvvj6A FrXCisVpHfH+piEvfL1+Mv6Ipfud7WxerKt4Epn9sR7b6s74JNk4/oKkGmEeARSqIcYE h/+TQHZ4l9601SUV+UUXahujrtfHfIhehnZt1XwLZzKRFvPthIUawCwEcG2Uia8+D/U2 tM+A==
X-Gm-Message-State: AFqh2krNNU4tHcO2gJ5GxHvlp7vNu+vVTC47g97ncXN0DWu5mZjdFrPD 1MwVFQdWPm/wk7H8wcNIli7Vvu5AemzbukhtZRNx0wZMtENfRUno4bCNlWfgatY71W8OMDYNPan Oi2wyUC4=
X-Received: by 2002:ac8:5247:0:b0:3b5:fc05:86d3 with SMTP id y7-20020ac85247000000b003b5fc0586d3mr56770853qtn.68.1674870232295; Fri, 27 Jan 2023 17:43:52 -0800 (PST)
X-Google-Smtp-Source: AMrXdXtjVuvdZ1t8tczqFGGQrcROmHcKdA5hp5FJbiLun5bns5x3ZXFgAPbpWw56WBIfVHdntk3Auw==
X-Received: by 2002:ac8:5247:0:b0:3b5:fc05:86d3 with SMTP id y7-20020ac85247000000b003b5fc0586d3mr56770843qtn.68.1674870232019; Fri, 27 Jan 2023 17:43:52 -0800 (PST)
Received: from 2603-7000-9400-fe80-0000-0000-0000-0318.res6.spectrum.com (2603-7000-9400-fe80-0000-0000-0000-0318.res6.spectrum.com. [2603:7000:9400:fe80::318]) by smtp.gmail.com with ESMTPSA id q26-20020ac8411a000000b003b34650039bsm3776675qtl.76.2023.01.27.17.43.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 27 Jan 2023 17:43:51 -0800 (PST)
Message-ID: <048e6943f02302bb5cf7b8c55521931ce3748d30.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Rick van Rein <rick@openfortress.nl>, kitten@ietf.org
Date: Fri, 27 Jan 2023 20:43:51 -0500
In-Reply-To: <20230127160101.GB635@openfortress.nl>
References: <20230127160101.GB635@openfortress.nl>
Organization: Red Hat
User-Agent: Evolution 3.46.3 (3.46.3-1.fc37)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/T0uP11GQFetTCuKtbIJe2vDZWoI>
Subject: Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jan 2023 01:43:58 -0000

On Fri, 2023-01-27 at 16:01 +0000, Rick van Rein wrote:
> Hi,
> 
> The HTTP WG is considering our embedding of SASL in HTTP.  I need
> IETF consensus to be permitted to say "Authorization: SASL", so
> to claim the "SASL" name.
> 
> They want to see some list traffic, to get an idea of interest in
> this mechanism.  If you have any such feelings, please tell them,
> because silence in the busy HTTP WG may cause it to be dropped.
> 
> While we implemented for Apache, Nginx and FireFox, I think this
> opens excellent opportunities for RESTful and other HTTP protocols.
> Would be useful to see those popup on that list.

I think allowing something like SASL in HTTP would finally liberate it
from the old Basic (or worse, digtest-md5) schemes with an elegant way
to "defer to a specialized framework", so I support this in principle.

*However* the main issue that plagues HTTP(s) when it comes to
authentication is the requirement to re-authenticate each request
because clients tend to create a new connection every time they want to
make a new request.

I would like to see a standardized mechanism to return a bearer token
(aka session cookie) that allows the client to retain (if they want) an
authorization token to be used in following requests.

The last thing we need is for people to invent their own caching
mechanisms to prevent browsers or other client from constantly
prompting for credentials on naive configurations.
The mechanism to deal with "sessions" should be built-in, not an
exercise left to the reader.

Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc

v2.23.0 | Report a Bug | By Email