Re: [apps-discuss] [saag] HTTP authentication: the next generation

Yoav Nir <ynir@checkpoint.com> Sat, 11 December 2010 23:08 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, websec <websec@ietf.org>, Peter Saint-Andre <stpeter@stpeter.im>
Date: Sun, 12 Dec 2010 01:10:11 +0200
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, "pgut001@cs.auckland.ac.nz" <pgut001@cs.auckland.ac.nz>, "kitten@ietf.org" <kitten@ietf.org>, Yaron Sheffer <yaronf.ietf@gmail.com>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Re: [apps-discuss] [saag] HTTP authentication: the next generation

On Dec 11, 2010, at 1:09 AM, Paul Hoffman wrote:

> At 3:53 PM -0700 12/10/10, Peter Saint-Andre wrote:
>> Other than that, I'm not aware of much activity. What have I missed?
> 
> TLS client certificates.

TLS client certificates work, but as we've learned both with the web and with IPsec clients, people would much rather not use them. A few IETFs ago (Chicago?), a bunch of us tried to push the idea of TLS with EAP authentication.

http://tools.ietf.org/html/draft-nir-tls-eap

At the time, the TLS working group (and an AD) told us that this would contradict the applicability statement of EAP, so no, you cannot use EAP for anything other than network access. 

Now we have the abfab working group, so I don't think this still holds.

Also, I agree with Marsh that authentication is not enough, and you need the rest of TLS anyway.

So yes, I think that it is time to resurrect HTTP authentication.

Yoav