Re: [apps-discuss] [saag] HTTP authentication: the next generation
Yoav Nir <ynir@checkpoint.com> Sat, 11 December 2010 23:14 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: apps-discuss@core3.amsl.com
Delivered-To: apps-discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C6BDD3A6CF7; Sat, 11 Dec 2010 15:14:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.364
X-Spam-Level:
X-Spam-Status: No, score=-9.364 tagged_above=-999 required=5 tests=[AWL=1.235, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2a-6pFCQ27YO; Sat, 11 Dec 2010 15:14:20 -0800 (PST)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by core3.amsl.com (Postfix) with ESMTP id 94A583A6D09; Sat, 11 Dec 2010 15:14:19 -0800 (PST)
X-CheckPoint: {4D040629-0-1B221DC2-2FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id oBBNFrmj001961; Sun, 12 Dec 2010 01:15:53 +0200
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Sun, 12 Dec 2010 01:15:52 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: websec <websec@ietf.org>, Peter Saint-Andre <stpeter@stpeter.im>
Date: Sun, 12 Dec 2010 01:15:51 +0200
Thread-Topic: [saag] HTTP authentication: the next generation
Thread-Index: AcuZiVq4ANG3mfypQUiHj/vOrV2Hpw==
Message-ID: <5C0D484C-682B-4B7B-B7EA-DFC78ADA3ED4@checkpoint.com>
References: <4D02AF81.6000907@stpeter.im> <p06240809c928635499e8@[10.20.30.150]> <ADDEC353-8DE6-408C-BC75-A50B795E2F6C@checkpoint.com>
In-Reply-To: <ADDEC353-8DE6-408C-BC75-A50B795E2F6C@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Sun, 12 Dec 2010 08:17:34 -0800
Cc: "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Re: [apps-discuss] [saag] HTTP authentication: the next generation
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Dec 2010 23:14:20 -0000
resending with less recipients... On Dec 12, 2010, at 1:10 AM, Yoav Nir wrote: > > On Dec 11, 2010, at 1:09 AM, Paul Hoffman wrote: > >> At 3:53 PM -0700 12/10/10, Peter Saint-Andre wrote: >>> Other than that, I'm not aware of much activity. What have I missed? >> >> TLS client certificates. > > TLS client certificates work, but as we've learned both with the web and with IPsec clients, people would much rather not use them. A few IETFs ago (Chicago?), a bunch of us tried to push the idea of TLS with EAP authentication. > > http://tools.ietf.org/html/draft-nir-tls-eap > > At the time, the TLS working group (and an AD) told us that this would contradict the applicability statement of EAP, so no, you cannot use EAP for anything other than network access. > > Now we have the abfab working group, so I don't think this still holds. > > Also, I agree with Marsh, that authentication is not enough, and you need the rest of TLS anyway. > > So yes, I think that it is time to resurrect HTTP authentication. > > Yoav > >
- Re: [apps-discuss] HTTP authentication: the next … Mark Nottingham
- [apps-discuss] HTTP authentication: the next gene… Peter Saint-Andre
- Re: [apps-discuss] [saag] HTTP authentication: th… Paul Hoffman
- Re: [apps-discuss] [kitten] HTTP authentication: … Nicolas Williams
- Re: [apps-discuss] [saag] HTTP authentication: th… Henry B. Hotz
- Re: [apps-discuss] [websec] HTTP authentication: … Marsh Ray
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Josh Howlett
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Alexey Melnikov
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Josh Howlett
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Luke Howard
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Yaron Sheffer
- Re: [apps-discuss] [saag] HTTP authentication: th… Yoav Nir
- Re: [apps-discuss] [saag] HTTP authentication: th… Yoav Nir
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Yoav Nir
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Yoav Nir
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Alexey Melnikov
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Eliot Lear
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Roy T. Fielding
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Dave Cridland
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Dave Cridland
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Eliot Lear
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Carsten Bormann
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Eliot Lear
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Dave Cridland
- Re: [apps-discuss] [websec] HTTP authentication: … Julian Reschke
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Adrien de Croy
- Re: [apps-discuss] [saag] [kitten] HTTP authentic… Alan DeKok
- Re: [apps-discuss] [websec] [saag] HTTP authentic… Ben Laurie
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Dave Raggett
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Marsh Ray
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Tim Morgan
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Yaron Sheffer
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Yoav Nir
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Yoav Nir
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Yoav Nir
- Re: [apps-discuss] [http-auth] [websec] [saag] [k… Henry B. Hotz
- Re: [apps-discuss] [http-auth] [websec] [saag] HT… Henry B. Hotz
- Re: [apps-discuss] [websec] [saag] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Nicolas Williams
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Nicolas Williams
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Steven Bellovin
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … John C Klensin
- Re: [apps-discuss] [http-auth] [websec] HTTP auth… Tim Morgan
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … John C Klensin
- Re: [apps-discuss] [saag] [kitten] HTTP authentic… Joel Jaeggli
- Re: [apps-discuss] [http-auth] [saag] [websec] [k… Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … der Mouse
- Re: [apps-discuss] [http-auth] [saag] [websec] [k… der Mouse
- Re: [apps-discuss] [http-auth] [saag] [websec] [k… Tim
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Adrien de Croy
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Nathan
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Adrien de Croy
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Josh Howlett
- Re: [apps-discuss] [websec] [saag] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Jeffrey Hutzelman
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Ben Laurie
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … David Morris
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Robert Sayre
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Tim
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [websec] [saag] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … der Mouse
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Blaine Cook
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [http-auth] [saag] [websec] [k… Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Blaine Cook
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Blaine Cook
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Theodore Tso