Re: [apps-discuss] [http-auth] [websec] [saag] HTTP authentication: the next generation

"Henry B. Hotz" <> Mon, 13 December 2010 23:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2B3B028C0D8; Mon, 13 Dec 2010 15:02:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NaTpeSJZroRq; Mon, 13 Dec 2010 15:02:08 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id D13563A6E1A; Mon, 13 Dec 2010 15:02:08 -0800 (PST)
Received: from ( []) (authenticated (0 bits)) by (Switch-3.4.3/Switch-3.4.3) with ESMTP id oBDN3T2I012748 (using TLSv1/SSLv3 with cipher AES128-SHA (128 bits) verified NO); Mon, 13 Dec 2010 15:03:30 -0800
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset="us-ascii"
From: "Henry B. Hotz" <>
In-Reply-To: <>
Date: Mon, 13 Dec 2010 15:03:29 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <p06240809c928635499e8@> <> <>
To: Ben Laurie <>
X-Mailer: Apple Mail (2.1081)
X-Source-IP: []
X-AUTH: Authorized
X-Mailman-Approved-At: Tue, 14 Dec 2010 08:58:03 -0800
Cc: "" <>, "" <>, Yoav Nir <>, websec <>, Paul Hoffman <>, "" <>, Yaron Sheffer <>, "" <>, "" <>, Hannes Tschofenig <>, " Group" <>
Subject: Re: [apps-discuss] [http-auth] [websec] [saag] HTTP authentication: the next generation
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Dec 2010 23:02:10 -0000

On Dec 13, 2010, at 4:08 AM, Ben Laurie wrote:

> On 11 December 2010 23:10, Yoav Nir <> wrote:
>> TLS client certificates work, but as we've learned both with the web and with IPsec clients, people would much rather not use them. A few IETFs ago (Chicago?), a bunch of us tried to push the idea of TLS with EAP authentication.
> I think what we've learnt is that we need to provide good UI and
> portability if we want people to use them.

I think it's a "complete system" problem.

You need a decent UI paradigm (not just a GUI), a respectable means of issuing/deploying them, a respectable means of storing them for use by multiple applications, and APIs and hooks that make them as easy to develop with as cookies.  Also all the capability needs to already be in place, so there's no "plug-in installation" or equivalent.

By "respectable" I mean something a security expert won't laugh at, which doesn't also violate the UI paradigm.

For all the people who say that we don't have to have perfect security, or we need to support http:, not just https:, I respectfully claim that you're off base.  We don't need *more* less-than-secure mechanisms.  We need actually-secure mechanisms that real people can actually use.

TLS with client certs qualifies as "actually-secure" (as would TLS with draft-williams..sasl..04).  Wouldn't we be better off putting our energy into making it actually-usable, than in starting from scratch?
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government., or