Re: HTTP Unprompted Authentication

Thanks, the link got mangled.  I meant
https://datatracker.ietf.org/doc/draft-schwartz-modern-http-proxies/

On Tue, Oct 18, 2022 at 12:16 PM Ryan Hamilton <rch@google.com> wrote:

> I think [1] should perhaps be
> https://www.ietf.org/id/draft-schwartz-modern-http-proxies-00.html?
>
> On Tue, Oct 18, 2022 at 9:14 AM Ben Schwartz <bemasc@google.com> wrote:
>
>> I support the goals of the Unprompted Authentication draft.  In fact, I'm
>> so supportive that I recently posted a draft that happens to solve an
>> overlapping problem in a very different way: "Modernizing HTTP Forward
>> Proxy Functionality" [1].
>>
>> To step back: confidential HTTP _resources_ are arguably a solved
>> problem.  We can simply place the resource at an unguessable path (e.g.
>> "capability URLs" [2]).  The problem mentioned by this draft occurs when
>> the HTTP service is origin-scoped (e.g. it is not a resource).  The only
>> non-resource HTTP service that I'm aware of is forward proxy
>> functionality.  Thus, one way to improve confidentiality of proxies is to
>> make them path-scoped, and this is what the "Modernizing" draft does.
>>
>> These proposals are not mutually exclusive.  Path-scoped proxies have
>> other benefits, and unprompted authentication could be useful for other
>> services with inflexible paths (e.g. .well-known/ resources).  However,
>> given the overlapping use cases, these drafts should probably be discussed
>> together.
>>
>> --Ben
>>
>> [1]
>> https://datatracker.ietf.org/doc/draft-schwartz-modern-http-proxies/Modernizing
>> HTTP Forward Proxy Functionality
>> [2] https://www.w3.org/TR/capability-urls/
>>
>

Received on Tuesday, 18 October 2022 16:18:23 UTC