Re: [http-auth] Quick review of draft-ietf-httpauth-rest-auth-01
Julian Reschke <julian.reschke@gmx.de> Thu, 07 November 2013 01:57 UTC
On 2013-11-06 08:29, Ilari Liusvaara wrote:
>> 1. Introduction
>>
>> We propose a pattern for HTTP [RFC2616] [TODO: add reference to
>> HTTP/2.0 as well?] authentication mechanisms that, by being
>> "RESTful", obtains these goals naturally.
>
> Reference for HTTP/2.0 would be draft-ietf-httpbis-http2

Please stop referencing RFC 2616. HTTPbis is past IETF LC.

>> 3.1. Negotiable Parameters
>>
>> 3.1.2. WWW-Authenticate Header Value Prefix Syntax
>>
>> For a DIGEST-like mechanism it might look like "WWW-Authenticate: RA-
>> Digest-SHA-256 tls-server-end-point session-ID no HE4SgWGrd/
>> 3+O7t16HqusA==". For example, the mechname for the Kerberos V5 GSS-
>> API mechanism might be "gss-krb5", and a WWW-Authenticate header
>> value for it might look like "WWW-Authenticate: RA-gss-krb5
>> http://foo.example/restauth-login tls-server-end-point channel-bound-
>> session-ID r=no".
>
> These examples don't look to conform to the grammar given (missing r=, s=,
> etc...)
> ...

Furthermore, the challenge does not conform to the grammar defined in
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-24.html#challenge.and.response>
(nor <http://greenbytes.de/tech/webdav/rfc2617.html#access.authentication.framework>).

Best regards, Julian
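The grammar point raised above can be checked mechanically. The following is an added example, not part of the original message or of either draft: it tests a single challenge against the `challenge` ABNF of RFC 7235, the published form of the httpbis p7 draft. The two draft strings are copied from the quoted text with their line wraps joined (an assumption about the intended value); the remaining samples are constructed.

```python
import re

# ABNF pieces from RFC 7230 / RFC 7235, written as regular expressions.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"
QUOTED = r'"(?:[\t \x21\x23-\x5B\x5D-\x7E\x80-\xFF]|\\[\t \x21-\x7E\x80-\xFF])*"'
AUTH_PARAM = rf"{TOKEN}[ \t]*=[ \t]*(?:{TOKEN}|{QUOTED})"
# Simplification (assumption of this example): empty list elements such as
# ",," that the list rule tolerates are not accepted here.
PARAM_LIST = rf"{AUTH_PARAM}(?:[ \t]*,[ \t]*{AUTH_PARAM})*"

# challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
CHALLENGE = re.compile(
    rf"(?P<scheme>{TOKEN})"
    rf"(?: +(?:(?P<t68>{TOKEN68})|(?P<params>{PARAM_LIST})))?"
)


def classify(challenge: str) -> str:
    """Return which form of the challenge grammar the value matches."""
    m = CHALLENGE.fullmatch(challenge)
    if m is None:
        return "nonconforming"
    if m.group("t68") is not None:
        return "token68"
    if m.group("params") is not None:
        return "auth-params"
    return "scheme-only"


# Header values quoted from the draft in the message (line wraps joined).
DRAFT_EXAMPLES = [
    "RA-Digest-SHA-256 tls-server-end-point session-ID no "
    "HE4SgWGrd/3+O7t16HqusA==",
    "RA-gss-krb5 http://foo.example/restauth-login tls-server-end-point "
    "channel-bound-session-ID r=no",
]

# Constructed samples, one per conforming form of the grammar.
CONSTRUCTED = ['Digest realm="example", qop=auth', "Negotiate YWJjZGVm", "Negotiate"]

if __name__ == "__main__":
    for value in DRAFT_EXAMPLES + CONSTRUCTED:
        print(f"{classify(value):14} {value}")
```

Both draft strings fail because a challenge allows either one token68 blob or a comma-separated list of name=value pairs after the scheme, not a run of space-separated words.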