Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list

Nico Williams <nico@cryptonector.com> Tue, 07 February 2023 19:50 UTC

Date: Tue, 07 Feb 2023 13:50:18 -0600
From: Nico Williams <nico@cryptonector.com>
To: kitten@ietf.org
Message-ID: <Y+Kreuw/iH3Jkcan@gmail.com>
References: <20230127160101.GB635@openfortress.nl> <Y9QOTlS5Pmv47brx@gmail.com> <Y9QRD8iRrpOqATqZ@gmail.com> <20230207103043.GC30583@openfortress.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20230207103043.GC30583@openfortress.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/aaDOFj-djc6yAIY7YjIM2Xp0M3A>
Subject: Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

On Tue, Feb 07, 2023 at 10:30:43AM +0000, Rick van Rein wrote:
> > I suppose there are two ways to do this, either:
> > 
> >  - include the SASL mechanism name registry as-is in the HTTP
> >    authentication scheme registry
> > 
> >  - same but with a prefix (e.g., "SASL-") such that IANA need only
> >    reserve the prefix in the HTTP authentication scheme registry.
> 
> There would still be a need to map the SASL-* names to HTTP, which
> could be done as my draft suggests.  Yes, that'd be a design alternative.

There would be one generic mapping of SASL semantics onto HTTP
authentication scheme semantics, and every SASL mechanism `X` that is
usable in HTTP would have an HTTP authentication scheme name of
`SASL-X`.

I believe the mapping of SASL semantics onto HTTP authentication scheme
semantics is straightforward.  The only interesting impedance mismatch is
the one related to multiple round trips, but Negotiate already deals with
that.

> I don't think this solves a problem, but it surely is another way of
> doing this.

There probably exist HTTP user-agent implementations for which this way
will make implementation easier, while I can't imagine how the other way
does the same.

BTW, arguably HTTP authentication schemes map onto SASL easily enough
too.  So perhaps one could "unify" the two things.  I.e., if you get a
401 advertising SCRAM but also SASL-SCRAM, they're one and the same.
This would simplify mechanism selection by allowing a SASL library to
provide a mechanism selection function that accepts both SASL mechanisms
and HTTP authentication schemes.

Nico
--
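The unified selection function Nico sketches above, as an added Python example that is not code from this thread or from any SASL library: a `WWW-Authenticate` value is parsed into challenges, each scheme token is folded to one canonical SASL mechanism name (so `SASL-X`, `X` and the lower-case HTTP spellings are the same thing), and the client's own preference order decides, which also keeps a weaker scheme advertised alongside a preferred stronger one from being picked. It assumes the `SASL-` prefix convention from the message; the `Negotiate` to `GSS-SPNEGO` alias table is an illustrative assumption, and `parse_challenges`, `canonical_mechanism` and `select_mechanism` are names chosen here.

```python
import re
from typing import Dict, List, Optional, Tuple

SASL_PREFIX = "SASL-"
# Assumed alias (illustrative, not from the thread): HTTP "Negotiate" carries SPNEGO,
# which SASL names GSS-SPNEGO.
HTTP_TO_SASL = {"NEGOTIATE": "GSS-SPNEGO"}
# A comma followed by an even number of '"' up to end of string is a separator
# outside quoted-strings (backslash-escaped quotes are not handled; rare in practice).
_SEP = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_challenges(header: str) -> List[Tuple[str, str]]:
    """Return [(scheme, raw_params)] for each challenge in a WWW-Authenticate value."""
    challenges: List[Tuple[str, str]] = []
    for piece in (p.strip() for p in _SEP.split(header)):
        if not piece:
            continue
        head, _, rest = piece.partition(" ")
        if "=" in head and challenges:  # 'key=value' continues the previous challenge
            scheme, params = challenges[-1]
            challenges[-1] = (scheme, f"{params}, {piece}".strip(", "))
        else:
            challenges.append((head, rest.strip()))
    return challenges


def canonical_mechanism(name: str) -> str:
    """Fold an HTTP scheme or SASL mechanism name to one canonical SASL name."""
    n = name.upper()  # HTTP scheme names are case-insensitive; SASL names are upper-case
    if n.startswith(SASL_PREFIX):
        n = n[len(SASL_PREFIX):]
    return HTTP_TO_SASL.get(n, n)


def select_mechanism(header: str, preference: List[str]) -> Optional[Tuple[str, str]]:
    """Pick the client's most-preferred advertised mechanism, or None.

    Returns (canonical SASL name, scheme token exactly as advertised). The
    client's order wins, so a weak scheme offered next to a stronger one the
    client prefers is never selected.
    """
    offered: Dict[str, str] = {}
    for scheme, _params in parse_challenges(header):
        offered.setdefault(canonical_mechanism(scheme), scheme)  # first token wins
    for mech in preference:
        key = canonical_mechanism(mech)
        if key in offered:
            return key, offered[key]
    return None
```

The second element of the result is the token to echo back in `Authorization`, so a client that selected via the SASL name still answers with whichever spelling the server advertised.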