Re: [Secdispatch] I-D on dealing with the 3xx XOR 401 problem

Nico Williams <nico@cryptonector.com> Tue, 31 March 2020 22:29 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76C503A0BDB for <secdispatch@ietfa.amsl.com>; Tue, 31 Mar 2020 15:29:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.199
X-Spam-Level:
X-Spam-Status: No, score=-0.199 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b3HwRgEtbUcK for <secdispatch@ietfa.amsl.com>; Tue, 31 Mar 2020 15:29:17 -0700 (PDT)
Received: from buffalo.birch.relay.mailchannels.net (buffalo.birch.relay.mailchannels.net [23.83.209.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C05583A0BD9 for <secdispatch@ietf.org>; Tue, 31 Mar 2020 15:29:17 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id D1AD420E27; Tue, 31 Mar 2020 22:29:16 +0000 (UTC)
Received: from pdx1-sub0-mail-a83.g.dreamhost.com (100-96-44-34.trex.outbound.svc.cluster.local [100.96.44.34]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 5FA2320BD2; Tue, 31 Mar 2020 22:29:16 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a83.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.18.6); Tue, 31 Mar 2020 22:29:16 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Slimy-Daffy: 314eb42b3a3fec66_1585693756637_2551645543
X-MC-Loop-Signature: 1585693756637:630118915
X-MC-Ingress-Time: 1585693756636
Received: from pdx1-sub0-mail-a83.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a83.g.dreamhost.com (Postfix) with ESMTP id 1C765B0CFA; Tue, 31 Mar 2020 15:29:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=gyyv1+pgqMrube EJO5roYp9KgOs=; b=kkuR1la7Y/P6OBpb0yLEjd+L3r8A/ShUAWJ/itICIV5U7D 7jkoF3u4pgH8mTYTDxvNAlxj+FInYlAHQPXp+XJb0GpeZIvhaBD5/16XdKw6TnBc kAwU9EuVMOe09341zytPeRY/vosJL3J/ooaTZhE+CvEeXnTxQt8hPJOt0r2To=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a83.g.dreamhost.com (Postfix) with ESMTPSA id BAD4BB0D13; Tue, 31 Mar 2020 15:29:14 -0700 (PDT)
Date: Tue, 31 Mar 2020 17:29:12 -0500
X-DH-BACKEND: pdx1-sub0-mail-a83
From: Nico Williams <nico@cryptonector.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: ietf-http-wg@w3.org, secdispatch@ietf.org
Message-ID: <20200331222910.GV18021@localhost>
References: <20200329043333.GO18021@localhost> <20200331020629.GD50174@kduck.mit.edu> <20200331045953.GP18021@localhost> <20200331055054.GQ18021@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200331055054.GQ18021@localhost>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: -100
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduhedrtddtgddufeelucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftfghnshhusghstghrihgsvgdpffftgfetoffjqffuvfenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepfffhvffukfhfgggtuggjfgesthdtredttdervdenucfhrhhomheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqeenucfkphepvdegrddvkedruddtkedrudekfeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehlohgtrghlhhhoshhtpdhinhgvthepvdegrddvkedruddtkedrudekfedprhgvthhurhhnqdhprghthheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqedpmhgrihhlfhhrohhmpehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmpdhnrhgtphhtthhopehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhm
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/FKS2Xb0g5gAYSBWbKetNPJYnUX8>
Subject: Re: [Secdispatch] I-D on dealing with the 3xx XOR 401 problem
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Mar 2020 22:29:19 -0000

I've submitted a -01 with these changes:

 - better documented the motivation for the new Accept headers (improved
   interop without having to modify HTTP implementations, just
   applications)

 - removed special values of Accept-Auth

 - added Accept-Redirect and Accept-Redirect-Auth headers

 - for the Redirect auth scheme, limit preservation of the Authorization
   header and add an Authorization-Request header that is always
   preserved

 - expanded discussion of redirect-based auth protocols

 - improved Security and IANA Considerations text

 - misc changes

The new Accept headers and the new auth scheme are now much more
separable.  This I-D could now be split into two I-Ds.

Nico
--