Re: [apps-discuss] HTTP authentication: the next generation

Mark Nottingham <> Fri, 10 December 2010 23:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1EDF328C171; Fri, 10 Dec 2010 15:04:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -104.583
X-Spam-Status: No, score=-104.583 tagged_above=-999 required=5 tests=[AWL=-1.984, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id O9qujG0fX4XH; Fri, 10 Dec 2010 15:04:35 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 9199D28C170; Fri, 10 Dec 2010 15:04:34 -0800 (PST)
Received: from (unknown []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id B455722E1EB; Fri, 10 Dec 2010 18:06:03 -0500 (EST)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Mark Nottingham <>
In-Reply-To: <>
Date: Sat, 11 Dec 2010 10:06:00 +1100
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Peter Saint-Andre <>
X-Mailer: Apple Mail (2.1082)
Cc: "" <>,, "" <>,,, " Group" <>
Subject: Re: [apps-discuss] HTTP authentication: the next generation
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 10 Dec 2010 23:04:36 -0000

There was a very well-attended and wide-ranging bar BoF in Vancouver, and lots of background discussion (/noise).

My impression at that point was that the use cases that people wanted to put into scope were so diverse, and the requirements so exacting, that it was a non-starter. 

That may still be the case, and I think that without a concrete target, starting the discussion again will ultimately just waste a lot of engineer hours*.

Having said that -- since we now have OAuth shaving off some of those use cases, it may be that a purely browsing-focused authentication mechanism might be able to get traction, provided we can get browser vendors on board (naturally). I'd expect them to instigate this, however.


* Waste, of course, is subjective. A cynical person would think that the opportunity cost of having a bunch of standards people working on something non-productive could, in the end, be a useful diversion. However, I'm not that person, because I'm not thinking it, I'm saying it. But I digress.

On 11/12/2010, at 9:53 AM, Peter Saint-Andre wrote:

> Is it time to start thinking about next-generation authentication
> technologies for HTTP?
> We all know that BASIC and DIGEST are ancient and crufty and lacking
> many features and security properties we might want, but there hasn't
> been much discussion about more modern approaches. Here are a few things
> I've found:
> 1. Way back in 2001, Keith Burdis wrote an I-D about upgrading to SASL
> within HTTP:
> 2. In 2007, Robert Sayre put together a few slides on the topic:
> 3. Yutaka Oiwa and his colleagues have been working on a protocol for
> mutual auth:
> Other than that, I'm not aware of much activity. What have I missed?
> Does it make sense to perhaps hold an exploratory BoF at the next IETF
> meeting (Prague, March 2011) to get people thinking about this topic?
> If you're interested, please discuss on the list:
> Thanks!
> Peter
> -- 
> Peter Saint-Andre
> _______________________________________________
> apps-discuss mailing list

Mark Nottingham