From e9b5c52633ae1ce3097d8de3bd34bdbdccb449d5 Mon Sep 17 00:00:00 2001 From: David Schinazi Date: Mon, 18 Mar 2024 14:07:37 +1000 Subject: [PATCH 1/2] Signature Auth: add Signature-Auth-Context header --- draft-ietf-httpbis-unprompted-auth.md | 42 +++++++++++++++++++++++++-- 1 file changed, 40 insertions(+), 2 deletions(-) diff --git a/draft-ietf-httpbis-unprompted-auth.md b/draft-ietf-httpbis-unprompted-auth.md index 63a55320d..92dc8f8bd 100644 --- a/draft-ietf-httpbis-unprompted-auth.md +++ b/draft-ietf-httpbis-unprompted-auth.md @@ -453,8 +453,19 @@ HTTP intermediaries that support this specification have two options: {{output}}}), and forward it to the upstream HTTP server, then the upstream server performs the validation. -The mechanism for the intermediary to communicate this information to the -upstream HTTP server is out of scope for this document. +This document defines the "Signature-Auth-Context" request header field for +this latter purpose. The Signature-Auth-Context header field's value is a +Structured Field Byte Sequence (see {{Section 3.3.5 of +!STRUCTURED-FIELDS=RFC8941}}) that contains the 48-byte key exporter output +(see {{output}}), without any parameters. For example: + +~~~ http-message +NOTE: '\' line wrapping per RFC 8792 + +Signature-Auth-Context: :VGhpcyBleGFtcGxlIFRMUyBleHBvcn\ + RlciBvdXRwdXQgaXMgNDggYnl0ZXMgI/+h: +~~~ +{: #fig-int-hdr-example title="Example Signature-Auth-Context Header Field"} Note that both of these mechanisms require the upstream HTTP server to trust the intermediary. This is usually the case because the intermediary already @@ -535,6 +546,33 @@ Reference: : This document {: spacing="compact"} +## HTTP Field Name + +This document, if approved, requests IANA to register the following entry in +the "Hypertext Transfer Protocol (HTTP) Field Name" registry maintained at +<[](https://www.iana.org/assignments/http-fields/http-fields.xhtml)>: + +Field Name: + +: Signature-Auth-Context + +Template: + +: None + +Status: + +: permanent + +Reference: + +: This document + +Comments: + +: None +{: spacing="compact"} + --- back # Acknowledgments {#acknowledgments} From 50b46d63e3e69d88e661f20226e0e90169ead229 Mon Sep 17 00:00:00 2001 From: David Schinazi Date: Fri, 24 May 2024 11:56:47 -0700 Subject: [PATCH 2/2] Unprompted: Add normative requirement for Signature-Auth-Context --- draft-ietf-httpbis-unprompted-auth.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/draft-ietf-httpbis-unprompted-auth.md b/draft-ietf-httpbis-unprompted-auth.md index 92dc8f8bd..96960bdc1 100644 --- a/draft-ietf-httpbis-unprompted-auth.md +++ b/draft-ietf-httpbis-unprompted-auth.md @@ -470,6 +470,8 @@ Signature-Auth-Context: :VGhpcyBleGFtcGxlIFRMUyBleHBvcn\ Note that both of these mechanisms require the upstream HTTP server to trust the intermediary. This is usually the case because the intermediary already needs access to the TLS certificate private key in order to respond to requests. +HTTP servers that parse the Signature-Auth-Context header field MUST ignore it +unless they have already established that they trust the sender. # Security Considerations {#security}