HTTP: Peer ID Authentication #564

Open: wants to merge 6 commits into base: http

MarcoPolo
Contributor

I've removed the peer id authentication scheme from the core spec of #508 for a couple reasons:

  1. Auth is optional, the MVP may not include it.
  2. This needs a bit more discussion since this is the first time we are doing a peer id auth scheme that relies on web PKI.
  3. I've also changed the auth scheme to not use Noise because we didn't get as much code reuse as I was hoping for and I think it adds unnecessary complexity to this. It's now a more traditional challenge-response scheme similar to SSH auth and WebAuthn and the first version of this auth.

On 2, this is the first time we are doing a peer id auth scheme that relies on web PKI, and thus has slightly different security properties than what we've done in the past. Instead of tying a peer id to an underlying encrypted channel we are tying it to a domain name. If the client can't trust the domain name (e.g. has enterprise root CAs installed) then their connection can be MITM'd. In practice I don't think this is a serious concern because:

  • If a 3rd party has installed root CAs on a client, they probably also have root on the client. Thus they don't have to MITM, since they own the client.
  • If web PKI breaks, it will be very obvious since many other things will break. Libp2p users will still be able to use a different authentication scheme.
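
An added example, not code from this PR or from the libp2p spec: a Go sketch of the challenge-response shape described in the comment above, showing why a signature tied to the TLS-verified domain name cannot be reused against a different host. The payload layout, the label `example-peer-id-auth`, the function names, the hostnames and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// payload is what the client signs. Assumption of this sketch (not the spec's
// wire format): a fixed label, the length-prefixed hostname, then the challenge.
func payload(hostname string, challenge []byte) []byte {
	out := []byte("example-peer-id-auth\x00")
	out = append(out, byte(len(hostname)>>8), byte(len(hostname)))
	out = append(out, hostname...)
	return append(out, challenge...)
}

// NewChallenge returns fresh random bytes and the base64 form a server would
// send in WWW-Authenticate: Libp2p-Challenge challenge="...".
func NewChallenge() ([]byte, string) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	return raw, base64.StdEncoding.EncodeToString(raw)
}

// Respond is the client: it signs for the hostname its TLS stack verified.
func Respond(priv ed25519.PrivateKey, tlsHost string, challenge []byte) []byte {
	return ed25519.Sign(priv, payload(tlsHost, challenge))
}

// Verify is the server: accept only its own challenge signed for its own hostname.
func Verify(pub ed25519.PublicKey, ownHost string, issued, sig []byte) bool {
	return ed25519.Verify(pub, payload(ownHost, issued), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ch, hdr := NewChallenge()
	fmt.Printf("WWW-Authenticate: Libp2p-Challenge challenge=%q\n", hdr)
	fmt.Println("same host:", Verify(pub, "good.example", ch, Respond(priv, "good.example", ch)))
	// Signature made while the client believed it was talking to another host.
	fmt.Println("other host:", Verify(pub, "good.example", ch, Respond(priv, "evil.example", ch)))
}
```

The second check fails because the hostname the client signed for is not the verifier's own. If the client's trust store accepts a certificate for `good.example` from another party, the client signs for `good.example` and that check passes, which is the web PKI dependency the comment describes.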

http/peer-id-auth.md (outdated)

1. The server initiates the authentication by responding to a request that must
be authenticated with the response header `WWW-Authenticate: Libp2p-Challenge
challenge="<base64-encoded-challenge>, Libp2p-Challenge-Server-Only"`. The
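
Review bot: in the `WWW-Authenticate` example in step 1, the closing double quote comes after `Libp2p-Challenge-Server-Only`, so as written that name is part of the quoted `challenge` value rather than a separate item in the header. If it is meant to be separate, close the quote directly after `<base64-encoded-challenge>` and state whether the second item is another challenge scheme or a parameter.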
Contributor

Can we use structured fields here, or is this one of the legacy fields where retrofitting sf was too difficult?

Contributor Author

Yes, it's one of those legacy fields unfortunately. I did a version with sfv, but it was a bit too awkward.

Contributor

thomaseizinger left a comment

Thanks Marco!

A few thoughts. I think we could split this into two flows: Libp2p-Challenge-Client and Libp2p-Challenge-Server and specify that they can be combined as necessary or used standalone.

@MarcoPolo
Contributor Author

I've updated the spec with a couple changes:

  • A single auth scheme with parameters to control who is authenticated. This allows for mutual, client only, and server only auth.
  • Change the wording to allow for using a server-encrypted value as the challenge-client value.

Contributor

thomaseizinger left a comment

Great work! I've made a few more comments but this looks sound from my end :)
