Re: draft-ietf-httpbis-unprompted-auth-03

Hi David + authors,

I haven't been tracking the work progress closely; my impressions from
reading 03 are that I really like the (re)use of HTTP's Authorization
framework. This makes it easier to compare with other schemes and, I hope,
makes it easier to rationalize about behaviours. Thanks for doing this
change.

Cheers,
Lucas

On Wed, Jun 28, 2023 at 9:30 PM David Schinazi <dschinazi.ietf@gmail.com>
wrote:

> Hello HTTP enthusiasts,
>
> The authors of draft-ietf-httpbis-unprompted-auth collected all the
> feedback we received during and since IETF 116, and wrote a new revision
> that attempts to address all of it. The major changes from -02 are:
>
> * Instead of defining a new "Unprompted-Authentication" header, we use
> Authorization/Proxy-Authorization and instead create a new "Signature" HTTP
> auth scheme (we dropped the HMAC option)
> * We added the origin, realm, key ID and signature algorithm to the key
> exporter context
> * We send a portion of exporter output in addition to the signature
> * We added a prefix to the signature input to mitigate key reuse issues
> (even though reuse is banned)
>
> The updated draft is at:
> https://datatracker.ietf.org/doc/draft-ietf-httpbis-unprompted-auth/
>
> We'd love to hear your feedback.
>
> Chairs, we'd like to request agenda time at 117 to go over these latest
> changes and discuss any comments/feedback/GitHub issues that might come our
> way before then.
>
> Thanks,
> David
>

Received on Wednesday, 28 June 2023 22:20:28 UTC