List:       apache-httpd-dev
Subject:    Requesting feedback - RFC5878
From:       Scott Deboy <sdeboy () secondstryke ! com>
Date:       2013-05-16 22:45:15
Message-ID: 7571FF70-5B62-42DC-B899-9BA6A37F3831 () secondstryke ! com

I'm re-implementing support for RFC5878 (TLS authorization extensions) in OpenSSL and
subsequently mod_ssl.

I am working on contributing back the OpenSSL changes and would like to contribute
back the mod_ssl changes.

A little RFC5878 background: Client sends a TLS extension representing the auth
format(s) it supports.  If the server supports the auth format(s), it sends back the
same TLS extension.  If either side needs to send data, the data is sent in the
supplemental data message.  Apps may choose to do this only during renegotiation.

I have working versions of OpenSSL and mod_ssl which exercise RFC5878 with DTCP-based
authorization - a new RFC is in-progress to support DTCP-based authorization in
RFC5878.  The current only implements support for DTCP-based authorization - it
doesn't provide support for the AuthzDataFormats defined in RFC5878.  However, the
OpenSSL API doesn't change, and implementing mod_ssl support for the other
AuthzDataFormats should be straightforward.

DTCP-based authorization requires the server to send supplemental data, and the
client to send supplemental data back to the server.  At that point, the server sets
a DTCP_VALIDATION_SUCCESSFUL variable so that CGI scripts know authorization was
successful.

I've filed https://issues.apache.org/bugzilla/show_bug.cgi?id=54987 with details and
links to the OpenSSL and mod_ssl changes, requesting feedback on the current
implementation.

Any comments/suggestions appreciated.

I understand it may make sense to hold off on accepting this contribution until the
OpenSSL contribution has been accepted and the DTCP RFC is complete, but I thought I
would solicit feedback now, as those other processes are in-progress now.

Thanks much,

Scott
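
The extension exchange summarized in the background paragraph of the message above, as an added example that is not part of the original message and is not the OpenSSL or mod_ssl code it refers to. It uses the AuthzDataFormats list encoding from RFC 5878; the function name `authz_negotiate`, the choice to reply with only the formats both sides support, and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* AuthzDataFormat values from RFC 5878; each is one byte on the wire. */
enum { X509_ATTR_CERT = 0, SAML_ASSERTION = 1, X509_ATTR_CERT_URL = 2, SAML_ASSERTION_URL = 3 };

/* Hypothetical helper, not an OpenSSL or mod_ssl function.
 * in: extension_data from the ClientHello, authz_format_list<1..2^8-1>
 *     (one length byte, then that many format bytes).
 * Returns the reply extension_data length written to out, 0 when no format
 * is shared (omit the extension), or -1 when the list is malformed. */
int authz_negotiate(const uint8_t *in, size_t in_len,
                    const uint8_t *supported, size_t n_supported,
                    uint8_t *out, size_t out_cap)
{
    if (in == NULL || in_len < 2) return -1;     /* length byte + at least one format */
    size_t list_len = in[0];
    if (list_len == 0 || list_len != in_len - 1) /* empty, truncated, or trailing bytes */
        return -1;
    size_t n = 0;
    for (size_t i = 0; i < list_len; i++) {
        uint8_t fmt = in[1 + i];
        int ok = 0, dup = 0;
        for (size_t j = 0; j < n_supported; j++)
            if (supported[j] == fmt) ok = 1;
        for (size_t j = 0; j < n; j++)           /* list each format once in the reply */
            if (out[1 + j] == fmt) dup = 1;
        if (!ok || dup)
            continue;
        if (n + 2 > out_cap)                     /* never write past the caller's buffer */
            return -1;
        out[1 + n++] = fmt;
    }
    if (n == 0)
        return 0;
    out[0] = (uint8_t)n;
    return (int)(n + 1);
}

int main(void)
{
    /* Constructed sample: the client offers three formats, the server supports two. */
    const uint8_t hello[] = { 3, X509_ATTR_CERT_URL, SAML_ASSERTION, X509_ATTR_CERT };
    const uint8_t supported[] = { SAML_ASSERTION, X509_ATTR_CERT };
    uint8_t reply[256];
    printf("reply length: %d\n", authz_negotiate(hello, 4, supported, 2, reply, 256));
    return 0;
}
```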

