Re: Authentication and TCP Connection State

Dear Michael,

such properties are only true for "some" set of HTTP authentications,
and NTLM is one of them, unfortunately.
It's against the HTTP/1.1 spec and will be broken in HTTP/2.

Some multi-hop HTTP authentications,
especially all of those currently discussed in the HTTPAUTH WG,
are not associated with any TCP connections,
and will work well with both HTTP/1.1 and HTTP/2.

A workaround for NTLM in HTTP/2 is proposed in
Montenegro's draft, as mentioned in other replies.


2014-10-04 1:10 GMT+09:00 Michael B Allen <ioplex@gmail.com>:
> An HTTP authentication sequence looks something like:
>
>     C: GET /some/thing/6678
>     S: 401 Unauthorized
>        WWW-Authenticate: MyAwsomeAuth XlwYXNzd29yZA...
>
>     C: GET /some/thing/6678
>        Authorization: NTLM MyAwsomeAuth bGxXwYXbxXlYX...
>     S: 200 OK
>
> The way this is implemented on the server is to create some
> authentication state and associate it with the client TCP connection
> using the client's IP and remote port as an index into a map of
> ongoing authentication state objects.
>
> My question is, can HTTP/2 clients submit multiple requests on the
> same TCP connection without waiting for responses?
>
> If yes, how could HTTP authentication possibly work when there would
> be no way to lookup the correct authentication state object associated
> with the submitted auth token?
>
> To be more specific, authentication almost always involves sending the
> client some random data (let's call it a "challenge") that the client
> must then transform using a shared secret and submit that to the
> server (let's call it a "response"). So if the server gets two
> authentication "response" tokens in sequence, how can the server know
> which authentication state object matches the supplied response?
> Meaning it is not possible to match the "response" with its "challenge".
>
> Mike
>



-- 
Yutaka OIWA, Ph.D.
          Planning Officer, Research Planning office for IT and Electronics
           (also: Senior Researcher, Research Institute for Secure Systems)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]

Received on Sunday, 5 October 2014 04:09:46 UTC
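The mismatch Michael describes, reduced to a runnable Python model (an added example, not code from the thread or from any draft): one server keys its pending challenges by (client IP, remote port) and silently loses track when two requests on the same connection are challenged before either reply comes back; the other keys them by an opaque identifier returned with the challenge, so the state no longer depends on the TCP connection. The HMAC-based challenge/response, the shared secret, the client address and the opaque-id design are all constructed for illustration, not taken from NTLM or from any HTTPAUTH WG document.

```python
import hashlib
import hmac
import secrets

SHARED_SECRET = b"demo-shared-secret"  # constructed; real servers derive it per user


def compute_response(challenge: bytes) -> bytes:
    """Client side: transform the server's challenge with the shared secret."""
    return hmac.new(SHARED_SECRET, challenge, hashlib.sha256).digest()


def _check(nonce, response) -> bool:
    return nonce is not None and hmac.compare_digest(response, compute_response(nonce))


class ConnectionKeyedServer:
    """Pending challenges indexed by (client IP, remote port), as in the quoted message."""
    def __init__(self):
        self._pending = {}
    def challenge(self, conn):
        self._pending[conn] = secrets.token_bytes(16)  # second request overwrites the first
        return self._pending[conn]
    def verify(self, conn, response):
        return _check(self._pending.pop(conn, None), response)  # single use


class OpaqueKeyedServer:
    """Pending challenges indexed by an opaque id sent with the challenge; no TCP dependency."""
    def __init__(self):
        self._pending = {}
    def challenge(self):
        sid, nonce = secrets.token_hex(8), secrets.token_bytes(16)
        self._pending[sid] = nonce
        return sid, nonce
    def verify(self, sid, response):
        return _check(self._pending.pop(sid, None), response)  # single use, so no replay


def multiplexed_connection_keyed():
    """Two requests on one connection; both 401 challenges are issued before either reply."""
    conn, srv = ("192.0.2.10", 51234), ConnectionKeyedServer()  # constructed address
    c1, c2 = srv.challenge(conn), srv.challenge(conn)  # c2 silently replaces c1
    r1, r2 = compute_response(c1), compute_response(c2)
    return srv.verify(conn, r1), srv.verify(conn, r2)  # r1 checked against c2, then nothing left


def multiplexed_opaque_keyed():
    """Same two in-flight requests; replies arrive out of order but still pair up."""
    srv = OpaqueKeyedServer()
    (s1, c1), (s2, c2) = srv.challenge(), srv.challenge()
    r1, r2 = compute_response(c1), compute_response(c2)
    ok2, ok1 = srv.verify(s2, r2), srv.verify(s1, r1)
    return ok1, ok2, srv.verify(s1, r1)  # third value: a replayed response is rejected
```

With connection keying both multiplexed requests fail authentication even though both clients answered correctly; with the opaque id both succeed and a replayed response is still refused.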