Re: [apps-discuss] [kitten] HTTP authentication: the next generation

Nicolas Williams <Nicolas.Williams@oracle.com> Sat, 11 December 2010 05:20 UTC

Return-Path: <Nicolas.Williams@oracle.com>
X-Original-To: apps-discuss@core3.amsl.com
Delivered-To: apps-discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4ED453A6CD6; Fri, 10 Dec 2010 21:20:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.536
X-Spam-Level:
X-Spam-Status: No, score=-6.536 tagged_above=-999 required=5 tests=[AWL=0.062, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IOl0oREfL3jB; Fri, 10 Dec 2010 21:20:34 -0800 (PST)
Received: from rcsinet10.oracle.com (rcsinet10.oracle.com [148.87.113.121]) by core3.amsl.com (Postfix) with ESMTP id 342833A6CD4; Fri, 10 Dec 2010 21:20:34 -0800 (PST)
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.2) with ESMTP id oBB5M48l019515 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 11 Dec 2010 05:22:05 GMT
Received: from acsmt354.oracle.com (acsmt354.oracle.com [141.146.40.154]) by rcsinet15.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id oBB5M31Y020970; Sat, 11 Dec 2010 05:22:03 GMT
Received: from abhmt012.oracle.com by acsmt353.oracle.com with ESMTP id 845443701292044884; Fri, 10 Dec 2010 21:21:24 -0800
Received: from oracle.com (/10.135.193.24) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 10 Dec 2010 21:21:23 -0800
Date: Fri, 10 Dec 2010 23:21:18 -0600
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Message-ID: <20101211052117.GA29086@oracle.com>
References: <4D02AF81.6000907@stpeter.im>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4D02AF81.6000907@stpeter.im>
User-Agent: Mutt/1.5.20 (2010-03-02)
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, websec@ietf.org, "kitten@ietf.org" <kitten@ietf.org>, http-auth@ietf.org, saag@ietf.org, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Re: [apps-discuss] [kitten] HTTP authentication: the next generation
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Dec 2010 05:20:35 -0000

On Fri, Dec 10, 2010 at 03:53:53PM -0700, Peter Saint-Andre wrote:
> Is it time to start thinking about next-generation authentication
> technologies for HTTP?
> 
> We all know that BASIC and DIGEST are ancient and crufty and lacking
> many features and security properties we might want, but there hasn't
> been much discussion about more modern approaches. Here are a few things
> I've found:
> 
> 1. Way back in 2001, Keith Burdis wrote an I-D about upgrading to SASL
> within HTTP: http://tools.ietf.org/id/draft-burdis-http-sasl-00.txt

I have this:

draft-williams-tls-app-sasl-opt-04.txt

which could easily be made usable from HTTP.

> If you're interested, please discuss on the http-auth@ietf.org list:
> 
> https://www.ietf.org/mailman/listinfo/http-auth

One more list...  :)

Nico
--