Re: [http-auth] WGLC on the MutualAuth drafts

大岩寛 <> Tue, 05 July 2016 04:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C6AC912B02B for <>; Mon, 4 Jul 2016 21:24:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3UWqpsBAueXu for <>; Mon, 4 Jul 2016 21:24:23 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1B5DE12D0B4 for <>; Mon, 4 Jul 2016 21:24:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=ivE9qS1G/ihyRp+eANoHRqpAayz+zQjgJVAcwaSUFeo=; b=WPCVYngyEZUFQYjj/Tonmifk+K6LwP4YdaC0xWU+qRoH9HzEDHe49hNosZSiNI+d/mSZv90Fe+ocGe5JzQYbaz/BGJnKQOihw76SSo3UJtfbMK3MhIUfGFYWmCklRQdev5P/kxpbX8OQjIE7nIiHkb1ZTkz/o/fnRZ4ZxAMVXuQ=
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.1.534.14; Tue, 5 Jul 2016 04:24:19 +0000
Received: from ([]) by ([]) with mapi id 15.01.0534.015; Tue, 5 Jul 2016 04:24:19 +0000
From: 大岩寛 <>
To: Julian Reschke <>, Yoav Nir <>, httpauth mailing list <>
Thread-Topic: [http-auth] WGLC on the MutualAuth drafts
Thread-Index: AQHRuENrc1e38ZKqGkCihIB/WT6FWZ/vH9GAgBpU3/A=
Date: Tue, 05 Jul 2016 04:24:19 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-office365-filtering-correlation-id: 58a28af5-fc08-4bcb-b340-08d3a48c3be4
x-microsoft-exchange-diagnostics: 1; TY1PR01MB0585; 6:SK8goANn6y5VallodpQqfdpzmGrqOFkW8jsKq+SvIVDUHwUV6Lna0IJmZu/s18/hLltbbiq+xZDDz7M2X7S+PDief+Nw62XBoWaUen+zBm/qKtm5tTCqFp3yJ/yUpfAGyLsYozCoqCK+N2rLMuqdR7ZiruOZsAAVP7AkonOAOd9aUgU6XriDmKiYRuo0bzydyNsemQCKMTK0wajs9fQx68uAPIY912QJOx+Y3xDClmjfby7nQpsNGo88epnR4Q1KzDbWPcZCslVK4sJbOw5kJFpC0KPs0nGniGbmHuw1pNNnDv/ogEotV7SwCaxJoZYlZ3YG+kbGZ+S1kPujDCCVCA==; 5:5sHyEn775hyKdaFpyAFQRzdL4XRjH02BdQ0XTJmjkXc+9d5ElzfaVcfjVBFf0miftQ0is7kDu5Ly8eKY31Ha5ytKyGDiKZUPU98ZanL26/y71SgfUdULoHIjUHgkei3lqBWHiyE4ues4cqV2isnc7A==; 24:s5xlebG6w/64/zh4t5S30nEYulHNP3m3HVZD8ya1V7c0LRScIzmYeCK7Oi+r4A1lnMoLgpuolhtAOg/GTb7VEZdHuE3TEcVK/1NiSimZC8g=; 7:w6cfLlCe+z4bRROhghU5rfi6id/LDkqxcenPcmHGlunIdNSiRDhzM9ZbpyC9AuuG1+1BFj1Lzz7EvTnkJYxsuwOsMmKjTt4bwcs4rYAbXyxu/a8ndllUIBRkl1nH2KPaG5lwoHXe6m2zelKHQaVwxWd1aDU+SZF3urDGG7AbGkW820pEjtS38IGz0+FuhEchUBc9ifQzoTm+azy08Necahm7b93LKuzRuZ4Vn+1iyJl18lFIXncPSf7MmZCtRcc5
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:TY1PR01MB0585;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(275740015457677);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026); SRVR:TY1PR01MB0585; BCL:0; PCL:0; RULEID:; SRVR:TY1PR01MB0585;
x-forefront-prvs: 0994F5E0C5
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(45984002)(51444003)(199003)(69234005)(189002)(74482002)(5002640100001)(97736004)(106356001)(106116001)(105586002)(3280700002)(3660700001)(189998001)(107886002)(8936002)(92566002)(3846002)(74316002)(305945005)(102836003)(6116002)(586003)(85182001)(77096005)(87936001)(68736007)(15975445007)(7846002)(101416001)(86362001)(2950100001)(2900100001)(9686002)(66066001)(7696003)(7736002)(5003600100003)(11100500001)(10400500002)(19580395003)(2906002)(5001770100001)(19580405001)(76576001)(122556002)(8676002)(54356999)(76176999)(81166006)(81156014)(50986999)(8666005)(33656002)(7059030); DIR:OUT; SFP:1101; SCL:1; SRVR:TY1PR01MB0585;; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-2022-jp"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Jul 2016 04:24:19.5381 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 18a7fec8-652f-409b-8369-272d9ce80620
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TY1PR01MB0585
Archived-At: <>
Subject: Re: [http-auth] WGLC on the MutualAuth drafts
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: HTTP authentication methods <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 05 Jul 2016 04:24:26 -0000

Dear Julian,

Thank you very much for very valuable comments.
I reflected most of your comments into the draft and
the draft is now on
I'll submit it to IETF around tomorrow.

About three points which seems important...

> b) this introduces a syntax for private extensions that is awfully similar to
> the "x-" convention that we just deprecated a few years ago...

I'm of course aware of the discussion on "x-dash-considered-harmful", and
the current specification carefully follows the practice defined in
RFC6648 (BCP178).  In particular, it treats domain-based keywords
"just as a namespace", which is similar to the SSH algorithm specifiers.
The revised draft clarifies that the "official" extensions can also use
domain-based keywords if they want.
("x-" is especially considered harmful when it requires to 
 handle them specially, differently from non-x things.)

I think that, as an extension point, it is important for
developers to easily deploy their experimental ideas to try.
Another idea is to lower the IANA registry barrier to just
"first-come-first-serve", but it may let IANA process many trivial
(almost garbage-like) registrations.

> I'm not totally convinced that a new header field is needed here? Is
> there a reason why sending "WWW-Authenticate" with a 2xx response
> wouldn't work?
> (And yes, we probably discussed this several times already, but it would
> be good to summarize the outcome over here)

I'll add some text regarding this.

> FYI: I'm in the process of revising RFC 5987, and that ABNF production
> is going to be removed. Seems we need to coordinate here.

Can you tell us some more detail about this?
May be we also need to coordinate with the Chairs about the scheduling.

Yutaka OIWA, Ph.D.       Leader, Cyber Physical Architecture Research Group
                                  Information Technology Research Institute
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <>, <>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]