HTTP Transport AuthenticationGoogle LLC1600 Amphitheatre ParkwayMountain View, California 94043United States of Americadschinazi.ietf@gmail.comInternet-DraftThe most common existing authentication mechanisms for HTTP are sent with each
HTTP request, and authenticate that request instead of the underlying HTTP
connection, or transport. While these mechanisms work well for existing uses
of HTTP, they are not suitable for emerging applications that multiplex
non-HTTP traffic inside an HTTP connection. This document describes the HTTP
Transport Authentication Framework, a method of authenticating not only an
HTTP request, but also its underlying transport.The most common existing authentication mechanisms for HTTP are sent with each
HTTP request, and authenticate that request instead of the underlying HTTP
connection, or transport. While these mechanisms work well for existing uses
of HTTP, they are not suitable for emerging applications that multiplex
non-HTTP traffic inside an HTTP connection. This document describes the HTTP
Transport Authentication Framework, a method of authenticating not only an
HTTP request, but also its underlying transport.Traditional HTTP semantics specify that HTTP is a stateless protocol where
each request can be understood in isolation . However, the
emergence of QUIC as a new transport protocol
that can carry HTTP and the existence of QUIC
extensions such as the DATAGRAM frame enable new
uses of HTTP such as and
where some traffic is exchanged that is disctinct
from HTTP requests and responses. In order to authenticate this traffic, it
is necessary to authenticate the underlying transport (e.g., QUIC or
TLS ) instead of authenticate each request individually. This
mechanism aims to supplement the HTTP Authentication Framework ,
not replace it.Note that there is currently no mechanism for origin servers to request
that user agents authenticate themselves using Transport Authentication,
this is left as future work.The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”,
“SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL” in this
document are to be interpreted as described in BCP 14
when, and only when, they appear in all capitals, as shown here.This document uses the Augmented BNF defined in and updated by
along with the “#rule” extension defined in Section 7 of
. The rules below are defined in , ,
, and :This document only defines Transport Authentication for uses of HTTP with TLS.
This includes any use of HTTP over TLS as typically used for HTTP/2, or
HTTP/3 where the transport protocol uses TLS as its authentication and key
exchange mechanism .The user agent leverages a TLS keying material exporter to
generate a nonce which can be signed using the user-id’s key. The keying
material exporter uses a label that starts with the characters
“EXPORTER-HTTP-Transport-Authentication-“ (see for the labels
and contexts used by each scheme). The TLS keying material exporter is
used to generate a 32-byte key which is then used as a nonce.The “Transport-Authentication” header allows a user agent to authenticate
its transport connection with an origin server.The OPTIONAL “u” (user-id) directive specifies the user-id that the user
agent wishes to authenticate. It is encoded using
Base64 (Section 4 of ).The OPTIONAL “p” (proof) directive specifies the proof that the user agent
provides to attest to possessing the credential that matches its user-id.
It is encoded using Base64 (Section 4 of ).The OPTIONAL “a” (algorithm) directive specifies the algorithm used to compute
the proof transmitted in the “p” directive.The Transport Authentication Framework allows defining Transport
Authentication Schemes, which specify how to authenticate user-ids. This
documents defined the “Signature” and “HMAC” schemes.The “Signature” Transport Authentication Scheme uses asymmetric cyptography.
User agents possess a user-id and a public/private key pair, and origin
servers maintain a mapping of authorized user-ids to their associated public
keys. When using this scheme, the “u”, “p”, and “a” directives are REQUIRED.
The TLS keying material export label for this scheme is
“EXPORTER-HTTP-Transport-Authentication-Signature” and the associated
context is empty. The nonce is then signed using the selected asymmetric
signature algorithm and transmitted as the proof directive.For example, the user-id “john.doe” authenticating using Ed25519
could produce the following header (lines are folded to fit):The “HMAC” Transport Authentication Scheme uses symmetric cyptography.
User agents possess a user-id and a secret key, and origin servers maintain a
mapping of authorized user-ids to their associated secret key. When using this
scheme, the “u”, “p”, and “a” directives are REQUIRED.
