Re: [apps-discuss] [websec] [saag] [kitten] HTTP authentication: the next generation

Marsh Ray <marsh@extendedsubset.com> Thu, 06 January 2011 19:49 UTC


On 01/06/2011 12:35 PM, der Mouse wrote:
>> Look back far enough and you'll find all kinds of "electronic mail"
>> services implementing the full range of peer and end user
>> authentication, and sender-pays models.  There was no spam on those
>> systems, or at least not enough that anyone felt like they needed a
>> word for it.
>
> There was basically no spam on open-Internet SMTP mail either, at the
> time.  Certainly "no spam" by today's standards.
>
>> Guess why we use the one we use today.
>
> At the time, the services you deride weren't providing a significant
> value-add.

I wasn't so much deriding them but saying there were points all over the 
trade-off curve and the market voted with its feet. Unambiguously.

Of course, the marketing creeps followed.

> Today?  They would be.  Perhaps not enough to make up for their costs;
> probably not, in fact, or there'd be businesses arising in that space.

There are plenty. It's a commoditized low-margin business these days. 
But the network infrastructure costs are not nearly the biggest cost 
once you factor in things like end-user support.
E.g. http://www.google.com/search?q=hosted+vpn

It occurred to me last night that one might recreate the good old days 
of the Internet with a VPN which allowed access to the good old folks 
who were on it back then. Sounds a little crass and elitist now that I 
propose it out loud.

But imagine a global authenticated VPN where the only reason you could 
be banned is for spamming? Or one where you had to be at a university CS 
department? Or a whole set of overlapping criteria and you could choose 
what the membership criteria are for your own view of the network?

Your own personal Virtual Public Internet.

> As a side note, it's interesting to see how well the early Internet
> designers built; their systems are routinely being stressed several
> orders of magnitude beyond what they were designed for, and are holding
> up remarkably well.

It is amazing, isn't it?

> The postal system did collapse when it started
> suffering from spam; that's why the paper chain mail is actually
> illegal in many jurisdictions - it took down the postal system, once
> upon a time.

Nice.

> The telephone system would collapse if phone spam
> outnumbered real calls by 10, 25, 100 to 1.  (Actually, in a sense they
> already do.  I have a fax line set up, and get dozens of fax spams for
> every real fax.  I've had to start adapting and applying my email spam
> fighting techniques there....)

We get so many unsolicited calls from telemarketers and robot dialers at 
home we don't answer the phone unless we recognize the caller ID. 
Sometimes family calling from roaming cell phones show up as 
'unidentified caller' and we mistakenly don't answer. How much more 
broken can it be?

- Marsh