- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sun, 01 Mar 2015 22:44:53 +0100
- To: ietf-http-wg@w3.org
- CC: Amos Jeffries <squid3@treenet.co.nz>
On 2015-02-11 11:10, Amos Jeffries wrote:
> ...
>>> Section 4 uses the term "proxy authentication" referencing RFC 7235.
>>>
>>> In RFC 7235 there is no definition, and only a vague implied explanation
>>> of that term via explaining what the 407 status means.
>>
>> That's a problem of RFC 7235. This spec would be the wrong place to
>> address this.
>>
>> I think proposed text for rfc7235bis would be great.
>>
>>> I believe the text in section 4 should be re-written to match the
>>> per-header descriptions found in RFC 7235 section 4.3/4.3 paragraph 2.
>>
>> Not sure how that would improve things.
>>
>>> With mention specifically about how it differs from Authentication-Info
>>> by being hop-by-hop.
>>
>> Hmm, why is it hop-by-hop?
>
>
> First Proxy-Auth* are explicitly hop-by-hop. This not being so violates
> the principle of least surprise.
>
> It would leak the proxies network credentials related data to the client.
>
> With result such as; In a proxy chain of A<-B<-C<-D<-E with different
> authentications happening in the hop D->C and the hop C->B. If the
> header was treated as end-to-end D would be participating in the B->C
> authentication.
> ...

Now tracked as <https://github.com/httpwg/http-extensions/issues/51>.

Would it be sufficient to steal from <http://greenbytes.de/tech/webdav/rfc7235.html#rfc.section.4.3.p.2>:

"Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the next outbound client on the response chain. This is because only the client that chose a given proxy is likely to have the credentials necessary for authentication. However, when multiple proxies are used within the same administrative domain, such as office and regional caching proxies within a large corporate network, it is common for credentials to be generated by the user agent and passed through the hierarchy until consumed. Hence, in such a configuration, it will appear as if Proxy-Authenticate is being forwarded because each proxy will send the same challenge set."

rewriting it to:

"However, unlike Authentication-Info, the Proxy-Authentication-Info header field applies only to the next outbound client on the response chain. This is because only the client that chose a given proxy is likely to have the credentials necessary for authentication. However, when multiple proxies are used within the same administrative domain, such as office and regional caching proxies within a large corporate network, it is common for credentials to be generated by the user agent and passed through the hierarchy until consumed. Hence, in such a configuration, it will appear as if Proxy-Authentication-Info is being forwarded because each proxy will send the same challenge set." ?

Best regards, Julian
Received on Sunday, 1 March 2015 21:45:27 UTC
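The proxy-chain scenario in the quoted message (A<-B<-C<-D<-E, with authentication on the D->C and C->B hops) can be simulated to show why the hop-by-hop rule matters. The following Python is an added example and is not code from the thread, from the httpwg drafts, or from Squid; the chain, the proxy names and the `nextnonce` values are constructed, and the "consume at each hop" behaviour it implements is the rule Julian proposes to borrow from RFC 7235 section 4.3, not an implementation taken from any proxy.

```python
# Added example (not from the mailing-list thread): simulate how a
# Proxy-Authentication-Info header field travels down a proxy chain when
# it is treated as hop-by-hop versus end-to-end. Chain topology, proxy
# names and header values are constructed for illustration.

# Fields that RFC 7235 makes hop-by-hop, plus the field under discussion:
# the proxy that receives them is the client they were addressed to, so it
# consumes them rather than forwarding them.
HOP_BY_HOP_FIELDS = {"proxy-authenticate", "proxy-authentication-info"}


def strip_hop_by_hop(headers):
    """Return a copy of `headers` (list of (name, value) pairs) without the
    proxy-authentication fields addressed to this hop only."""
    return [(n, v) for n, v in headers if n.lower() not in HOP_BY_HOP_FIELDS]


def forward_response(chain, upstream_headers, hop_by_hop=True):
    """Walk one response down a proxy chain toward the user agent.

    `chain` lists the hops in response order (origin side first, user agent
    last). Each hop is a dict with 'name' and, optionally, 'auth_info': the
    Proxy-Authentication-Info value this hop emits to the downstream client
    that authenticated to it.

    Returns {hop name: [Proxy-Authentication-Info values received]} so the
    exposure at every hop can be inspected.
    """
    seen = {}
    headers = list(upstream_headers)
    for hop in chain:
        seen[hop["name"]] = [v for n, v in headers
                             if n.lower() == "proxy-authentication-info"]
        if hop_by_hop:
            # This hop is the client the field was addressed to: consume it.
            headers = strip_hop_by_hop(headers)
        if hop.get("auth_info"):
            # This hop authenticated its downstream client; answer that client.
            headers.append(("Proxy-Authentication-Info", hop["auth_info"]))
    return seen


# Constructed chain A<-B<-C<-D<-E: the response flows E -> D -> C -> B -> A.
# D authenticates C and C authenticates B; B does not authenticate A.
CHAIN = [
    {"name": "E"},
    {"name": "D", "auth_info": 'nextnonce="d-to-c-nonce"'},
    {"name": "C", "auth_info": 'nextnonce="c-to-b-nonce"'},
    {"name": "B"},
    {"name": "A"},
]
ORIGIN_HEADERS = [("Content-Type", "text/plain")]


def exposure(hop_by_hop):
    """Per-hop view of Proxy-Authentication-Info for the constructed chain."""
    return forward_response(CHAIN, ORIGIN_HEADERS, hop_by_hop=hop_by_hop)


def leaked_to_user_agent(hop_by_hop):
    """Proxy-Authentication-Info values that reach the user agent A."""
    return exposure(hop_by_hop)["A"]


if __name__ == "__main__":
    for mode in (True, False):
        print("hop-by-hop" if mode else "end-to-end", exposure(mode))
```

With hop-by-hop handling, C sees only D's value and B sees only C's, while A sees none; treated end-to-end, both D's and C's values reach A, which is the leak of another hop's authentication data that the quoted message objects to.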