<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.39 (Ruby 2.6.4) -->
<?rfc-ext html-pretty-print="prettyprint https://cdn.rawgit.com/google/code-prettify/master/loader/run_prettify.js"?>
<rfc xmlns:x="http://purl.org/net/xml2rfc/ext"
      category="std"
      consensus="true"
      docName="draft-ietf-httpbis-unprompted-auth-01"
      ipr="trust200902"
      sortRefs="true"
      submissionType="IETF"
      symRefs="true"
      tocInclude="true">
   <x:feedback template="mailto:ietf-http-wg@w3.org?subject={docname},%20%22{section}%22\&amp;amp;body=%3c{ref}%3e:"/>
   <front>
      <title>HTTP Unprompted Authentication</title>
      <author fullname="David Schinazi" initials="D." surname="Schinazi">
         <organization>Google LLC</organization>
         <address>
            <postal>
               <street>1600 Amphitheatre Parkway</street>
               <city>Mountain View</city>
               <region>CA</region>
               <code>94043</code>
               <country>United States of America</country>
            </postal>
            <email>dschinazi.ietf@gmail.com</email>
         </address>
      </author>
      <author fullname="David M. Oliver" initials="D." surname="Oliver">
         <organization>Guardian Project</organization>
         <address>
            <email>david@guardianproject.info</email>
            <uri>https://guardianproject.info</uri>
         </address>
      </author>
      <author fullname="Jonathan Hoyland" initials="J." surname="Hoyland">
         <organization>Cloudflare Inc.</organization>
         <address>
            <email>jonathan.hoyland@gmail.com</email>
         </address>
      </author>
      <date day="4" month="February" year="2023"/>
      <area>Applications and Real-Time</area>
      <workgroup>HTTPBIS</workgroup>
      <keyword>secure</keyword>
      <keyword>tunnels</keyword>
      <keyword>masque</keyword>
      <keyword>http-ng</keyword>
      <abstract><?line 56?>
         <t>Existing HTTP authentication mechanisms are probeable in the sense that it is possible for an unauthenticated client to probe whether an origin serves resources that require authentication. It is possible for an origin to hide the fact that it requires authentication by not generating Unauthorized status codes, however that only works with non-cryptographic authentication schemes: cryptographic schemes (such as signatures or message authentication codes) require a fresh nonce to be signed, and there is no existing way for the origin to share such a nonce without exposing the fact that it serves resources that require authentication. This document proposes a new non-probeable cryptographic authentication scheme.</t>
      </abstract>
      <note removeInRFC="true" title="About This Document">
         <t>Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-httpbis-unprompted-auth/"/>.</t>
         <t>Discussion of this document takes place on the HTTP Working Group mailing list (<eref target="mailto:ietf-http-wg@w3.org"/>), which is archived at <eref target="https://lists.w3.org/Archives/Public/ietf-http-wg/"/>. Working Group information can be found at <eref target="https://httpwg.org/"/>.</t>
         <t>Source for this draft and an issue tracker can be found at <eref target="https://github.com/httpwg/http-extensions/labels/unprompted-auth"/>.</t>
      </note>
   </front>
   <middle><?line 69?>
      <section anchor="introduction">
         <name>Introduction</name>
         <t>Existing HTTP authentication mechanisms (see <xref section="11" sectionFormat="of" target="HTTP"/>) are probeable in the sense that it is possible for an unauthenticated client to probe whether an origin serves resources that require authentication. It is possible for an origin to hide the fact that it requires authentication by not generating Unauthorized status codes, however that only works with non-cryptographic authentication schemes: cryptographic schemes (such as signatures or message authentication codes) require a fresh nonce to be signed, and there is no existing way for the origin to share such a nonce without exposing the fact that it serves resources that require authentication. This document proposes a new non-probeable cryptographic authentication scheme.</t>
         <t>Unprompted Authentication serves use cases in which a site wants to offer a service or capability only to "those who know" while all others are given no indication the service or capability exists. The conceptual model is that of a "speakeasy". "Knowing" is via an externally-defined mechanism by which keys are distributed. For example, a company might offer remote employee access to company services directly via its website using their employee credentials, or offer access to limited special capabilities for specific employees, while making discovering (probing for) such capabilities difficult. Members of less well-defined communities might use more ephemeral keys to acquire access to geography- or capability-specific resources, as issued by an entity whose user base is larger than the available resources can support (by having that entity metering the availability of keys temporally or geographically). Unprompted Authentication is also useful for cases where a service provider wants to distribute user-provisioning information for its resources without exposing the provisioning location to non-users.</t>
