IETF Logo Mail Archive

Re: RFC2616 vs RFC2617, was: Straw-man charter for http-bis

lists@ingostruck.de Fri, 08 June 2007 12:25 UTC

Return-path: <discuss-bounces@apps.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HwdWq-0000SQ-AG; Fri, 08 Jun 2007 08:25:20 -0400
Received: from discuss by megatron.ietf.org with local (Exim 4.43) id 1HwQ5O-0002m3-JO for discuss-confirm+ok@megatron.ietf.org; Thu, 07 Jun 2007 18:04:06 -0400
Received: from discuss by megatron.ietf.org with local (Exim 4.43) id 1HwQ5O-0002lv-A7 for discuss@apps.ietf.org; Thu, 07 Jun 2007 18:04:06 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HwQ4i-0002fq-6W for discuss@apps.ietf.org; Thu, 07 Jun 2007 18:03:24 -0400
Received: from dsl.ingostruck.de ([85.183.48.31] helo=neo.rs) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1HwQ4g-0007zf-KN for discuss@apps.ietf.org; Thu, 07 Jun 2007 18:03:24 -0400
Received: (qmail 2185 invoked by uid 500); 7 Jun 2007 23:14:13 -0000
From: lists@ingostruck.de
To: Henrik Nordstrom <henrik@henriknordstrom.net>
Subject: Re: RFC2616 vs RFC2617, was: Straw-man charter for http-bis
Date: Thu, 7 Jun 2007 23:14:11 +0000
User-Agent: KMail/1.8.2
References: <BA772834-227A-4C1B-9534-070C50DF05B3@mnot.net> <6AE049B9045C00064222693F@[10.1.110.5]> <1181250794.24162.109.camel@henriknordstrom.net>
In-Reply-To: <1181250794.24162.109.camel@henriknordstrom.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-6"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200706072314.13575.lists@ingostruck.de>
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 7aafa0432175920a4b3e118e16c5cb64
X-TMDA-Confirmed: Thu, 07 Jun 2007 18:04:06 -0400
X-Mailman-Approved-At: Fri, 08 Jun 2007 08:25:18 -0400
Cc: Apps Discuss <discuss@apps.ietf.org>, Mark Nottingham <mnot@mnot.net>, Chris Newman <Chris.Newman@sun.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
X-BeenThere: discuss@apps.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: general discussion of application-layer protocols <discuss.apps.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@apps.ietf.org?subject=unsubscribe>
List-Post: <mailto:discuss@apps.ietf.org>
List-Help: <mailto:discuss-request@apps.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@apps.ietf.org?subject=subscribe>
Errors-To: discuss-bounces@apps.ietf.org

Henrik,

> There is imho three primary reasons why Digest has not gained much
> foothold, neither being security.
>
> a) Implementation rather complex, with few if any implementation getting
> it entirely right..
>
> b) It's inability to integrate well with existing authentication
> frameworks on the server side.
>
> c) UA integration, or web site owners requiring control over the login
> process beyond a standard "login+password" dialog.
I think that you got that perfectly right.
My opinion is, that a) could be improved by a strictly editorial revision
of RFC2617 while c) requires substantial revision of the contents.
I do not consider b) to be a problem of the spec but of the implementors.
For me it seems that the real obstacle for RFC2617's popularity is c). 

People just seem to insist on having their authentication procedure in the 
"look-and-feel" they want it to be and concrete-cast it into their
HTML/flash/whatever-content (even though that may seem to be a silly idea
from a usability point of view).

Maybe a solution just like rfc2388 could be suitable here.
Needed is a well-defined way to interact between the application
and the protocol -- the only difference here is, that the auth stuff
needs to interact with the HTTP header, while the form submission stuff
needed/needs to interact with the HTTP POST body.
I guess that a similar "bridge" could be a solution for the problem.

Of course that would need interaction with HTML, e.g. it would need
the introduction of 
<input type="authuser" /> together with <input type="authpass" />
or the like, which are defined to have their contents be passed on
to a well-defined HTTP-Auth scheme.

It could even be done without the need to (substantially) change the
HTML spec, e.g. by reserving special form element ids for that purpose,
lets say
<input type="text" id="authuser" />
<input type="password" id="authpass" />
or the like.

Having that said I would tend to use a double tracked approach:
- editorial revision of rfc2617 to make existing impls
  or new impls that have to interact with them happy
- simultaneously develop a "completely new" scheme that does
  not have the fundamental deficiency of being unable to interact
  with the "application layer"

Kind regards

Ingo Struck

v2.8.7 | Report a Bug | By Email