Hello HTTP enthusiasts,

The authors of draft-ietf-httpbis-unprompted-auth collected all the
feedback we received during and since IETF 116, and wrote a new revision
that attempts to address all of it. The major changes from -02 are:

* Instead of defining a new "Unprompted-Authentication" header, we use
Authorization/Proxy-Authorization and instead create a new "Signature" HTTP
auth scheme (we dropped the HMAC option)
* We added the origin, realm, key ID and signature algorithm to the key
exporter context
* We send a portion of exporter output in addition to the signature
* We added a prefix to the signature input to mitigate key reuse issues
(even though reuse is banned)

The updated draft is at:
https://datatracker.ietf.org/doc/draft-ietf-httpbis-unprompted-auth/

We'd love to hear your feedback.

Chairs, we'd like to request agenda time at 117 to go over these latest
changes and discuss any comments/feedback/GitHub issues that might come our
way before then.

Thanks,
David