Re: [http-auth] Richard Barnes' Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)

Barry Leiba <barryleiba@computer.org> Fri, 09 January 2015 07:15 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77DC11A86E6; Thu, 8 Jan 2015 23:15:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YgTX0v9vFROn; Thu, 8 Jan 2015 23:15:08 -0800 (PST)
Received: from mail-lb0-x235.google.com (mail-lb0-x235.google.com [IPv6:2a00:1450:4010:c04::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 043641A86DF; Thu, 8 Jan 2015 23:15:07 -0800 (PST)
Received: by mail-lb0-f181.google.com with SMTP id l4so6752748lbv.12; Thu, 08 Jan 2015 23:15:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=ZJBJhvSyEuMx5FpXmXnNZl0wCNIJXmUO/EJMOnBtpIA=; b=EhIvkNH35kNOxcFltH/BY4cCic1w5i2iGduR96Pt/CyAIQThYR+JUBSdxHrHOf6G5f r70bOD9gDIyXiIjq1rUDmu6j9JDgxkadDs4nx8aDTJvR99Kfv7FSoJJkfow26mUPtbqo 2DCRNIHz6esL0BRgglXEJPi4OGCoGtxOPSo6e7+LRswEtNvhZV1LljnMiClpQ4X1CMJK QyrSAHAg1riaSqKi+arsoQYCDKRGELcbKwzf17AHkc+DTWqV10sGD2vQz+WXrVp/Cre1 5pjJ6lPx6DqYenE1TyIOCeEUnMPDjCNSzkDfHrXMGWZ1TIoaN3LgWgwqS3d3/kX6T7S2 0uSg==
MIME-Version: 1.0
X-Received: by 10.152.44.193 with SMTP id g1mr19685883lam.15.1420787706176; Thu, 08 Jan 2015 23:15:06 -0800 (PST)
Sender: barryleiba@gmail.com
Received: by 10.152.127.168 with HTTP; Thu, 8 Jan 2015 23:15:06 -0800 (PST)
In-Reply-To: <54AF7BB1.9070204@gmx.de>
References: <20150108002015.24345.3508.idtracker@ietfa.amsl.com> <54ADD6E9.2060200@cs.tcd.ie> <54AF7BB1.9070204@gmx.de>
Date: Fri, 09 Jan 2015 15:15:06 +0800
X-Google-Sender-Auth: SLuJ4OdMAavqEEdCZzAVkKT6kW4
Message-ID: <CALaySJKYpcOmx02HJ=oZSKgn1jtNOROK1a5KaDg4KGx3swx6qA@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Julian Reschke <julian.reschke@gmx.de>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/SHlRUbUYFcs3Lmt48MvQxH398Hc>
Cc: "httpauth-chairs@tools.ietf.org" <httpauth-chairs@tools.ietf.org>, Richard Barnes <rlb@ipv.sx>, "draft-ietf-httpauth-hoba.all@tools.ietf.org" <draft-ietf-httpauth-hoba.all@tools.ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [http-auth] Richard Barnes' Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jan 2015 07:15:10 -0000

> Furthermore, cookies are entirely OPTIONAL in HTTP, at least in theory. If
> HOBA requires cookie support to make the HOBA HTTP authentication work (does
> it), it might make sense to say that clearly.

It doesn't, and I think it says *that* clearly.  That is, it says that
cookies can be used, and are typically used, but nowhere that they're
required.

Without cookies, I believe the client would have to re-send the
challenge-response with each request, until the challenge expires
(max-age), after which it would receive and handle a new challenge.
Cookies make things more convenient and save overhead.

Barry
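A toy model of the two flows Barry describes (added here as an illustration; it is not code from the HOBA draft or from anyone in this thread). The real HOBA signature is a public-key signature over a to-be-signed blob, and the real header grammar is richer than what is parsed below; in this model an HMAC under a key registered at enrolment stands in for the signature, the header shapes are simplified, and the origin, key id and key material are constructed values. What the model exercises is the point of the message: a client without a cookie re-signs and re-sends the same challenge on every request until max-age runs out, then receives and handles a fresh challenge, whereas a client that is given a cookie signs once.

```python
"""Stateless vs. cookie-backed challenge reuse, modelled on the HOBA flow.
Assumptions: HMAC stands in for the public-key signature; header syntax is
simplified; all names and keys are constructed for the example."""
import hashlib
import hmac
import secrets


def sign(key, origin, kid, challenge, nonce):
    # Stand-in for the origin-bound signature: binds origin, key id,
    # server challenge and a fresh client nonce together.
    tbs = ".".join([origin, kid, challenge, nonce]).encode()
    return hmac.new(key, tbs, hashlib.sha256).hexdigest()


class HobaServer:
    def __init__(self, origin, max_age=60, issue_cookies=False):
        self.origin = origin
        self.max_age = max_age            # challenge lifetime in seconds
        self.issue_cookies = issue_cookies
        self.keys = {}                    # kid -> enrolment key (stand-in for public key)
        self.challenges = {}              # challenge -> time it was issued
        self.sessions = {}                # cookie value -> kid

    def enrol(self, kid, key):
        self.keys[kid] = key

    def _new_challenge(self, now):
        chal = secrets.token_urlsafe(16)  # urlsafe alphabet: never contains "."
        self.challenges[chal] = now
        return {"status": 401,
                "WWW-Authenticate": f'HOBA challenge="{chal}", max-age={self.max_age}'}

    def handle(self, headers, now):
        if headers.get("Cookie") in self.sessions:
            return {"status": 200}        # cookie short-circuits the signature check
        auth = headers.get("Authorization", "")
        if auth.startswith("HOBA "):
            kid, chal, nonce, sig = auth[5:].split(".")
            issued = self.challenges.get(chal)
            fresh = issued is not None and now - issued < self.max_age
            key = self.keys.get(kid)
            if fresh and key is not None and hmac.compare_digest(
                    sig, sign(key, self.origin, kid, chal, nonce)):
                resp = {"status": 200}
                if self.issue_cookies:
                    cookie = secrets.token_urlsafe(16)
                    self.sessions[cookie] = kid
                    resp["Set-Cookie"] = cookie
                return resp
        return self._new_challenge(now)   # missing, stale or bad proof: re-challenge


class HobaClient:
    def __init__(self, kid, key, origin):
        self.kid, self.key, self.origin = kid, key, origin
        self.challenge = self.expires = self.cookie = None
        self.signatures = 0               # how many times the client had to sign
        self.challenges_seen = 0          # how many distinct challenges it received

    def _parse_challenge(self, header, now):
        fields = dict(p.strip().split("=", 1) for p in header[5:].split(","))
        self.challenge = fields["challenge"].strip('"')
        self.expires = now + int(fields["max-age"])
        self.challenges_seen += 1

    def _authorization(self):
        nonce = secrets.token_urlsafe(8)
        self.signatures += 1
        sig = sign(self.key, self.origin, self.kid, self.challenge, nonce)
        return f"HOBA {self.kid}.{self.challenge}.{nonce}.{sig}"

    def get(self, server, now):
        headers = {}
        if self.cookie:
            headers["Cookie"] = self.cookie
        elif self.challenge and now < self.expires:
            headers["Authorization"] = self._authorization()  # reuse live challenge
        resp = server.handle(headers, now)
        if resp["status"] == 401:         # no or expired challenge: take the new one
            self._parse_challenge(resp["WWW-Authenticate"], now)
            resp = server.handle({"Authorization": self._authorization()}, now)
        if "Set-Cookie" in resp:
            self.cookie = resp["Set-Cookie"]
        return resp["status"]


def simulate(use_cookies, requests=10, step=15, max_age=60):
    """Issue `requests` GETs `step` seconds apart; report signing/challenge counts."""
    origin, kid, key = "https://example.test", "kid1", b"constructed-enrolment-key"
    server = HobaServer(origin, max_age, issue_cookies=use_cookies)
    server.enrol(kid, key)
    client = HobaClient(kid, key, origin)
    statuses = [client.get(server, i * step) for i in range(requests)]
    return {"all_ok": all(s == 200 for s in statuses),
            "signatures": client.signatures,
            "challenges": client.challenges_seen}


if __name__ == "__main__":
    print("without cookies:", simulate(False))  # 10 signatures, 3 challenges
    print("with cookies:   ", simulate(True))   # 1 signature, 1 challenge
```

With ten requests fifteen seconds apart and a 60-second max-age, the cookie-less client signs on every request and sees a fresh challenge at t=0, t=60 and t=120; the cookie-backed client signs exactly once. Both the client's "still live?" test and the server's freshness test use the same `now - issued < max_age` boundary, which is what keeps the client from presenting a challenge the server has already stopped accepting.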