Re: Authentication over HTTP

David Morris <dwm@xpasc.com> Wed, 17 July 2013 06:34 UTC

Date: Tue, 16 Jul 2013 23:33:22 -0700
From: David Morris <dwm@xpasc.com>
To: 'HTTP Working Group' <ietf-http-wg@w3.org>
In-Reply-To: <51E632CB.9010107@treenet.co.nz>
Message-ID: <alpine.LRH.2.01.1307162329540.26279@egate.xpasc.com>
References: <CE0AD74C.22464%Josh.Howlett@ja.net> <51E5428D.7010008@treenet.co.nz> <CAK3OfOg9JZbcnZhHSNrfSViNeV+wyctwYzSKhXpjGf3f_gP+VQ@mail.gmail.com> <51E632CB.9010107@treenet.co.nz>
Subject: Re: Authentication over HTTP
Archived-At: <http://www.w3.org/mid/alpine.LRH.2.01.1307162329540.26279@egate.xpasc.com>

On Wed, 17 Jul 2013, Amos Jeffries wrote:

> On 17/07/2013 5:34 a.m., Nico Williams wrote:
> > On Tue, Jul 16, 2013 at 7:54 AM, Amos Jeffries <squid3@treenet.co.nz> wrote:
> > > *Every single claim* that HTTP-auth is broken and needs re-designing seems
> > > to me to be based on the flawed assumption that HTTP-auth is not extensible
> > > and that the common existing schemes are the only ones HTTP permits. Or that
> > > somehow a user authenticating with N different and fragile mechanisms for
> > > one transaction is a good thing (I rather disagree, the UX on that would be
> > > tricky and implementation nightmares).
> > That's either a strawman or you misunderstood the arguments against
> > doing authentication in HTTP.  It's not that "HTTP auth is broken",
> > but that HTTP is the *wrong layer* -- that's not because HTTP or HTTP
> > auth is broken, but because properties of the stack of protocols
> > spoken make HTTP auth a problematic proposition.
> > 
> > BTW, I've not see any arguments about N different mechanisms (fragile
> > or not) being a problem.
> 
> Maybe I have been misunderstanding some of them. But the auth proposals I've
> seen in the last few years all seem to fall into three brackets with regards
> to their claims about HTTP:
> 
> 1) "HTTP auth is broken". Aka "do it all in payload entities and have HTTP
> endpoints interpret those" ... well so what? Payload format is not HTTP. Good
> luck but go away and do it at a different layer.
> 
> 2) "HTTP auth is broken". Aka the headers don't let me login user X to proxy A
> and proxy B at the same time, in the same chain, with different credentials
> all controlled by user X ... seem to be making a few wrong assumptions about
> how HTTP works there. Go away and do (1) instead; the user-application has a
> lot more control over end-to-end pathways in the application layer.
> 
> 3) "HTTP auth is broken". Aka it's missing a scheme to do mechanism Z ... and
> we do see these followed by specs to do Z in HTTP. But none of them are
> exactly replacing the existing HTTP mechanism design, just extending it as it
> was intended to be extended.
> 
> What am I missing?

How about the user experience sucks because the authentication doesn't fit
into the style/face of the application and doesn't provide sufficient user
context for the prompts generated by the auth mechanism so the
application owners design and implement their own approach? Oh, and no
logout mechanism to cancel browser caching of credentials?
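The extensibility point Amos makes in (3), that a new mechanism is just another scheme carried in the same challenge framework, is easiest to see on the wire: a server may list several challenges in one WWW-Authenticate header and a client picks the first scheme it supports. The parser below is an added illustration written for this archive page, not code from the working group or from any of the participants. It follows the challenge grammar of RFC 7235 (auth-scheme, optional token68, comma-separated auth-params) and the input header values, including the `Newauth` scheme and the token68 blob, are constructed samples.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 7230 token characters and RFC 7235 token68 shape.
TOKEN_CHARS = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
TOKEN_RE = re.compile(rf"^{TOKEN_CHARS}$")
TOKEN68_RE = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")
# auth-param = token BWS "=" BWS ( token / quoted-string )
PARAM_RE = re.compile(rf'^({TOKEN_CHARS})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN_CHARS}))$')


@dataclass
class Challenge:
    scheme: str                      # lower-cased; scheme names are case-insensitive
    token68: Optional[str] = None    # e.g. a Negotiate/Bearer blob with no params
    params: Dict[str, str] = field(default_factory=dict)


def split_list(value: str) -> List[str]:
    """Split a header value on commas that are outside quoted strings."""
    items, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch); escaped = False; continue
        if quoted and ch == "\\":
            buf.append(ch); escaped = True; continue
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(buf)); buf = []; continue
        buf.append(ch)
    items.append("".join(buf))
    return [i.strip() for i in items if i.strip()]


def _add_param(ch: Challenge, text: str) -> None:
    m = PARAM_RE.match(text)
    if not m:
        raise ValueError(f"malformed auth-param: {text!r}")
    name = m.group(1).lower()
    if name in ch.params:
        raise ValueError(f"duplicate auth-param {name!r} in {ch.scheme} challenge")
    # Quoted-string: drop the quotes and resolve backslash escapes.
    value = re.sub(r"\\(.)", r"\1", m.group(2)) if m.group(2) is not None else m.group(3)
    ch.params[name] = value


def parse_challenges(header: str) -> List[Challenge]:
    """Parse a WWW-Authenticate / Proxy-Authenticate value into challenges.

    A list element that starts with a bare token followed by whitespace (or
    nothing) opens a new challenge; an element of the form name=value continues
    the current one. This is what lets an unknown scheme ride alongside the
    well-known ones without any change to the framework.
    """
    challenges: List[Challenge] = []
    for item in split_list(header):
        parts = item.split(None, 1)
        head, rest = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if TOKEN_RE.match(head) and not rest.startswith("="):
            ch = Challenge(scheme=head.lower())
            challenges.append(ch)
            if rest:
                if PARAM_RE.match(rest):
                    _add_param(ch, rest)
                elif TOKEN68_RE.match(rest):
                    ch.token68 = rest
                else:
                    raise ValueError(f"malformed challenge: {item!r}")
        elif challenges:
            _add_param(challenges[-1], item)
        else:
            raise ValueError(f"auth-param before any scheme: {item!r}")
    return challenges


def pick_challenge(challenges: List[Challenge], supported: List[str]) -> Optional[Challenge]:
    """Return the first server-offered challenge whose scheme the client implements."""
    wanted = [s.lower() for s in supported]
    return next((c for c in challenges if c.scheme in wanted), None)


if __name__ == "__main__":
    # Constructed header: an unregistered scheme listed before Basic.
    hdr = 'Newauth realm="apps", type=1, title="Login to \\"apps\\"", Basic realm="simple"'
    for c in parse_challenges(hdr):
        print(c)
    print("client choice:", pick_challenge(parse_challenges(hdr), ["Basic", "Digest"]))
```

Feeding the parser a header with a scheme it has never heard of does not break parsing; the client simply skips that challenge in `pick_challenge`, which is the behaviour the framework was designed for. Note that the parser addresses only the challenge syntax, not the separate point raised above about browsers caching credentials with no protocol-level logout.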