HTTP Authentication with SASL

Hello HTTP WG,

We presented work on HTTP-SASL before, and would like to discuss
it at IETF 115 in London, or take other sufficient steps to allocate
the security mechanism name.  Please note this takes IETF action.

We implemented this work in Apache (two versions) and received an
external contribution for Nginx.  We have it working in Firefox as
an extension.  For those relying on Kerberos5, the web only offers
SPNEGO, which is considered weak, and HTTP-SASL may replace that.
There is excellent potential for automation in HTTP clients, where
the norm is now Basic authentication.

We have had two developers of authentication mechanisms turn to
us, and find to their relief that SASL, which works for most
protocols, can also be used for HTTP.  In other words, we enabled
them to innovate their cryptographic work (and negotiate the
mechanism as part of the customary SASL exchange).

Others who hear about this work (and care about technical mechanisms
for authentication) tend to warmly welcome this approach.  We were
asked before to look for interested parties, and found it.  On top of
that, we rely on it.

Please let us know if you have any comments.  Its design was made
in line with the HTTP Authentication framework, of course, and is
supportive of stateless servers thanks to the "s2s" attribute.


Hope to see you in London,

Rick van Rein
InternetWide.org


    ------    ------    ------    ------    ------    ------    ------

A new version of I-D, draft-vanrein-httpauth-sasl-07.txt
has been successfully submitted by Rick van Rein and posted to the
IETF repository.

Name:           draft-vanrein-httpauth-sasl
Revision:       07
Title:          HTTP Authentication with SASL
Document date:  2022-10-14
Group:          Individual Submission
Pages:          14
URL:            https://www.ietf.org/archive/id/draft-vanrein-httpauth-sasl-07.txt
Status:         https://datatracker.ietf.org/doc/draft-vanrein-httpauth-sasl/
Htmlized:       https://datatracker.ietf.org/doc/html/draft-vanrein-httpauth-sasl
Diff:           https://www.ietf.org/rfcdiff?url2=draft-vanrein-httpauth-sasl-07

Abstract:
   Most application-level protocols standardise their authentication
   exchanges under the SASL framework.  HTTP has taken another course,
   and often ends up replicating the work to allow individual
   mechanisms.  This specification adopts full SASL authentication into
   HTTP.

Received on Friday, 14 October 2022 15:46:22 UTC