Re: [apps-discuss] [saag] [websec] [kitten] HTTP authentication: the next generation

Blaine Cook <romeda@gmail.com> Sun, 09 January 2011 01:27 UTC

From: Blaine Cook <romeda@gmail.com>
Date: Sat, 08 Jan 2011 17:29:29 -0800
Message-ID: <AANLkTimXTAZO8N4LMsxn=SYe8fjx3wjyoQVvrp7dAgad@mail.gmail.com>
To: "Zed A. Shaw" <zedshaw@zedshaw.com>, Blaine Cook <romeda@gmail.com>, Phillip Hallam-Baker <hallam@gmail.com>, Ben Laurie <benl@google.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, David Morris <dwm@xpasc.com>, websec <websec@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

On 8 January 2011 11:49, Zed A. Shaw <zedshaw@zedshaw.com> wrote:
> On Sat, Jan 08, 2011 at 09:37:00AM -0800, Blaine Cook wrote:
> I don't normally respond, just being a lurker, but this statement is
> completely wrong Blaine.  OAuth may be used for more requests, but not
> more sites.  It's used on a tiny number of sites, with OpenID being used
> on way many more, and even then, nowhere near the number of websites
> that form based authentication and browser authentication methods.
>
> Don't equate twitter having a ton of traffic to OAuth being some kind of
> raving success, and sure as hell don't evaluate the technical merits of
> something by its popularity.

Agreed, though Facebook is also using OAuth-based (not 1.0, but
essentially the same approach) logins, and there are a number of other
sites that do provide OAuth-based login infrastructure.

Moreover, the nudge towards OAuth is intended with the movement
towards a new auth infrastructure in mind. We'd need some kind of
discovery / negotiation mechanism on top to make it not the
one-or-two-companies-own-the-web play that login-over-OAuth is now
(cf. OpenID Connect).

b.

> While I agree that TLS client side isn't going to work, none of the
> proposed authentication methods will work without a change to browsers
> to support a way for two websites to establish a session in the browser.
> If that feature existed you would cut down on a lot of the complexity of
> things like OpenID and OAuth.

Again, agreed. ;-)

For the record, I don't think that OAuth itself is a suitable
replacement for HTTP authorisation, but wanted to stir the pot,
especially away from overwrought technical solutions that don't
actually solve anyone's needs.

b.