Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list

Nico Williams <nico@cryptonector.com> Sun, 29 January 2023 04:31 UTC

Date: Sat, 28 Jan 2023 22:31:35 -0600
From: Nico Williams <nico@cryptonector.com>
To: Russ Allbery <eagle@eyrie.org>
Cc: kitten@ietf.org
Message-ID: <Y9X2p8kX2mjMQR5l@gmail.com>
References: <20230127160101.GB635@openfortress.nl> <048e6943f02302bb5cf7b8c55521931ce3748d30.camel@redhat.com> <20230128215854.629841D6333@pb-smtp20.pobox.com> <87a622tdd1.fsf@hope.eyrie.org>
In-Reply-To: <87a622tdd1.fsf@hope.eyrie.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/fg3zJo9t43wCT7UDhDQ6ONV8b1E>
Subject: Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

On Sat, Jan 28, 2023 at 04:04:42PM -0800, Russ Allbery wrote:
> Ken Hornstein <kenh@pobox.com> writes:
> > I am DEFINITELY not the expert here, but in my limited experience in this
> > area it seems like OIDC is being used for this purpose more and more.
> 
> One of the advantages of OpenID Connect is that it allows for multi-step
> authentication processes (choosing from multiple possible authentication
> identities, having to provide multiple authenticators, mutual
> authentication if one wants more than just TLS cert checking).  SASL also
> supports multi-step authentication, but HTTP Authorization headers don't
> really, which has plagued SASL-style authentication mechanisms for HTTP
> for many years.

An HTTP authentication scheme's WWW-Authenticate: certainly could carry
an encrypted state cookie, and it could have that state returned in
Authorization: headers.  Or it could specify new headers, naturally,
though I think it would be better to just use the WWW-Authenticate: and
Authorization: headers because that will be better supported by, e.g.,
filtering MITM proxies and the like.

Nico
--
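One way to realise the encrypted state cookie Nico describes, as an added example that is not from this thread or from any HTTP-SASL draft: the server seals its multi-step state with AES-GCM, places the token in a parameter of the WWW-Authenticate challenge, and on the next request unseals it from the matching Authorization parameter, accepting nothing it did not produce itself and nothing past its expiry. The AuthState layout, the choice of AES-GCM, and the expiry field are my assumptions, not the thread's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
)
// Constructed state: what the server would otherwise hold between round trips of a multi-step exchange.
type AuthState struct {
	Mech string `json:"mech"` // mechanism chosen in the first step
	Step int    `json:"step"` // step the next Authorization: must continue
	Exp  int64  `json:"exp"`  // unix seconds; bounds replay of a stale cookie
}
func aead(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // a 32-byte key gives AES-256 and cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}
// Seal encrypts and authenticates the state (AES-GCM, random nonce prepended, base64url)
// so the client can echo it back without reading or altering it.
func Seal(key [32]byte, st AuthState) string {
	plain, _ := json.Marshal(st)
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(g.Seal(nonce, nonce, plain, nil))
}
// Unseal accepts only a token Seal produced under this key and that has not expired;
// the caller then checks st.Step against the step the client claims to continue.
func Unseal(key [32]byte, token string, now int64) (st AuthState, err error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	g := aead(key)
	if err != nil || len(raw) < g.NonceSize() {
		return st, errors.New("malformed state cookie")
	}
	plain, err := g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], nil)
	if err != nil { // tampered, truncated, or sealed under another key
		return st, errors.New("state cookie failed authentication")
	}
	if err = json.Unmarshal(plain, &st); err == nil && now > st.Exp {
		err = errors.New("state cookie expired")
	}
	return st, err
}
```

Because the cookie is opaque and integrity-protected, an intermediary that can only see or rewrite headers cannot advance or replay the exchange, which is what makes reusing WWW-Authenticate and Authorization rather than new headers workable.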