HTTP Unprompted Authentication from David Schinazi on 2022-10-13 (ietf-http-wg@w3.org from October to December 2022)

From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Thu, 13 Oct 2022 11:58:56 -0700
To: HTTP Working Group <ietf-http-wg@w3.org>
Cc: David Oliver <david@guardianproject.info>, Jonathan Hoyland <jonathan.hoyland@gmail.com>, Tommy Pauly <tpauly@apple.com>, Mark Nottingham <mnot@mnot.net>
Message-ID: <CAPDSy+4KzCqEg-Nt5geb5n87KbJuD=v8pRpRWTB6NsOwr=Bh5g@mail.gmail.com>

Hello HTTP enthusiasts,

At IETF 114 we presented HTTP Transport Authentication, a new mechanism
that allowed an HTTP client to authenticate to a server without the server
disclosing
the fact that it requires authentication. There was interest in working in
this space,
but a few issues were raised with the name of the document and its
security. We've
addressed those concerns, added Jonathan as co-author, and renamed
the draft to
"HTTP Unprompted Authentication". Please let us know what you think.

Chairs, we'd like to request some agenda time at IETF 115 please.

Link to editor's copy:
https://davidschinazi.github.io/draft-schinazi-httpbis-transport-auth/draft-schinazi-httpbis-unprompted-auth.html

Thanks,
David


---------- Forwarded message ---------
Name:           draft-schinazi-httpbis-unprompted-auth
Revision:       00
Title:          HTTP Unprompted Authentication
Document date:  2022-10-13
Group:          Individual Submission
Pages:          9
URL:
https://www.ietf.org/archive/id/draft-schinazi-httpbis-unprompted-auth-00.txt
Status:
https://datatracker.ietf.org/doc/draft-schinazi-httpbis-unprompted-auth/
Html:
https://www.ietf.org/archive/id/draft-schinazi-httpbis-unprompted-auth-00.html
Htmlized:
https://datatracker.ietf.org/doc/html/draft-schinazi-httpbis-unprompted-auth


Abstract:
   Existing HTTP authentication mechanisms are probeable in the sense
   that it is possible for an unauthenticated client to probe whether an
   origin serves resources that require authentication.  It is possible
   for an origin to hide the fact that it requires authentication by not
   generating Unauthorized status codes, however that only works with
   non-cryptographic authentication schemes: cryptographic schemes (such
   as signatures or message authentication codes) require a fresh nonce
   to be signed, and there is no existing way for the origin to share
   such a nonce without exposing the fact that it serves resources that
   require authentication.  This document proposes a new non-probeable
   cryptographic authentication scheme.

Received on Thursday, 13 October 2022 18:59:22 UTC