Re: [apps-discuss] HTTP authentication: the next generation

Mark Nottingham <mnot@mnot.net> Fri, 10 December 2010 23:04 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <4D02AF81.6000907@stpeter.im>
Date: Sat, 11 Dec 2010 10:06:00 +1100
Message-Id: <52E9BD81-E64B-47DA-83FC-C820B15D8B18@mnot.net>
References: <4D02AF81.6000907@stpeter.im>
To: Peter Saint-Andre <stpeter@stpeter.im>
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, websec@ietf.org, "kitten@ietf.org" <kitten@ietf.org>, http-auth@ietf.org, saag@ietf.org, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Re: [apps-discuss] HTTP authentication: the next generation

There was a very well-attended and wide-ranging bar BoF in Vancouver, and lots of background discussion (/noise).

My impression at that point was that the use cases that people wanted to put into scope were so diverse, and the requirements so exacting, that it was a non-starter. 

That may still be the case, and I think that without a concrete target, starting the discussion again will ultimately just waste a lot of engineer hours*.

Having said that -- since we now have OAuth shaving off some of those use cases, it may be that a purely browsing-focused authentication mechanism might be able to get traction, provided we can get browser vendors on board (naturally). I'd expect them to instigate this, however.

Cheers,

* Waste, of course, is subjective. A cynical person would think that the opportunity cost of having a bunch of standards people working on something non-productive could, in the end, be a useful diversion. However, I'm not that person, because I'm not thinking it, I'm saying it. But I digress.
On 11/12/2010, at 9:53 AM, Peter Saint-Andre wrote:

> Is it time to start thinking about next-generation authentication
> technologies for HTTP?
> 
> We all know that BASIC and DIGEST are ancient and crufty and lacking
> many features and security properties we might want, but there hasn't
> been much discussion about more modern approaches. Here are a few things
> I've found:
> 
> 1. Way back in 2001, Keith Burdis wrote an I-D about upgrading to SASL
> within HTTP: http://tools.ietf.org/id/draft-burdis-http-sasl-00.txt
> 
> 2. In 2007, Robert Sayre put together a few slides on the topic:
> http://people.mozilla.com/~sayrer/2007/auth.html
> 
> 3. Yutaka Oiwa and his colleagues have been working on a protocol for
> mutual auth: http://tools.ietf.org/html/draft-oiwa-http-mutualauth-08
> 
> Other than that, I'm not aware of much activity. What have I missed?
> Does it make sense to perhaps hold an exploratory BoF at the next IETF
> meeting (Prague, March 2011) to get people thinking about this topic?
> 
> If you're interested, please discuss on the http-auth@ietf.org list:
> 
> https://www.ietf.org/mailman/listinfo/http-auth
> 
> Thanks!
> 
> Peter
> 
> -- 
> Peter Saint-Andre
> https://stpeter.im/
> 

--
Mark Nottingham   http://www.mnot.net/