Re: [apps-discuss] [saag] [websec] [kitten] HTTP authentication: the next generation

Ben Laurie <benl@google.com> Sun, 09 January 2011 13:42 UTC

In-Reply-To: <AANLkTimXTAZO8N4LMsxn=SYe8fjx3wjyoQVvrp7dAgad@mail.gmail.com>
References: <4D04D7D6.4090105@isode.com> <A23730A9-728B-4533-96D7-0B62496CC98A@checkpoint.com> <4D051731.1020400@isode.com> <2230EA03-32C5-4D34-BC6B-304E813BE3A7@gbiv.com> <AANLkTimWZz-uOQ3whayCgAzHRXJLWh7qYjiqW7h8-MK7@mail.gmail.com> <AANLkTik5wsudwLN=+KzvXoA4MStG2K72fA5giKd2NqGV@mail.gmail.com> <Pine.LNX.4.64.1101060802120.6107@egate.xpasc.com> <AANLkTi=zX+8fd7yZYsOprnJeu7L63GW9L_RzZfFZnH6e@mail.gmail.com> <AANLkTimL=VdmhWdk3Yi-P5gdiHOOd_JpcgFX_uvBo2=E@mail.gmail.com> <AANLkTi=GpV3O-8RaankHnV96JMNaE-R947rWJhoVO7LL@mail.gmail.com> <20110108194952.GS12542@zedshaw> <AANLkTimXTAZO8N4LMsxn=SYe8fjx3wjyoQVvrp7dAgad@mail.gmail.com>
Date: Sun, 09 Jan 2011 13:44:12 +0000
Message-ID: <AANLkTimFT5Ugss2_pGST0syiM1ByA_pKgmVodYwXF0qY@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Blaine Cook <romeda@gmail.com>
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, David Morris <dwm@xpasc.com>, websec <websec@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "Zed A. Shaw" <zedshaw@zedshaw.com>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, Phillip Hallam-Baker <hallam@gmail.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Re: [apps-discuss] [saag] [websec] [kitten] HTTP authentication: the next generation

On 9 January 2011 01:29, Blaine Cook <romeda@gmail.com> wrote:
> On 8 January 2011 11:49, Zed A. Shaw <zedshaw@zedshaw.com> wrote:
>> On Sat, Jan 08, 2011 at 09:37:00AM -0800, Blaine Cook wrote:
>> I don't normally respond, just being a lurker, but this statement is
>> completely wrong Blaine.  OAuth may be used for more requests, but not
>> more sites.  It's used on a tiny number of sites, with OpenID being used
>> on way many more, and even then, nowhere near the number of websites
>> that use form-based authentication and browser authentication methods.
>>
>> Don't equate twitter having a ton of traffic to OAuth being some kind of
>> raving success, and sure as hell don't evaluate the technical merits of
>> something by its popularity.
>
> Agreed - though, Facebook is also using OAuth-based (not 1.0, but
> essentially the same approach) logins, and there are a number of other
> sites that do provide OAuth-based login infrastructure.
>
> Moreover, the nudge towards OAuth is intended with the movement
> towards a new auth infrastructure in mind. We'd need some kind of
> discovery / negotiation mechanism on top to make it not the
> one-or-two-companies-own-the-web play that login-over-OAuth is now.
> (cf. OpenID Connect).
>
> b.
>
>> While I agree that TLS client side isn't going to work, none of the
>> proposed authentication methods will work without a change to browsers
>> to support a way for two websites to establish a session in the browser.
>> If that feature existed you would cut down on a lot of the complexity of
>> things like OpenID and OAuth.
>
> Again, agreed. ;-)
>
> For the record, I don't think that OAuth itself is a suitable
> replacement for HTTP authorisation, but I wanted to stir the pot,
> especially away from overwrought technical solutions that don't
> actually solve anyone's needs.

Towards ones that are ripe for phishing and have no privacy
protections? I don't believe that's a good direction.