Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation

Robert Sayre <> Thu, 06 January 2011 01:26 UTC

Date: Wed, 05 Jan 2011 20:28:08 -0500
From: Robert Sayre <>
To: "Roy T. Fielding" <>
Cc: Yoav Nir <>, websec <>, " Group" <>
Subject: Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation

> Peter Saint-Andre <> wrote:
> 2. In 2007, Robert Sayre put together a few slides on the topic:

These are back on the Web, in case anyone missed them (probably not).

On Sun, Dec 12, 2010 at 5:39 PM, Roy T. Fielding <> wrote:
> Define them all and let's have a bake-off.  It has been 16 years since
> HTTP auth was taken out of our hands so that the security experts could
> define something perfect.  Zero progress so far.

Hard to disagree with this assessment.

It's pretty easy to define something better than the current HTTP
authentication mechanisms, but pretty hard to design something more
popular than forms+cookies.

I've looked at this problem a little bit, and I gather the strictly
technical security properties we're looking for are pretty well
understood. Deployment and presentation control are the tough parts.
Presentation control is actually a security trade-off--to get the
control web designers want, you have to present graphics before the
server has been authenticated. Also, I suspect it will be difficult to
deploy a new HTTP mechanism that can withstand replay and DoS attacks,
unless proxy conformance gets a lot better. So, I think those
advocating TLS-only solutions might turn out to win the day, but not
because the security properties on offer are particularly compelling.

I think the IETF might do better to focus on a smaller problem, at
first. People often use self-signed certificates with HTTP/TLS, even
though the first thing their websites ask the user to do is type a
username and password into a form. There are some well-understood ways
to make this process more secure. Why hasn't the IETF fixed this
problem? If this smaller problem has no ready solution, then the
larger issue of authentication on the entire Web seems like a tough
nut to crack.

It could be that the reasons for this lack of progress are
nontechnical. Just throwing that out there.


Robert Sayre

"I would have written a shorter letter, but I did not have the time."