Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list
Russ Allbery <eagle@eyrie.org> Sun, 29 January 2023 00:20 UTC
Return-Path: <eagle@eyrie.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9144BC14CF1C for <kitten@ietfa.amsl.com>; Sat, 28 Jan 2023 16:20:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.196
X-Spam-Level:
X-Spam-Status: No, score=-4.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id onm0VlaAYlMU for <kitten@ietfa.amsl.com>; Sat, 28 Jan 2023 16:20:46 -0800 (PST)
Received: from haven.eyrie.org (haven.eyrie.org [IPv6:2001:470:30:84:e276:63ff:fe62:3539]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF853C14CF1B for <kitten@ietf.org>; Sat, 28 Jan 2023 16:20:46 -0800 (PST)
Received: from lothlorien.eyrie.org (96-90-234-101-static.hfc.comcastbusiness.net [96.90.234.101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by haven.eyrie.org (Postfix) with ESMTPS id 38A4811835C for <kitten@ietf.org>; Sat, 28 Jan 2023 16:20:44 -0800 (PST)
Received: by lothlorien.eyrie.org (Postfix, from userid 1000) id 27C85B410C3; Sat, 28 Jan 2023 16:20:42 -0800 (PST)
From: Russ Allbery <eagle@eyrie.org>
To: kitten@ietf.org
In-Reply-To: <87a622tdd1.fsf@hope.eyrie.org> (Russ Allbery's message of "Sat, 28 Jan 2023 16:04:42 -0800")
Organization: The Eyrie
References: <20230127160101.GB635@openfortress.nl> <048e6943f02302bb5cf7b8c55521931ce3748d30.camel@redhat.com> <20230128215854.629841D6333@pb-smtp20.pobox.com> <87a622tdd1.fsf@hope.eyrie.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
Date: Sat, 28 Jan 2023 16:20:42 -0800
Message-ID: <875ycqtcmd.fsf@hope.eyrie.org>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/pa5zJ73I8UthSAINPOoP_YZ7dxg>
Subject: Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Jan 2023 00:20:50 -0000
Russ Allbery <eagle@eyrie.org> writes: > I was curious after reading the initial message how this new proposal > planned to deal with the multi-step authentication negotiation process > in HTTP. Maybe that's being discussed on the other list? I've now looked at the spec, and it looks like this is being handled with 401 or 407 responses plus embedding the server state in the response and expecting the client to reflect it on subsequent requests. I think this would work theoretically (at least I don't see why it wouldn't), but I'm very curious about how widely this has been tested in HTTP scenarios involving round-robin load-balancing. Making the client replay the state provides enough of a theoretical hook to allow moving an in-progress authentication session from one backend server to another, but has this been done in practice with Cyrus SASL and similar SASL libraries? My first reaction is that this is asking a lot of the SASL library on the server side to be able to reconstitute and continue a halfway-constructed SASL session that was negotiated by a different server, but maybe that first reaction is erroneous. -- Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>
- [kitten] Stating support for HTTP-SASL on the HTT… Rick van Rein
- Re: [kitten] Stating support for HTTP-SASL on the… stef
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Simo Sorce
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Ken Hornstein
- Re: [kitten] Stating support for HTTP-SASL on the… Russ Allbery
- Re: [kitten] Stating support for HTTP-SASL on the… Russ Allbery
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Rick van Rein
- Re: [kitten] Stating support for HTTP-SASL on the… Rick van Rein
- Re: [kitten] Stating support for HTTP-SASL on the… Rick van Rein
- Re: [kitten] Stating support for HTTP-SASL on the… Rick van Rein
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Simo Sorce
- Re: [kitten] Stating support for HTTP-SASL on the… Russ Allbery
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams
- Re: [kitten] Stating support for HTTP-SASL on the… Ken Hornstein
- Re: [kitten] Stating support for HTTP-SASL on the… Nico Williams