         <t>There are scenarios where servers may want to expose the fact that authentication is required for access to specific resources. This is left for future work.</t>
         <section anchor="conventions">
            <name>Conventions and Definitions</name>
            <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/>
               <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t>
            <?line -18?>
            <t>This document uses the following terminology from <xref section="3" sectionFormat="of" target="STRUCTURED-FIELDS"/> to specify syntax and parsing: Integer and Byte Sequence.</t>
         </section>
      </section>
      <section anchor="compute-proof">
         <name>Computing the Authentication Proof</name>
         <t>This document only defines the Signature and HMAC authentication schemes for uses of HTTP with TLS <xref target="TLS"/>. This includes any use of HTTP over TLS as typically used for HTTP/2 <xref target="H2"/>, or HTTP/3 <xref target="H3"/> where the transport protocol uses TLS as its authentication and key exchange mechanism <xref target="QUIC-TLS"/>.</t>
         <t>The user agent leverages a TLS keying material exporter <xref target="KEY-EXPORT"/> to generate a nonce which can be signed using the chosen key. The keying material exporter uses a label that starts with the characters "EXPORTER-HTTP-Unprompted-Authentication-" (see <xref target="schemes"/> for the labels and contexts used by each scheme). The TLS keying material exporter is used to generate a 32-byte key which is then used as a nonce.</t>
         <t>Because the TLS keying material exporter is only secure for authentication when it is uniquely bound to the TLS session <xref target="RFC7627"/>, the Signature and HMAC authentication schemes require either one of the following properties:</t>
         <t>
            <list style="symbols">
               <t>The TLS version in use is greater or equal to 1.3 <xref target="TLS"/>.</t>
               <t>The TLS version in use is greater or equal to 1.2 and the Extended Master Secret extension <xref target="RFC7627"/> has been negotiated.</t>
            </list>
         </t>
         <t>Clients <bcp14>MUST NOT</bcp14> use the Signature and HMAC authentication schemes on connections that do not meet one of the two properties above. If a server receives a request that uses these authentication schemes on a connection that meets neither of the above properties, the server <bcp14>MUST</bcp14> treat the request as malformed.</t>
      </section>
      <section anchor="header-definition">
         <name>Header Field Definition</name>
         <t>The "Unprompted-Authentication" header field allows a user agent to authenticate with an origin server. The authentication is scoped to the HTTP request associated with this header field. The value of the Unprompted-Authentication header field is a credentials object, as defined in <xref section="11.4" sectionFormat="of" target="HTTP"/>. Credentials contain an authentication scheme followed by optional authentication parameters.</t>
      </section>
      <section anchor="authentication-parameters">
         <name>Authentication Parameters</name>
         <t>This specification defines the following authentication parameters, they can be used by the authentication schemes defined in <xref target="schemes"/>.</t>
         <section anchor="parameter-k">
            <name>The k Parameter</name>
            <t>The <bcp14>OPTIONAL</bcp14> "k" (key ID) parameter is a byte sequence that identifies which key the user agent wishes to use to authenticate. This can for example be used to point to an entry into a server-side database of known keys.</t>
         </section>
         <section anchor="parameter-p">
            <name>The p Parameter</name>
            <t>The <bcp14>OPTIONAL</bcp14> "p" (proof) parameter is a byte sequence that specifies the proof that the user agent provides to attest to possessing the credential that matches its key ID.</t>
         </section>
         <section anchor="parameter-s">
            <name>The s Parameter</name>
            <t>The <bcp14>OPTIONAL</bcp14> "s" (signature) parameter is an integer that specifies the signature algorithm used to compute the proof transmitted in the "p" directive. Its value is an integer between 0 and 255 inclusive from the IANA "TLS SignatureAlgorithm" registry maintained at &lt;<eref target="https://www.iana.org/assignments/tls-parameters#tls-parameters-16"/>&gt;.</t>
         </section>
         <section anchor="parameter-h">
            <name>The h Parameter</name>
            <t>The <bcp14>OPTIONAL</bcp14> "h" (hash) parameter is an integer that specifies the hash algorithm used to compute the proof transmitted in the "p" directive. Its value is an integer between 0 and 255 inclusive from the IANA "TLS HashAlgorithm" registry maintained at &lt;<eref target="https://www.iana.org/assignments/tls-parameters#tls-parameters-18"/>&gt;.</t>
