IETF Logo Mail Archive

Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list

Ken Hornstein <kenh@pobox.com> Wed, 08 February 2023 01:50 UTC

Return-Path: <kenh@pobox.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EA79C14CE2D for <kitten@ietfa.amsl.com>; Tue, 7 Feb 2023 17:50:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pobox.com header.b="2g8UseU4"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="bhoXfn2F"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rf8KHub5zCsO for <kitten@ietfa.amsl.com>; Tue, 7 Feb 2023 17:50:21 -0800 (PST)
Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C047C14CE29 for <kitten@ietf.org>; Tue, 7 Feb 2023 17:50:21 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailout.west.internal (Postfix) with ESMTP id 1646B32004ED for <kitten@ietf.org>; Tue, 7 Feb 2023 20:50:20 -0500 (EST)
Received: from imap44 ([10.202.2.94]) by compute6.internal (MEProxy); Tue, 07 Feb 2023 20:50:20 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pobox.com; h=cc :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm2; t=1675821019; x=1675907419; bh=0sV6X47f/1 AN4Dn4AT7FDejtEKssTK9jrKbgi+ghizI=; b=2g8UseU4l5q9klgEICKi9br77H 3rQkbzsVZcSPRDqFxgvs/KTKIQW6h9BOTMtDFCm4S7lpO5ODfvdliyLjcLLcO/5j 4idZgFUfnLTJN0k4Sx2FsBZQV+O7CXac4LOUEiM7aB2kJX5j3KYGx1T0XtXROIMn yRkBhYU645a1ouArYcaoEWVBWSmP3GDApB2D1l74jqSGluus6w32A7Xlg3mS4skx womTsJ/peg7+kG/u/L3CHAE9pljiaR516Fquxg2uPkR2JMgY7Go/mPBO0q8/DdWU S0ImPRrjn3i0nn1C/Xjdei+5RumWmagqnvlDYgorIAV3ILk7+KEKfTvneZbQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:date:feedback-id :feedback-id:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm3; t=1675821019; x=1675907419; bh=0sV6X47f/1AN4Dn4AT7FDejtEKss TK9jrKbgi+ghizI=; b=bhoXfn2FmN4IE5B04Ml06BfCtP2HwaQh5MjNVCcDFfmp oLupoXKVvQjTPjFuiGetrcZaKk12vOffXNYUoBj25V/H/1Tk9JbVINiEzIcOC2Q9 mf5APN3b1dBlb20VZJB+TXwm1bNonIgQDtNaVrzW6CR0Bg4lkpuKRPBhplL8tCuO E5hyYwVuuDvwJVXCUD0d0NZ6Qx+7zqDruGJW3csx3Xiny9JVRBR2TDzfJm0BmTQE 2dZAcIcjRyA09GCYDkGwjT9rDpiRFqFGoiVnlHyvQAOS6fatJJGELBYGGcKnyLut K5ZEnxg3ozqcJCBgagrMRZhLFoiSj7UCQMb7CRo36g==
X-ME-Sender: <xms:2__iY2t0s0k6FHrZcKpp6hJCXk4K4SEOatRaJ3FX51OQc2ZpXvT51g> <xme:2__iY7fPmgBX2ru2eLPcS-62GVgy0LehUh2qoccPf15wV1yhT-9xVX10Yn1gJRlqG x1RVjwLcWw_LpXJtuQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrudegledgfeekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsegrtd erreerredtnecuhfhrohhmpedfmfgvnhcujfhorhhnshhtvghinhdfuceokhgvnhhhsehp ohgsohigrdgtohhmqeenucggtffrrghtthgvrhhnpefgudeggefgfedvveejueeukeelte ejtedtfedthfefiedtffeukefgkefgvddtueenucffohhmrghinhephhhtthhpuhhsvghr qdgrghgvnhhtlhgrhigvrhdrhihouhenucevlhhushhtvghrufhiiigvpedtnecurfgrrh grmhepmhgrihhlfhhrohhmpehkvghnhhesphhosghogidrtghomh
X-ME-Proxy: <xmx:2__iYxwznX5F3KxTJA5Fas1p1JxDcz0z9cZJh2voAV8XuepDCSPuyQ> <xmx:2__iYxNXjc8GV_mXnrWR0zSW8qxH-9Ywzhapy5SMtF8s74l0T6VttA> <xmx:2__iY2_pMFdxf2s80mP76ACfzT6GpaV15B7jVqVaJyzQMrTXvhgLUw> <xmx:2__iY5LhN8oQvYtZMMQcAP55vvgeD4VBSYxv1_a83WXMsTxrwsmROg>
Feedback-ID: iafe14458:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 72C1E36A0073; Tue, 7 Feb 2023 20:50:19 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-156-g081acc5ed5-fm-20230206.001-g081acc5e
Mime-Version: 1.0
Message-Id: <60a48e1d-b0a1-44ad-9316-4d2982912553@app.fastmail.com>
In-Reply-To: <Y+J9Gj4rrZnbqHs5@gmail.com>
References: <20230127160101.GB635@openfortress.nl> <Y9QOTlS5Pmv47brx@gmail.com> <20230207102348.GA30583@openfortress.nl> <Y+J9Gj4rrZnbqHs5@gmail.com>
Date: Tue, 07 Feb 2023 20:49:59 -0500
From: Ken Hornstein <kenh@pobox.com>
To: kitten@ietf.org
Content-Type: multipart/alternative; boundary="127b09bce0454573a3a5c94ed2a0313b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/VyekxEtiuTBagYRR1nF-Jbsosgo>
Subject: Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2023 01:50:26 -0000

On Tue, Feb 7, 2023, at 11:32 AM, Nico Williams wrote:
> And here we have the motivation for advertising SASL mechanisms
> together: that SASL APIs generally have a function the implements
> mechanism selection given the set of mechanisms advertised by the
> server, and not using those APIs means replicating the mechanism
> selection complexity at the HTTP user-agent layer.

You know, I've thought a fair amount about this and I've never really been convinced that having the API pick the "best" mechanism out of a list is a good idea in the general case.

First, in my experience it's easy to get this wrong. I've seen a bunch of cases where the "best" mechanism ends up being the wrong one chosen for a particular user. This can happen if (for example) your server advertises that it supports a mechanism like GSSAPI but not all of your users are using that mechanism. The aforementioned SASL APIs generally don't have the ability to determine if you can actually use a particular mechanism until the authentication sequence starts, and by then it's effectively too late.

Secondly, automatic negotiation tends to "flatten" error reporting. In theory this shouldn't be a problem, but from what I've seen more mass market applications tend to want to have relatively simple error reporting and they don't give you the "real" errors; it's something vague like "The password was rejected" because that's the problem 90% of the time, but not always.  And that doesn't really tell you WHICH mechanism it tried.

Thirdly, it never seemed to be a good idea to me to automatically pick a security mechanism; it seems like what you really want is to specify it explicitly. Most of the SASL security mechanisms have very different properties and they're not interchangeable. I realize that's not true for all of them and some would be an upgrade from older mechanisms, but it's not true in the general case. The better applications I've seen that support SASL require you to explicitly pick the mechanism you expect to be using. I realize that is not the norm in the HTTP world today, but that seems to me to be because there is mostly ONE authentication mechanism (basic) in use today. I could see a case where a HTTP user-agent tries a bunch of mechanisms and the first one that succeeds it remembers and picks that one the next time.

This is kind of rambling, and getting back to your original point advertising SASL mechanisms together is probably still worthwhile.

--Ken

v2.23.0 | Report a Bug | By Email