Re: [Wish] Authentication for resource url

Juliusz Chroboczek <jch@irif.fr> Mon, 13 September 2021 16:14 UTC

Date: Mon, 13 Sep 2021 18:14:28 +0200
Message-ID: <87ee9sfo63.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: Adam Roach <adam@nostrum.com>
Cc: Matt Ward <mattward@mux.com>, Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>, WISH List <wish@ietf.org>
In-Reply-To: <66b34dab-7a67-656e-d619-c5109ca99bbb@nostrum.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/VLXckxZaLdydoB0cCSPbOPuzA3o>

> I understand the motivation, but this doesn't get us to
> interoperability. We need a baseline, mandatory-to-implement
> authentication method for both client and server; otherwise, we'll end up
> in a situation where your client implements mechanism A, my network
> implements mechanism B, and your users can't use my network.

Yes, and that is why I suggested HTTP Basic instead of bearer token.

Most servers today implement authentication using a username/password
pair.  While this is certainly not the most secure solution, it is well
understood by users, and is therefore likely to remain the main mode of
authentication for the foreseeable future.

With HTTP Basic, it is perfectly clear how to map a username/password pair
to the protocol.  With bearer token, the client and the server need to
both agree on how to map the username/password pair to a token, and
I expect different implementations to use different mappings, with all the
fun that this entails.

So I suggest that for clients:

  - support for unauthenticated WISH over HTTPS is MUST;
  - support for HTTP Basic over HTTPS is MUST;
  - support for other authentication methods is MAY.

If that is not what Sergio has in mind, then the draft needs to mandate an
unambiguous and deterministic way of mapping a username/password pair to
an authentication method.

-- Juliusz
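To make the interoperability point concrete, here is an added Python example (not code from this thread or from the WISH draft) of the fixed RFC 7617 mapping on both sides: the client builds the Authorization header from a username/password pair, and the server parses it back and checks it against a hashed credential store. The `ingest` user, its password and the store are constructed for the demo; as the post assumes, the header is only ever sent over HTTPS.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Constructed credential store: username -> (salt, PBKDF2 hash). A real WISH
# server would keep hashed credentials like this rather than plaintext.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = secrets.token_bytes(16)
CREDENTIALS = {"ingest": (_SALT, _hash_password("s3cret:with:colons", _SALT))}

def basic_authorization(username: str, password: str) -> str:
    """Client side (RFC 7617): Authorization header for a username/password pair.
    The mapping is fixed by the spec, so any client and any server agree on it."""
    if ":" in username:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic(header: str):
    """Server side: recover (username, password) from the Authorization header,
    or None if it is not well-formed Basic. Only the first ':' splits the pair,
    so passwords may themselves contain colons."""
    scheme, _, param = header.strip().partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        raw = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, pwd = raw.partition(":")
    if not sep:
        return None
    return user, pwd

def authenticate(header: str) -> bool:
    """Server side: verify the pair against the hashed store in constant time."""
    creds = parse_basic(header)
    if creds is None:
        return False
    user, pwd = creds
    salt, expected = CREDENTIALS.get(user, (b"", b""))
    if not salt:
        # Hash anyway so unknown-user and wrong-password take similar time.
        _hash_password(pwd, _SALT)
        return False
    return hmac.compare_digest(_hash_password(pwd, salt), expected)
```

A server that wants to advertise the scheme answers an unauthenticated request with `401` and `WWW-Authenticate: Basic realm="..."`, which is all a client needs to know to produce the header above.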