         </section>
      </section>
      <section anchor="schemes">
         <name>Authentication Schemes</name>
         <t>This document defines the "Signature" and "HMAC" HTTP authentication schemes.</t>
         <section anchor="signature">
            <name>Signature</name>
            <t>The "Signature" HTTP Authentication Scheme uses asymmetric cryptography. User agents possess a key ID and a public/private key pair, and origin servers maintain a mapping of authorized key IDs to their associated public keys. When using this scheme, the "k", "p", and "s" parameters are <bcp14>REQUIRED</bcp14>. The TLS keying material export label for this scheme is "EXPORTER-HTTP-Unprompted-Authentication-Signature" and the associated context is empty. The nonce is then signed using the selected asymmetric signature algorithm and transmitted as the proof directive.</t>
            <t>For example, the key ID "basement" authenticating using Ed25519 <xref target="ED25519"/> could produce the following header field (lines are folded to fit):</t>
            <figure>
               <artwork>
Unprompted-Authentication: Signature k=:YmFzZW1lbnQ=:;s=7;
p=:SW5zZXJ0IHNpZ25hdHVyZSBvZiBub25jZSBoZXJlIHdo
aWNoIHRha2VzIDUxMiBiaXRzIGZvciBFZDI1NTE5IQ==:
</artwork>
            </figure>
         </section>
         <section anchor="hmac">
            <name>HMAC</name>
            <t>The "HMAC" HTTP Authentication Scheme uses symmetric cryptography. User agents possess a key ID and a secret key, and origin servers maintain a mapping of authorized key IDs to their associated secret key. When using this scheme, the "k", "p", and "h" parameters are <bcp14>REQUIRED</bcp14>. The TLS keying material export label for this scheme is "EXPORTER-HTTP-Unprompted-Authentication-HMAC" and the associated context is empty. The nonce is then HMACed using the selected HMAC algorithm and transmitted as the proof directive.</t>
            <t>For example, the key ID "basement" authenticating using HMAC-SHA-512 <xref target="SHA"/> could produce the following header field (lines are folded to fit):</t>
            <figure>
               <artwork>
Unprompted-Authentication: HMAC k="YmFzZW1lbnQ=";h=6;
p="SW5zZXJ0IEhNQUMgb2Ygbm9uY2UgaGVyZSB3aGljaCB0YWtl
cyA1MTIgYml0cyBmb3IgU0hBLTUxMiEhISEhIQ=="
</artwork>
            </figure>
         </section>
         <section anchor="other-http-authentication-schemes">
            <name>Other HTTP Authentication Schemes</name>
            <t>The HTTP Authentication Scheme registry maintained by IANA at &lt;<eref target="https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml"/>&gt; contains entries not defined in this document. Those entries <bcp14>MAY</bcp14> be used with Unprompted Authentication.</t>
         </section>
      </section>
      <section anchor="server-handling">
         <name>Server Handling</name>
         <t>Servers that wish to introduce resources whose existence cannot be probed need to ensure that they do not reveal any information about those resources to unauthenticated clients. In particular, such servers <bcp14>MUST</bcp14> respond to authentication failures with the exact same response that they would have used for non-existent resources. For example, this can mean using HTTP status code 404 (Not Found) instead of 401 (Unauthorized). Such authentication failures can be caused for example by: * absence of the Unprompted-Authentication field * failure to parse the Unprompted-Authentication field * use of Unprompted Authentication with an unknown key ID * failure to validate the signature or MAC.</t>
         <t>Such servers <bcp14>MUST</bcp14> also ensure that the timing of their request handling does not leak any information. This can be accomplished by delaying responses to all non-existent resources such that the timing of the authentication verification is not observable.</t>
      </section>
      <section anchor="intermediary">
         <name>Intermediary Considerations</name>
         <t>Since the Signature and HMAC HTTP Authentication Schemes leverage TLS keying material exporters, their output cannot be transparently forwarded by HTTP intermediaries. HTTP intermediaries that support this specification have two options:</t>
         <t>
            <list style="symbols">
               <t>The intermediary can validate the authentication received from the client, then inform the upstream HTTP server of the presence of valid authentication.</t>
               <t>The intermediary can export the nonce (see <xref target="compute-proof"/>}), and forward it to the upstream HTTP server, then the upstream server performs the validation.</t>
            </list>
         </t>
         <t>The mechanism for the intermediary to communicate this information to the upstream HTTP server is out of scope for this document.</t>
      </section>
      <section anchor="security">
         <name>Security Considerations</name>
