On Sun, May 7, 2017 at 2:46 PM, Patrick McManus <[email protected]> wrote:
> This is probably particular to TLS, as the windows auth stuff does apply > more like http basic auth (it returns 401 to bootstrap things, rather than > making a challenge at the session layer with a request in flight) > > wrt tls client auth I would think if the outstanding requests is marked > anonymous we should not allow authentication to proceed if the server sends > a helloRequest (and I have no idea whether we apply that check now or not - > that code hasn't changed in forever) just because that's a nonsenica > combinationl, right? Again, seems like we can handle that as an > implementation issue without drawing a bright line for 99% of the world > that doesn't do connection based client auth and creating a burden on > webdevs to get this junk right in markup. > I think you'd have to handle this by actually tearing down the connection and re-initiating on another one. That said, I'm also worried that there are misguided servers which bind HTTP-level authentication to the TLS connection. Those servers are going to have a bad day if we coalesce... Do we know that there aren't any? -Ekr > On Sun, May 7, 2017 at 5:34 PM, Eric Rescorla <[email protected]> wrote: > >> >> >> On Sun, May 7, 2017 at 2:06 PM, Patrick McManus <[email protected]> >> wrote: >> >>> >>> On Sun, May 7, 2017 at 4:44 PM, Eric Rescorla <[email protected]> wrote: >>> >>>> >>>> Hmm... What about when you have post-handshake auth that retroactively >>>> blesses requests that should have been anonymous? >>>> >>> >>> >>> TLS client auth doesn't retroactively apply. >>> >> >> Not sure I agree here. One of the standard idioms is that the server >> receivesn >> a a sensitive request, then sends HelloRequest, and then when the >> handshake >> completes, delivers the response.I would call that retroactive >> >> -Ekr >> >> >> >> >>> so yeah, when I said every request on that conn I should have said every >>> request on that conn while it is authenticated (and it can change and >>> whatnot, not trying to write a taxonomy here.). windows auth has a similar >>> property that it starts with an unauthenticated connection and a http >>> response at any point could choose to start the authentication dance - but >>> it doesn't apply backwards. You can see why the mulitplexing of h2 booted >>> all this stuff off the island. >>> >>> >>> >> > _______________________________________________ dev-tech-network mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-network
