Re: [secdir] proxies and forwarding of credentials, was: SECDIR review of draft-ietf-httpbis-p7-auth-24

Stephen Kent <kent@bbn.com> Fri, 01 November 2013 13:55 UTC

Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F8DC11E8397 for <secdir@ietfa.amsl.com>; Fri, 1 Nov 2013 06:55:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.445
X-Spam-Level:
X-Spam-Status: No, score=-106.445 tagged_above=-999 required=5 tests=[AWL=0.154, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uOxV7CLk70ym for <secdir@ietfa.amsl.com>; Fri, 1 Nov 2013 06:55:27 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id A163A11E83AC for <secdir@ietf.org>; Fri, 1 Nov 2013 06:54:43 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:52722 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1VcFB2-000LY5-3q; Fri, 01 Nov 2013 09:54:16 -0400
Message-ID: <5273B287.7010205@bbn.com>
Date: Fri, 01 Nov 2013 09:54:15 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: Mark Nottingham <mnot@mnot.net>
References: <52700DE4.8020208@bbn.com> <52725E8E.50106@greenbytes.de> <5272B71B.1070607@bbn.com> <679A359D-AB27-4DA7-AAD0-59290DA1DF23@mnot.net>
In-Reply-To: <679A359D-AB27-4DA7-AAD0-59290DA1DF23@mnot.net>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Cc: secdir <secdir@ietf.org>, Pete Resnick <presnick@qti.qualcomm.com>, "Julian F. Reschke" <julian.reschke@greenbytes.de>, Mark Nottingham <mnot@pobox.com>, "Mankin, Allison" <amankin@verisign.com>, HTTP Working Group <ietf-http-wg@w3.org>, Barry Leiba <barryleiba@computer.org>, Roy Fielding <fielding@gbiv.com>
Subject: Re: [secdir] proxies and forwarding of credentials, was: SECDIR review of draft-ietf-httpbis-p7-auth-24
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Nov 2013 13:55:33 -0000

Mark,

> It entirely depends upon the way that they’re cooperating… sometimes you’d want to forward them, sometimes not. If we were defining a proxy authentication cooperation protocol here, I could understand a MUST here, but as we’re not, I don’t think we want to constrain how one might operate…
>
OK. Just make sure the text doesn't appear to give contradictory 
messages wrt this topic.
The description of what a proxy relay does, or does not, do needs to be 
a bit clearer, so
that the MAY seems appropriate.
Steve