
Re: HTTP Unprompted Authentication

From: Ilari Liusvaara <ilariliusvaara@welho.com>
Date: Thu, 13 Oct 2022 23:06:26 +0300
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <Y0hvwiN0qspglhnq@LK-Perkele-VII2.locald>
On Thu, Oct 13, 2022 at 11:58:56AM -0700, David Schinazi wrote:
> Hello HTTP enthusiasts,
> 
> ---------- Forwarded message ---------
> Name:           draft-schinazi-httpbis-unprompted-auth
> Revision:       00
> Title:          HTTP Unprompted Authentication
> Document date:  2022-10-13
> Group:          Individual Submission
> Pages:          9
> URL:
> https://www.ietf.org/archive/id/draft-schinazi-httpbis-unprompted-auth-00.txt

Some quick comments:

- I do not see a requirement for TLS 1.3 or Extended Master Secret
  anywhere. It is not safe to use TLS Exporters for authentication
  otherwise.

- There is no requirement to include the hash algorithm in signatures.
  There are TLS signature algorithms that mean totally different
  things depending on the hash function, and more of those could
  appear in the future. E.g., signatures 7 and 8 already have double
  meaning (EdDSA [hash 8] and some Chinese stuff [hash 7]).

- The signatures do not appear to be contextualized in any way,
  which is questionable. For example, one could use the same
  contextualization mechanism that TLS 1.3 uses (which prepends
  64 spaces, a context label and NUL [one zero octet]).



-Ilari
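As an added illustration of the second and third points above (not code from the thread or from the draft), the following Python builds the TLS 1.3 contextualized signature input (RFC 8446 section 4.4.3: 64 spaces, context string, one NUL, content) and binds the 2-byte TLS SignatureScheme code point into the signed content so the hash algorithm is covered. The context label, key and exporter bytes are constructed placeholders, and HMAC-SHA256 stands in for the real public-key signature so it runs offline.

```python
# Added example, not from the mailing-list thread or the draft.
# HMAC-SHA256 is a stand-in for the real signature primitive.
import hashlib
import hmac


def tls13_signature_content(context_label: bytes, content: bytes) -> bytes:
    """RFC 8446 section 4.4.3 layout: 64 spaces, context string, one NUL, content."""
    if b"\x00" in context_label:
        raise ValueError("context label must not contain NUL")
    return b" " * 64 + context_label + b"\x00" + content


def bind_scheme(scheme: int, exporter_output: bytes) -> bytes:
    """Prefix the 2-byte TLS SignatureScheme code point so the hash
    algorithm becomes part of what is signed (second point above)."""
    return scheme.to_bytes(2, "big") + exporter_output


def sign(key: bytes, context_label: bytes, scheme: int, exporter_output: bytes) -> bytes:
    msg = tls13_signature_content(context_label, bind_scheme(scheme, exporter_output))
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key: bytes, context_label: bytes, scheme: int,
           exporter_output: bytes, sig: bytes) -> bool:
    expected = sign(key, context_label, scheme, exporter_output)
    return hmac.compare_digest(expected, sig)


# Constructed sample values; not real TLS exporter output or keys.
KEY = b"constructed-demo-key"
EXPORTER = bytes.fromhex("00112233445566778899aabbccddeeff")
ED25519 = 0x0807  # TLS SignatureScheme code point for ed25519
ED448 = 0x0808    # TLS SignatureScheme code point for ed448
LABEL = b"HYPOTHETICAL unprompted-auth context"  # placeholder context string


def demo() -> dict:
    sig = sign(KEY, LABEL, ED25519, EXPORTER)
    # Same key and exporter bytes, but a different context label or scheme
    # code point must not verify: the signature cannot be replayed across
    # protocols or reinterpreted under another algorithm.
    return {
        "ok": verify(KEY, LABEL, ED25519, EXPORTER, sig),
        "other_context": verify(KEY, b"TLS 1.3, server CertificateVerify", ED25519, EXPORTER, sig),
        "other_scheme": verify(KEY, LABEL, ED448, EXPORTER, sig),
    }


if __name__ == "__main__":
    print(demo())
```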
Received on Thursday, 13 October 2022 20:06:43 UTC
