Re: Éric Vyncke's No Objection on draft-ietf-httpbis-unprompted-auth-11: (with COMMENT) from David Schinazi on 2024-09-17 (ietf-http-wg@w3.org from July to September 2024)

From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Tue, 17 Sep 2024 10:20:52 -0700
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-httpbis-unprompted-auth@ietf.org" <draft-ietf-httpbis-unprompted-auth@ietf.org>, "httpbis-chairs@ietf.org" <httpbis-chairs@ietf.org>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, "tpauly@apple.com" <tpauly@apple.com>
Message-ID: <CAPDSy+5r0hXw9QXHsHZB=4r7++Q+umacDPM2-kprOt_BpP2WKQ@mail.gmail.com>

Hi Eric,

The security properties of the mechanism rely on TLS being secure.
This is mentioned in Section 7 along with minimum TLS version requirements.

Thanks,
David

On Tue, Sep 17, 2024 at 9:24 AM Eric Vyncke (evyncke) <evyncke@cisco.com>
wrote:

> Thank you, David, for the feedback and the explanations.
>
>
>
> I must admit that I have failed to understand how the system work (and
> especially how it cannot be replayed except if the underlying TLS is
> assumed secure).
>
>
>
> -éric
>
>
>
> *From: *David Schinazi <dschinazi.ietf@gmail.com>
> *Date: *Tuesday, 17 September 2024 at 18:16
> *To: *Eric Vyncke (evyncke) <evyncke@cisco.com>
> *Cc: *The IESG <iesg@ietf.org>,
> draft-ietf-httpbis-unprompted-auth@ietf.org <
> draft-ietf-httpbis-unprompted-auth@ietf.org>, httpbis-chairs@ietf.org <
> httpbis-chairs@ietf.org>, ietf-http-wg@w3.org <ietf-http-wg@w3.org>,
> tpauly@apple.com <tpauly@apple.com>
> *Subject: *Re: Éric Vyncke's No Objection on
> draft-ietf-httpbis-unprompted-auth-11: (with COMMENT)
>
> Hi Éric, and thanks for your review.
>
> I've landed this commit in response to your comments:
>
>
> https://github.com/httpwg/http-extensions/commit/6965ae390a3ec2554482fe171c6ab96bb37ab5ea
>
> More detailed responses inline below.
>
> David
>
>
>
> On Tue, Sep 17, 2024 at 3:13 AM Éric Vyncke via Datatracker <
> noreply@ietf.org> wrote:
>
> Éric Vyncke has entered the following ballot position for
> draft-ietf-httpbis-unprompted-auth-11: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to
> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-httpbis-unprompted-auth/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
>
> # Éric Vyncke, INT AD, comments for draft-ietf-httpbis-unprompted-auth-11
>
> Thank you for the work put into this document.
>
> Please find below some non-blocking COMMENT points (but replies would be
> appreciated even if only for my own education).
>
> Special thanks to Tommy Pauly for the shepherd's detailed write-up
> including
> the WG consensus and the justification of the intended status.
>
> I hope that this review helps to improve the document,
>
> Regards,
>
> -éric
>
> # COMMENTS (non-blocking)
>
> I learned a new English word "probeable", which I misread as "probable"
> several
> times :-) "Unprompted" was clearer IMHO but this is cosmetic.
>
>
>
> I agree with you, in part because my laptop keeps wanting to autocorrect
>
> "probeable" to "probable" :-). I wasn't able to find a better word, since
>
> "unprompted" is not an alternative here. I'm open to suggestions.
>
>
>
> ## Section 1
>
> A time diagram of all exchanges will be welcome by the readers, e.g.,
> setting
> up the TLS session, client sending its key context, (exchange between
> frontend
> and backend), then (if I understand correctly) the actual authentication
> taking
> place with a nonce, then actual data transfer.
>
>
>
> There's pretty much only one exchange which is:
>
> client ----Authorization----> server.
>
> The second one we can add is that when frontend and backend are split
>
> (which is rare) then it's:
>
> client ----Authorization----> frontend
> -----Authorization+context---->backend.
>
> Not sure if that diagram would help much though.
>
>
>
> ## Section 3.1
>
> Suggest to add a reference to the syntax used in Figure 1.
>
>
>
> Agree, I added one.
>
>
>
> s/s Parameter/"s" Parameter/ ? and similar for "k", ... Noting that this
> notation is used in section 4.
>
>
>
> The HTTP style guide [1] recommends using double quotes when defining
> header
>
> fields (and by extension, parameters) and not using double quotes when
> referring
>
> to them. We followed that in this document, so we use double quotes in
>
> section 4, on no quotes in other sections.
>
>
>
> [1] https://httpwg.org/admin/editors/style-guide#header-and-trailer-fields
>
>
>
> ## Why not mTLS ?
>
> Should there be a comparaison with mutually authenticated TLS ? I
> understand
> that mTLS and this I-D work at different layers but mTLS could also be
> used for
> similar purposes.
>
>
>
> mTLS is visible from network operators, and it is probeable by clients, so
> it
>
> doesn't fit the requirements. We could mention this, but that also applies
> to
>
> many other authentication systems, so I'd rather not list every single one
> here.
>

Received on Tuesday, 17 September 2024 17:21:08 UTC