IETF Logo Mail Archive

Re: RFC2616 vs RFC2617, was: Straw-man charter for http-bis

"tom.petch" <cfinss@dial.pipex.com> Thu, 14 June 2007 11:01 UTC

Return-path: <discuss-bounces@apps.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Hyn5I-00035F-Bq; Thu, 14 Jun 2007 07:01:48 -0400
Received: from discuss by megatron.ietf.org with local (Exim 4.43) id 1Hyn5G-000355-P7 for discuss-confirm+ok@megatron.ietf.org; Thu, 14 Jun 2007 07:01:46 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Hyn5G-00034x-Fh for discuss@apps.ietf.org; Thu, 14 Jun 2007 07:01:46 -0400
Received: from galaxy.systems.pipex.net ([62.241.162.31]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Hyn5F-0008PB-3W for discuss@apps.ietf.org; Thu, 14 Jun 2007 07:01:46 -0400
Received: from pc6 (1Cust10.tnt2.lnd4.gbr.da.uu.net [62.188.131.10]) by galaxy.systems.pipex.net (Postfix) with SMTP id CB93DE000B5B; Thu, 14 Jun 2007 12:01:37 +0100 (BST)
Message-ID: <031901c7ae6a$68e12360$0601a8c0@pc6>
From: "tom.petch" <cfinss@dial.pipex.com>
To: "Adrien de Croy" <adrien@qbik.com>
References: <BA772834-227A-4C1B-9534-070C50DF05B3@mnot.net><392C98BA-E7B8-44ED-964B-82FC48162924@mnot.net><6AE049B9045C00064222693F@[10.1.110.5]><p06240871c28dd59e7371@[10.20.30.108]><46682BC9.9050504@gmx.de> <46682E06.7030603@cs.utk.edu><46682FC5.5030204@gmx.de> <20070608081032.GA12039@nic.fr><8FEE5444-50F1-4575-9AA3-626C2A03474C@mnot.net> <466F1B3B.3040409@qbik.com>
Subject: Re: RFC2616 vs RFC2617, was: Straw-man charter for http-bis
Date: Thu, 14 Jun 2007 11:29:42 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 82c9bddb247d9ba4471160a9a865a5f3
Cc: Apps Discuss <discuss@apps.ietf.org>, ietf-http-wg@w3.org
X-BeenThere: discuss@apps.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: "tom.petch" <cfinss@dial.pipex.com>
List-Id: general discussion of application-layer protocols <discuss.apps.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@apps.ietf.org?subject=unsubscribe>
List-Post: <mailto:discuss@apps.ietf.org>
List-Help: <mailto:discuss-request@apps.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@apps.ietf.org?subject=subscribe>
Errors-To: discuss-bounces@apps.ietf.org

<inline>
Tom Petch

----- Original Message -----
From: "Adrien de Croy" <adrien@qbik.com>
To: "Mark Nottingham" <mnot@mnot.net>
Cc: "Apps Discuss" <discuss@apps.ietf.org>rg>; <ietf-http-wg@w3.org>
Sent: Wednesday, June 13, 2007 12:16 AM
Subject: Re: RFC2616 vs RFC2617, was: Straw-man charter for http-bis

>
> my experience also is that it is extremely rare to encounter public web
> servers that use any HTTP auth mechanism.
>
> NTLM and Basic auth is often used for intranets, and proxy access.
>
> I've never seen an instance of Digest auth.
>
> Seems to me that the issue of securing communications and authenticating
> or identifying parties are closely aligned, why not just have some form
> of auth built into TLS, then we could use it for any protocol that can
> use TLS, instead of having to implement separate auth schemes for every
> higher protocol.
>
TLS can do that but it does not gel with the way in which (many) organisations
are structured.  Those responsible for security, for security credentials and
their maintenance, do not want to be ferreting around in the depths of a network
stack, they prefer working at application and database level, a point that has
already been alluded to in this thread.

The solution I like to this is channel bindings, as promoted by Nico Williams,
where a weakly authenticated tunnel is set up and then stronger
authentication - which can rely on the strong encryption which is now in place -
is performed via it, eg at application level in the stack.

>
> Mark Nottingham wrote:
> >
> > On 08/06/2007, at 6:10 PM, Stephane Bortzmeyer wrote:
> >
> >> On Thu, Jun 07, 2007 at 06:18:13PM +0200,
> >>  Julian Reschke <julian.reschke@gmx.de> wrote
> >>  a message of 14 lines which said:
> >>
> >>> In the wild, most authentication isn't using RFC2617 anyway.
> >>
> >> Any data here? IMHO, this assertion is not true, unless you limit to
> >> big e-commerce Web sites. For instance, HTTP-based Web services use
> >> 2617.
> >
> > My experience is that it isn't adequate for even those purposes, in
> > many cases.
> >
> > --
> > Mark Nottingham     http://www.mnot.net/

v2.8.7 | Report a Bug | By Email