Re: Straw-man charter for http-bis -- call for errata/clarifications to 2617

[Cyrus Daboo <cyrus@daboo.name>]

Hi Robert,

--On May 31, 2007 1:28:39 AM -0400 Robert Sayre <sayrer@gmail.com> wrote:

> My feeling is that the current schemes can be updated by documenting
> the internationalization behavior of popular implementations, but
> nothing else is worth doing.

I disagree. I think we need to go a lot further. My suggestion would be to 
throw away 2617 as-is, and instead do something more akin to the SASL 
document set, i.e. a "framework" document describing the general issues of 
http authentication that lays out the ground-work for the existing 
http-based auth schemes, plus documents other auth schemes in use 
(form-based, cookie-based etc). We then have separate documents for each of 
the http-based schemes basic and digest - and we should add Kerberos/SPNEGO 
to that too. Having those as separate documents will make updates in the 
future an easier process. If we want to document other types in more detail 
(as proposed or informational) that could be done too.

I would also like to see the "webmail" (proxying credentials though a 
web-app to some back end service) issue dealt with too - ideally with the 
Kerberos mechanism as a basis (and others too that make sense).

I think all that is a lot more work than just a quick rev of 2617. Given 
that it involves a lot of security there will be a need to have the direct 
participation of the Security area folks. They are less likely to be 
interested in the minutiae of 2616bis though. So I think separate working 
groups would be better because of the different cross-area participation 
requirements.

-- 
Cyrus Daboo