         <t>Unprompted Authentication allows a user agent to authenticate to an origin server while guaranteeing freshness and without the need for the server to transmit a nonce to the user agent. This allows the server to accept authenticated clients without revealing that it supports or expects authentication for some resources. It also allows authentication without the user agent leaking the presence of authentication to observers due to clear-text TLS Client Hello extensions.</t>
         <t>The authentication proofs described in this document are not bound to individual HTTP requests; if the key is used for authentication proofs on multiple requests they will all be identical. This allows for better compression when sending over the wire, but implies that client implementations that multiplex different security contexts over a single HTTP connection need to ensure that those contexts cannot read each other's header fields. Otherwise, one context would be able to replay the unprompted authentication header field of another. This constraint is met by modern Web browsers. If an attacker were to compromise the browser such that it could access another context's memory, the attacker might also be able to access the corresponding key, so binding authentication to requests would not provide much benefit in practice.</t>
         <t>Key material used for authentication in unprompted authentication, whether symmetric or asymmetric <bcp14>MUST NOT</bcp14> be reused in other protocols. Doing so can undermine the security guarantees of the authentication.</t>
         <t>Sites offering Unprompted Authentication are able to link requests that use the same key for the Authentication Schemes provided. However, requests are not linkable across other sites if the keys used are private to the individual sites using Unprompted Authentication.</t>
      </section>
      <section anchor="iana">
         <name>IANA Considerations</name>
         <section anchor="iana-header">
            <name>Unprompted-Authentication Header Field</name>
            <t>This document will request IANA to register the following entry in the "HTTP Field Name" registry maintained at &lt;<eref target="https://www.iana.org/assignments/http-fields"/>&gt;:</t>
            <dl spacing="compact">
               <dt>Field Name:</dt>
               <dd>
                  <t>Unprompted-Authentication</t>
               </dd>
               <dt>Template:</dt>
               <dd>
                  <t>None</t>
               </dd>
               <dt>Status:</dt>
               <dd>
                  <t>provisional (permanent if this document is approved)</t>
               </dd>
               <dt>Reference:</dt>
               <dd>
                  <t>This document</t>
               </dd>
               <dt>Comments:</dt>
               <dd>
                  <t>None</t>
               </dd>
            </dl>
         </section>
         <section anchor="iana-schemes">
            <name>HTTP Authentication Schemes Registry</name>
            <t>This document, if approved, requests IANA to add two new entries to the "HTTP Authentication Schemes" Registry maintained at &lt;<eref target="https://www.iana.org/assignments/http-authschemes"/>&gt;. Both entries have the Reference set to this document, and the Notes empty. The Authentication Scheme Name of the entries are:</t>
            <t>
               <list style="symbols">
                  <t>Signature</t>
                  <t>HMAC</t>
               </list>
            </t>
         </section>
         <section anchor="iana-exporter-label">
            <name>TLS Keying Material Exporter Labels</name>
            <t>This document, if approved, requests IANA to register the following entries in the "TLS Exporter Labels" registry maintained at &lt;<eref target="https://www.iana.org/assignments/tls-parameters#exporter-labels"/>&gt;:</t>
            <t>
               <list style="symbols">
                  <t>EXPORTER-HTTP-Unprompted-Authentication-Signature</t>
                  <t>EXPORTER-HTTP-Unprompted-Authentication-HMAC</t>
               </list>
            </t>
            <t>Both of these entries are listed with the following qualifiers:</t>
            <dl spacing="compact">
               <dt>DTLS-OK:</dt>
               <dd>
                  <t>N</t>
               </dd>
               <dt>Recommended:</dt>
               <dd>
                  <t>Y</t>
               </dd>
               <dt>Reference:</dt>
               <dd>
                  <t>This document</t>
               </dd>
            </dl>
         </section>
      </section>
   </middle>
   <back>
      <displayreference target="H2" to="HTTP/2"/>
      <displayreference target="H3" to="HTTP/3"/>
      <references title="Normative References">
         <reference anchor="HTTP">
            <front>
               <title>HTTP Semantics</title>
               <author fullname="R. Fielding"
                        initials="R."
                        role="editor"
                        surname="Fielding"/>
               <author fullname="M. Nottingham"
                        initials="M."
                        role="editor"
                        surname="Nottingham"/>
               <author fullname="J. Reschke"
                        initials="J."
