Re: [http-auth] FW: New Version Notification for draft-woodworth-json-http-auth-00.txt

"Woodworth, John R" <> Sun, 05 March 2017 21:10 UTC

> -----Original Message-----
> From: Julian Reschke []
> On 2017-03-03 10:16, Woodworth, John R wrote:
> > All,
> >
> > I understand this is late to the party but was hoping some of you
> > may have time to review our new draft.  We welcome any questions,
> > comments and assistance from the group.
> > ...
> Hi there,
> a few formal nits:
> - please don't put "httpauth" on the front page if the draft isn't
> a Working Group draft - that said, *do* add a note to the front page
> with instructions where to send feedback (this list is fine for that)

Hi Julian,

First, thank you for looking at our draft and for your comments; we are
very excited to have feedback so quickly.

We understand listing the intended WG is premature and it will be
removed as suggested.

> - your IPR statement looks weird:
> > This document may contain material from IETF Documents or IETF
> > Contributions published or made publicly available before November 10,
> > 2008.

Again, thank you.

This is an oversight and was mistakenly left in from another draft we
are working on.  It will be removed in our next release.

> - registering a whole set of auth schemes isn't going to fly; please
> also consider removing the somewhat weird pipe characters from
> the scheme name...

This draft is currently experimental but intended to be somewhat of
an umbrella for a "class" of schemes.  We understand this may be
different than currently available schemes but it is something which
makes ours different.  Any advice you have for registering a scheme
"class" would be appreciated.

The pipe is rather critical to the draft as it is used as an
"indicator" for intent.  As I understand it, it is a legal character
and was chosen for another project we are working on as others were
unavailable to the scheme name.  We are rather happy with the way
it is currently working in our implementation and felt it would be
a good idea to share our solution with an even larger community.

It (the pipe) is used to indicate our scheme "class" and allow for
scripts in the browser to offer authentication ahead of the built-in
logic offered by the browser.  For example, if one tries to implement
the "Basic" scheme in a script providing a pretty themed page, it
will undoubtedly be rudely intercepted by the browser via an ugly
login popup without any scripting or theming capabilities.  Our
draft hopes to offer an alternate path.

We debated taking it (the pipe) out of some of the titles and
references but the protocol chaining feature we are introducing
relies on it in order to properly function.

Thanks again,

> Best regards, Julian
