Re: Call for Adoption: HTTP Unprompted Authentication

Thanks everyone for the review!

I totally agree that the u= parameter was not intended as a super-cookie
but instead as a key identifier (i.e. what key should the server use to
check the HMAC or signature?). Chris's proposal to rename it from u= to k=
sounds good to me, and also adding text to warn against tracking vectors
sounds warranted. I've filed [1] to track this.

I'll jump into potential solutions to these GitHub issues once the adoption
call is complete.

Thanks,
David

[1]
https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/23

On Tue, Feb 7, 2023 at 12:44 PM Christopher Wood <caw@heapingbits.net> wrote:

> I'm supportive of adopting this draft on the basis of the desired use
> cases. They may be rather niche -- and should likely be added to the draft
> [0] -- but I understand them to have value.
>
> I do have some questions about the technical contents, which I've filed
> issues to track [1,2,3,4,5]. I'm happy to help seek resolution of those on
> GitHub.
>
> Are there any implementations of this mechanism yet? I would be happy to
> help provide an implementation of the server piece for interop tests.
>
> Best,
> Chris
>
> [0]
> https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/22
> [1]
> https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/17
> [2]
> https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/18
> [3]
> https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/19
> [4]
> https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/20
> [5]
> https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/21
>
> > On Feb 7, 2023, at 12:58 AM, Mark Nottingham <mnot@mnot.net> wrote:
> >
> > Hello everyone,
> >
> > We first discussed this draft at IETF114 [1], saw implementation
> > interest at IETF115 [2], and finally had some more list discussion.
> >
> > This is a Call for Adoption for:
> >
> > https://www.ietf.org/archive/id/draft-schinazi-httpbis-unprompted-auth-01.html
> >
> > Please indicate (in response to this message) whether you support
> > adoption, and whether you intend to implement.
> >
> > The CfA will last for two weeks.
> >
> > Cheers,
> >
> >
> > 1. https://httpwg.org/wg-materials/ietf114/minutes.html#transport-auth-david-schinazi
> > 2. https://httpwg.org/wg-materials/ietf115/minutes.html#unprompted-auth
> >
> > --
> > Mark Nottingham   https://www.mnot.net/

Received on Tuesday, 7 February 2023 22:03:10 UTC