                        role="editor"
                        surname="Reschke"/>
               <date month="June" year="2022"/>
            </front>
            <seriesInfo name="STD" value="97"/>
            <seriesInfo name="RFC" value="9110"/>
            <seriesInfo name="DOI" value="10.17487/RFC9110"/>
         </reference>
         <reference anchor="RFC2119">
            <front>
               <title>Key words for use in RFCs to Indicate Requirement Levels</title>
               <author fullname="S. Bradner" initials="S." surname="Bradner"/>
               <date month="March" year="1997"/>
            </front>
            <seriesInfo name="BCP" value="14"/>
            <seriesInfo name="RFC" value="2119"/>
            <seriesInfo name="DOI" value="10.17487/RFC2119"/>
         </reference>
         <reference anchor="RFC8174">
            <front>
               <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
               <author fullname="B. Leiba" initials="B." surname="Leiba"/>
               <date month="May" year="2017"/>
            </front>
            <seriesInfo name="BCP" value="14"/>
            <seriesInfo name="RFC" value="8174"/>
            <seriesInfo name="DOI" value="10.17487/RFC8174"/>
         </reference>
         <reference anchor="STRUCTURED-FIELDS">
            <front>
               <title>Structured Field Values for HTTP</title>
               <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
               <author fullname="P-H. Kamp" surname="P-H. Kamp"/>
               <date month="February" year="2021"/>
            </front>
            <seriesInfo name="RFC" value="8941"/>
            <seriesInfo name="DOI" value="10.17487/RFC8941"/>
         </reference>
         <reference anchor="TLS">
            <front>
               <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
               <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
               <date month="August" year="2018"/>
            </front>
            <seriesInfo name="RFC" value="8446"/>
            <seriesInfo name="DOI" value="10.17487/RFC8446"/>
         </reference>
         <reference anchor="KEY-EXPORT">
            <front>
               <title>Keying Material Exporters for Transport Layer Security (TLS)</title>
               <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
               <date month="March" year="2010"/>
            </front>
            <seriesInfo name="RFC" value="5705"/>
            <seriesInfo name="DOI" value="10.17487/RFC5705"/>
         </reference>
         <reference anchor="RFC7627">
            <front>
               <title>Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension</title>
               <author fullname="K. Bhargavan"
                        initials="K."
                        role="editor"
                        surname="Bhargavan"/>
               <author fullname="A. Delignat-Lavaud"
                        initials="A."
                        surname="Delignat-Lavaud"/>
               <author fullname="A. Pironti" initials="A." surname="Pironti"/>
               <author fullname="A. Langley" initials="A." surname="Langley"/>
               <author fullname="M. Ray" initials="M." surname="Ray"/>
               <date month="September" year="2015"/>
            </front>
            <seriesInfo name="RFC" value="7627"/>
            <seriesInfo name="DOI" value="10.17487/RFC7627"/>
         </reference>
      </references>
      <references title="Informative References">
         <reference anchor="H2">
            <front>
               <title>HTTP/2</title>
               <author fullname="M. Thomson"
                        initials="M."
                        role="editor"
                        surname="Thomson"/>
               <author fullname="C. Benfield"
                        initials="C."
                        role="editor"
                        surname="Benfield"/>
               <date month="June" year="2022"/>
            </front>
            <seriesInfo name="RFC" value="9113"/>
            <seriesInfo name="DOI" value="10.17487/RFC9113"/>
         </reference>
         <reference anchor="H3">
            <front>
               <title>HTTP/3</title>
               <author fullname="M. Bishop"
                        initials="M."
                        role="editor"
                        surname="Bishop"/>
               <date month="June" year="2022"/>
            </front>
            <seriesInfo name="RFC" value="9114"/>
            <seriesInfo name="DOI" value="10.17487/RFC9114"/>
         </reference>
         <reference anchor="QUIC-TLS">
            <front>
               <title>Using TLS to Secure QUIC</title>
               <author fullname="M. Thomson"
                        initials="M."
                        role="editor"
                        surname="Thomson"/>
               <author fullname="S. Turner"
                        initials="S."
                        role="editor"
                        surname="Turner"/>
               <date month="May" year="2021"/>
            </front>
            <seriesInfo name="RFC" value="9001"/>
            <seriesInfo name="DOI" value="10.17487/RFC9001"/>
         </reference>
         <reference anchor="ED25519">
            <front>
               <title>Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure</title>
               <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
               <author fullname="J. Schaad" initials="J." surname="Schaad"/>
               <date month="August" year="2018"/>
            </front>
            <seriesInfo name="RFC" value="8410"/>
            <seriesInfo name="DOI" value="10.17487/RFC8410"/>
         </reference>
         <reference anchor="SHA">
            <front>
               <title>US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)</title>
               <author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake 3rd"/>
               <author fullname="T. Hansen" initials="T." surname="Hansen"/>
               <date month="May" year="2011"/>
            </front>
            <seriesInfo name="RFC" value="6234"/>
            <seriesInfo name="DOI" value="10.17487/RFC6234"/>
         </reference>
      </references>
      <?line 386?>
      <section anchor="acknowledgments" numbered="false">
         <name>Acknowledgments</name>
         <t>The authors would like to thank many members of the IETF community, as this document is the fruit of many hallway conversations. Ben Schwartz contributed ideas to this document.</t>
      </section>
   </back>
</rfc>
