Re: [http-auth] Richard Barnes' Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)

Richard Barnes <rlb@ipv.sx> Fri, 09 January 2015 08:27 UTC

In-Reply-To: <54AF7BB1.9070204@gmx.de>
References: <20150108002015.24345.3508.idtracker@ietfa.amsl.com> <54ADD6E9.2060200@cs.tcd.ie> <54AF7BB1.9070204@gmx.de>
Date: Fri, 09 Jan 2015 08:27:23 +0000
Message-ID: <CAL02cgSD1Q+Bjd6j=1DkuE6L7rh=nmFAOd+m1bbT=7JupzG5Uw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Julian Reschke <julian.reschke@gmx.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/Dv7JYCWmxni0ndmRQ4GXi8L7EtQ>
Cc: draft-ietf-httpauth-hoba.all@tools.ietf.org, http-auth@ietf.org, httpauth-chairs@tools.ietf.org, The IESG <iesg@ietf.org>
Subject: Re: [http-auth] Richard Barnes' Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)

On Fri, Jan 9, 2015 at 6:56 AM, Julian Reschke <julian.reschke@gmx.de>
wrote:

> On 2015-01-08 02:01, Stephen Farrell wrote:
>
>> ...
>>
>>> without impacting
>>> anything else on the server.
>>>
>>
>> Where is that stated? Wouldn't that mean that using cookies after
>> an HTTP auth somehow didn't conform? Wouldn't that be nonsense?
>> (And possibly indicate an issue with 7235 but not HOBA.)
>> ...
>>
>
> RFC 7235 is agnostic of cookies; it's a completely separate construct.
>
> Furthermore, cookies are entirely OPTIONAL in HTTP, at least in theory. If
> HOBA requires cookie support to make the HOBA HTTP authentication work
> (does it), it might make sense to say that clearly.
>
> Best regards, Julian
>

Julian,

Rather than cookies, my concern was that this authentication scheme isn't
scoped to the authenticating resource.  In addition to the authenticating
resource, the authentication process needs to have access to the resource
.well-known/hoba/register on the same host.  Does that cause you any
architectural concern?

I cleared because I felt like I could live with it for Experimental.  This
pattern would not fly with me for PS.

--Richard