List: apache-httpd-dev
Subject: Requesting feedback - RFC5878
From: Scott Deboy <sdeboy () secondstryke ! com>
Date: 2013-05-16 22:45:15
Message-ID: 7571FF70-5B62-42DC-B899-9BA6A37F3831 () secondstryke ! com
I'm re-implementing support for RFC5878 (TLS authorization extensions) in OpenSSL and subsequently mod_ssl.

I am working on contributing back the OpenSSL changes and would like to contribute back the mod_ssl changes.

A little RFC5878 background: Client sends a TLS extension representing the auth format(s) it supports. If the server supports the auth format(s), it sends back the same TLS extension. If either side needs to send data, the data is sent in the supplemental data message. Apps may choose to do this only during renegotiation.

I have working versions of OpenSSL and mod_ssl which exercise RFC5878 with DTCP-based authorization - a new RFC is in-progress to support DTCP-based authorization in RFC5878. The current implementation only implements support for DTCP-based authorization - it doesn't provide support for the AuthzDataFormats defined in RFC5878. However, the OpenSSL API doesn't change, and implementing mod_ssl support for the other AuthzDataFormats should be straightforward.

DTCP-based authorization requires the server to send supplemental data, and the client to send supplemental data back to the server. At that point, the server sets a DTCP_VALIDATION_SUCCESSFUL variable so that CGI scripts know authorization was successful.

I've filed https://issues.apache.org/bugzilla/show_bug.cgi?id=54987 with details and links to the OpenSSL and mod_ssl changes, requesting feedback on the current implementation.

Any comments/suggestions appreciated.

I understand it may make sense to hold off on accepting this contribution until the OpenSSL contribution has been accepted and the DTCP RFC is complete, but I thought I would solicit feedback now, as those other processes are in-progress now.

Thanks much,
Scott
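
Added example, not part of the message above and not code from the OpenSSL or mod_ssl patches: a strict server-side parse of the RFC 5878 format-list extension body (one length byte, then one byte per AuthzDataFormat) and construction of the echoed reply. The function names are hypothetical, rejecting duplicate formats is a strictness choice of this example, and replying with only the overlapping formats generalizes the "sends back the same extension" summary.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* AuthzDataFormat codes from RFC 5878: x509_attr_cert(0),
 * saml_assertion(1), x509_attr_cert_url(2), saml_assertion_url(3). */

/* Hypothetical helper: parse extension_data = authz_format_list<1..2^8-1>.
 * Returns the number of formats copied to out, or -1 if malformed. */
int authz_parse_formats(const uint8_t *ext, size_t ext_len,
                        uint8_t *out, size_t out_cap)
{
    uint8_t seen[256] = {0};
    size_t n, i;

    if (ext == NULL || ext_len < 2) return -1;  /* empty list not allowed */
    n = ext[0];
    if (n == 0 || n != ext_len - 1) return -1;  /* no short or trailing bytes */
    if (n > out_cap) return -1;
    for (i = 0; i < n; i++) {
        uint8_t f = ext[1 + i];
        if (seen[f]) return -1;                 /* example's choice: no duplicates */
        seen[f] = 1;
        out[i] = f;
    }
    return (int)n;
}

/* Hypothetical helper: build the server's reply extension_data from the
 * client's formats that the server also supports, in client order.
 * Returns bytes written, 0 if nothing overlaps (omit the extension),
 * or -1 on malformed input or insufficient reply space. */
int authz_build_reply(const uint8_t *client_ext, size_t client_len,
                      const uint8_t *supported, size_t n_supported,
                      uint8_t *reply, size_t reply_cap)
{
    uint8_t offered[255];
    size_t count = 0, i;
    int n = authz_parse_formats(client_ext, client_len, offered, sizeof offered);

    if (n < 0) return -1;
    for (i = 0; i < (size_t)n; i++) {
        if (memchr(supported, offered[i], n_supported) == NULL) continue;
        if (count + 2 > reply_cap) return -1;   /* length byte + entries */
        reply[1 + count++] = offered[i];
    }
    if (count == 0) return 0;
    reply[0] = (uint8_t)count;
    return (int)(count + 1);
}
```

A return of 0 means the handshake continues without the extension, so no authorization supplemental data should be sent or accepted on that connection.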