- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Tue, 7 Feb 2023 22:24:39 +0000
- To: David Schinazi <dschinazi.ietf@gmail.com>, Christopher Wood <caw@heapingbits.net>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, Tommy Pauly <tpauly@apple.com>
- Message-ID: <047c7a54-32e1-9582-9f1d-af481eba37de@cs.tcd.ie>
To tidy up: now that john.doe's less threatened again I support
adoption:-)

I also like the sound of one of Chris's suggestions [1] to make
k= less identifying so hope the WG explore that kind of design
as we go.

Cheers,
S.

[1] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/18

On 07/02/2023 22:02, David Schinazi wrote:
> Thank everyone for the review!
>
> I totally agree that the u= parameter was not intended as a super-cookie
> but instead as a key identifier (i.e. what key should the server use to
> check the HMAC or signature?). Chris's proposal to rename it from u= to k=
> sounds good to me, and also adding text to warn against tracking vectors
> sounds warranted. I've filed [1] to track this.
>
> I'll jump into potential solutions to these GitHub issues once the adoption
> call is complete.
>
> Thanks,
> David
>
> [1] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/23
>
> On Tue, Feb 7, 2023 at 12:44 PM Christopher Wood <caw@heapingbits.net>
> wrote:
>
>> I'm supportive of adopting this draft on the basis of the desired use
>> cases. They may be rather niche -- and should likely be added to the draft
>> [0] -- but I understand them to have value.
>>
>> I do have some questions about the technical contents, which I've filed
>> issues to track [1,2,3,4,5]. I'm happy to help seek resolution of those on
>> GitHub.
>>
>> Are there any implementations of this mechanism yet? I would be happy to
>> help provide an implementation of the server piece for interop tests.
>>
>> Best,
>> Chris
>>
>> [0] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/22
>> [1] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/17
>> [2] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/18
>> [3] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/19
>> [4] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/20
>> [5] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/21
>>
>>> On Feb 7, 2023, at 12:58 AM, Mark Nottingham <mnot@mnot.net> wrote:
>>>
>>> Hello everyone,
>>>
>>> We first discussed this draft at IETF114[1], saw implementation
>>> interest at IETF115, [2] and finally had some more list discussion.
>>>
>>> This is a Call for Adoption for:
>>>
>>> https://www.ietf.org/archive/id/draft-schinazi-httpbis-unprompted-auth-01.html
>>>
>>> Please indicate (in response to this message) whether you support
>>> adoption, and whether you intend to implement.
>>>
>>> The CfA will last for two weeks.
>>>
>>> Cheers,
>>>
>>>
>>> 1. https://httpwg.org/wg-materials/ietf114/minutes.html#transport-auth-david-schinazi
>>> 1. https://httpwg.org/wg-materials/ietf115/minutes.html#unprompted-auth
>>>
>>> --
>>> Mark Nottingham https://www.mnot.net/
Attachments
- application/pgp-keys attachment: OpenPGP public key
Received on Tuesday, 7 February 2023 22:25:01 UTC