Re: [http-auth] Richard Barnes' Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)

Julian Reschke <julian.reschke@gmx.de> Fri, 09 January 2015 06:57 UTC

On 2015-01-08 02:01, Stephen Farrell wrote:
> ...
>> without impacting
>> anything else on the server.
>
> Where is that stated? Wouldn't that mean that using cookies after
> an HTTP auth somehow didn't conform? Wouldn't that be nonsense?
> (And possibly indicate an issue with 7235 but not HOBA.)
> ...

RFC 7235 is agnostic of cookies; it's a completely separate construct.

Furthermore, cookies are entirely OPTIONAL in HTTP, at least in theory.
If HOBA requires cookie support to make the HOBA HTTP authentication
work (does it?), it might make sense to say that clearly.

Best regards, Julian