Re: [apps-discuss] [websec] HTTP authentication: the next generation

Julian Reschke <julian.reschke@gmx.de> Mon, 13 December 2010 15:44 UTC

Message-ID: <4D063E2A.3010108@gmx.de>
Date: Mon, 13 Dec 2010 16:39:22 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101207 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: Peter Saint-Andre <stpeter@stpeter.im>
References: <4D02AF81.6000907@stpeter.im>
In-Reply-To: <4D02AF81.6000907@stpeter.im>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, websec@ietf.org, "kitten@ietf.org" <kitten@ietf.org>, http-auth@ietf.org, saag@ietf.org, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Re: [apps-discuss] [websec] HTTP authentication: the next generation

On 10.12.2010 23:53, Peter Saint-Andre wrote:
> Is it time to start thinking about next-generation authentication
> technologies for HTTP?
>
> We all know that BASIC and DIGEST are ancient and crufty and lacking
> many features and security properties we might want, but there hasn't
> been much discussion about more modern approaches. Here are a few things
> I've found:
> ...

Probably. But while doing so, we need to look at the existing base as well.

HTTPbis now includes the HTTP authentication framework (essentially RFC2617 minus Basic and Digest). The HTTPbis WG is interested in feedback on the remaining issues (such as Realm required?, and considerations for new schemes).

Also, I believe Basic is not going to go away, and I'd really like to fix its I18N problem. Proposal here: <http://greenbytes.de/tech/webdav/draft-reschke-basicauth-enc-01.html>.

Best regards, Julian
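The I18N problem Julian refers to is that RFC 2617 never says which character encoding the user-id:password string is in before it is base64-encoded, so a client and a server can disagree on any non-ASCII credential. The Python below is an added example, not code from this thread or from the draft; it assumes the server advertises its encoding through an auth-param named `charset` on the Basic challenge (the name, and the ISO-8859-1 fallback when it is absent, are assumptions here) and uses constructed credentials to show the same password taking two different wire forms and being mis-decoded or rejected when the wrong charset is applied.

```python
import base64
import re
import unicodedata
from typing import Optional, Tuple, Dict

# Constructed example: demonstrates why Basic auth needs an agreed charset.
# The "charset" auth-param and the ISO-8859-1 fallback are assumptions.

_PARAM_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def build_challenge(realm: str, charset: Optional[str] = "UTF-8") -> str:
    """WWW-Authenticate value: Basic realm="..." plus an optional charset param."""
    value = 'Basic realm="%s"' % realm
    if charset:
        value += ', charset="%s"' % charset
    return value


def parse_challenge(value: str) -> Dict[str, object]:
    """Split a Basic challenge into its scheme and auth-params (quoted or token values)."""
    scheme, _, rest = value.partition(" ")
    params = {}
    for name, quoted, token in _PARAM_RE.findall(rest):
        params[name.lower()] = quoted if quoted else token
    return {"scheme": scheme, "params": params}


def encode_credentials(user: str, password: str, charset: str) -> str:
    """Authorization value a client sends: base64(user:password) in the given charset."""
    if ":" in user:
        raise ValueError("user-id must not contain ':' (it separates the two fields)")
    # NFC normalisation so that composed and decomposed forms encode identically.
    text = unicodedata.normalize("NFC", "%s:%s" % (user, password))
    return "Basic " + base64.b64encode(text.encode(charset)).decode("ascii")


def decode_credentials(header: str, charset: str) -> Tuple[str, str]:
    """Server side: decode with the charset it advertised; wrong octets raise UnicodeDecodeError."""
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(b64, validate=True)
    text = raw.decode(charset)
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("missing ':' separator in credentials")
    return user, password


def demo() -> Dict[str, object]:
    """Walk through the ambiguity with constructed non-ASCII credentials."""
    user, password = "jürgen", "pässword"  # constructed sample values
    latin1_form = encode_credentials(user, password, "ISO-8859-1")
    utf8_form = encode_credentials(user, password, "UTF-8")

    # Same credentials, two different header values: the interoperability gap.
    wire_forms_differ = latin1_form != utf8_form

    # UTF-8 octets read as Latin-1 do not fail, they silently become mojibake.
    wrong_password = decode_credentials(utf8_form, "ISO-8859-1")[1]

    # Latin-1 octets read as UTF-8 are not valid UTF-8 and get rejected.
    try:
        decode_credentials(latin1_form, "UTF-8")
        latin1_as_utf8 = "decoded"
    except UnicodeDecodeError:
        latin1_as_utf8 = "rejected"

    # With the charset carried in the challenge, the client and server agree.
    challenge = build_challenge("example", "UTF-8")
    advertised = parse_challenge(challenge)["params"].get("charset", "ISO-8859-1")
    right_password = decode_credentials(utf8_form, advertised)[1]

    return {
        "wire_forms_differ": wire_forms_differ,
        "wrong_password": wrong_password,
        "latin1_as_utf8": latin1_as_utf8,
        "right_password": right_password,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print("%s: %r" % (key, val))
```

Running `demo()` shows the UTF-8 form decoded as Latin-1 yielding `pÃ¤ssword`, the Latin-1 form being rejected as UTF-8, and the correct `pässword` only once the decoder uses the charset the challenge advertised; a server that keys password verification on the raw octets would otherwise reject or, worse, accept a different string than the user typed.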