The TLS keying material export label for this scheme is
“EXPORTER-HTTP-Transport-Authentication-HMAC” and the associated
context is empty. The nonce is then HMACed using the selected HMAC algorithm
and transmitted as the proof directive.For example, the user-id “john.doe” authenticating using
HMAC-SHA-512 could produce the following
header (lines are folded to fit):Since Transport Authentication authenticates the underlying transport by
leveraging TLS keying material exporters, it cannot be transparently
forwarded by proxies that terminate TLS. However it can be sent over
proxied connections when TLS is performed end-to-end (e.g., when using
HTTP CONNECT proxies).Transport Authentication allows a user-agent to authenticate to an origin
server while guaranteeing freshness and without the need for the server
to transmit a nonce to the user agent. This allows the server to accept
authenticated clients without revealing that it supports or expects
authentication for some resources. It also allows authentication without
the user agent leaking the presence of authentication to observers due to
clear-text TLS Client Hello extensions.This document, if approved, requests IANA to register the
“Transport-Authentication” header in the “Permanent Message Header Field Names”
registry maintained at
https://www.iana.org/assignments/message-headers/.This document, if approved, requests IANA to create a new HTTP Transport
Authentication Schemes Registry with the following entries:This document, if approved, requests IANA to register the following entries in
the “TLS Exporter Labels” registry maintained at
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labelsBoth of these entries are listed with the following qualifiers:Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and RoutingThe Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document provides an overview of HTTP architecture and its associated terminology, defines the "http" and "https" Uniform Resource Identifier (URI) schemes, defines the HTTP/1.1 message syntax and parsing requirements, and describes related security concerns for implementations.The Transport Layer Security (TLS) Protocol Version 1.3This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.Hypertext Transfer Protocol (HTTP/1.1): AuthenticationThe Hypertext Transfer Protocol (HTTP) is a stateless application- level protocol for distributed, collaborative, hypermedia information systems. This document defines the HTTP Authentication framework.Key words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.Augmented BNF for Syntax Specifications: ABNFInternet technical specifications often need to define a formal syntax. Over the years, a modified version of Backus-Naur Form (BNF), called Augmented BNF (ABNF), has been popular among many Internet specifications. The current specification documents ABNF. It balances compactness and simplicity with reasonable representational power. The differences between standard BNF and ABNF involve naming rules, repetition, alternatives, order-independence, and value ranges. This specification also supplies additional rule definitions and encoding for a core lexical analyzer of the type common to several Internet specifications. [STANDARDS-TRACK]Case-Sensitive String Support in ABNFThis document extends the base definition of ABNF (Augmented Backus-Naur Form) to include a way to specify US-ASCII string literals that are matched in a case-sensitive manner.A URN Namespace of Object IdentifiersThis document describes a Uniform Resource Name (URN) namespace that contains Object Identifiers (OIDs). This memo provides information for the Internet community.Keying Material Exporters for Transport Layer Security (TLS)A number of protocols wish to leverage Transport Layer Security (TLS) to perform key establishment but then use some of the keying material for their own purposes. This document describes a general mechanism for allowing that. [STANDARDS-TRACK]The Base16, Base32, and Base64 Data EncodingsThis document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK]QUIC: A UDP-Based Multiplexed and Secure TransportThis document defines the core of the QUIC transport protocol. Accompanying documents describe QUIC's loss detection and congestion control and the use of TLS for key negotiation. Note to Readers Discussion of this draft takes place on the QUIC working group mailing list (quic@ietf.org), which is archived at <https://mailarchive.ietf.org/arch/search/?email_list=quic>. Working Group information can be found at <https://github.com/ quicwg>; source code and issues list for this draft can be found at <https://github.com/quicwg/base-drafts/labels/-transport>.Hypertext Transfer Protocol Version 3 (HTTP/3)The QUIC transport protocol has several features that are desirable in a transport for HTTP, such as stream multiplexing, per-stream flow control, and low-latency connection establishment. This document describes a mapping of HTTP semantics over QUIC. This document also identifies HTTP/2 features that are subsumed by QUIC, and describes how HTTP/2 extensions can be ported to HTTP/3.An Unreliable Datagram Extension to QUICThis document defines an extension to the QUIC transport protocol to add support for sending and receiving unreliable datagrams over a QUIC connection.WebTransport over HTTP/3WebTransport [OVERVIEW] is a protocol framework that enables clients constrained by the Web security model to communicate with a remote server using a secure multiplexed transport. This document describes Http3Transport, a WebTransport protocol that is based on HTTP/3 [HTTP3] and provides support for unidirectional streams, bidirectional streams and datagrams, all multiplexed within the same HTTP/3 connection.The MASQUE ProtocolThis document describes MASQUE (Multiplexed Application Substrate over QUIC Encryption). MASQUE is a mechanism that allows co-locating and obfuscating networking applications behind an HTTPS web server. The currently prevalent use-case is to allow running a VPN server that is indistinguishable from an HTTPS server to any unauthenticated observer. We do not expect major providers and CDNs to deploy this behind their main TLS certificate, as they are not willing to take the risk of getting blocked, as shown when domain fronting was blocked. An expected use would be for individuals to enable this behind their personal websites via easy to configure open-source software. This document is a straw-man proposal. It does not contain enough details to implement the protocol, and is currently intended to spark discussions on the approach it is taking. As we have not yet found a home for this work, discussion is encouraged to happen on the GitHub repository which contains the draft: https://github.com/DavidSchinazi/masque-drafts [1].Using TLS to Secure QUICThis document describes how Transport Layer Security (TLS) is used to secure QUIC. Note to Readers Discussion of this draft takes place on the QUIC working group mailing list (quic@ietf.org), which is archived at https://mailarchive.ietf.org/arch/search/?email_list=quic [1]. Working Group information can be found at https://github.com/quicwg [2]; source code and issues list for this draft can be found at https://github.com/quicwg/base-drafts/labels/-tls [3].Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key InfrastructureThis document specifies algorithm identifiers and ASN.1 encoding formats for elliptic curve constructs using the curve25519 and curve448 curves. The signature algorithms covered are Ed25519 and Ed448. The key agreement algorithms covered are X25519 and X448. The encoding for public key, private key, and Edwards-curve Digital Signature Algorithm (EdDSA) structures is provided.US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)Federal Information Processing Standard, FIPSSignature Authentication in the Internet Key Exchange Version 2 (IKEv2)The Internet Key Exchange Version 2 (IKEv2) protocol has limited support for the Elliptic Curve Digital Signature Algorithm (ECDSA). The current version only includes support for three Elliptic Curve groups, and there is a fixed hash algorithm tied to each group. This document generalizes IKEv2 signature support to allow any signature method supported by PKIX and also adds signature hash algorithm negotiation. This is a generic mechanism and is not limited to ECDSA; it can also be used with other signature algorithms.The authors would like to thank many members of the IETF community, as this
document is the fruit of many hallway conversations. Using the OID for the
signature and HMAC algorithms was inspired by Signature Authentication in
IKEv2 .