IETF Logo Mail Archive

Re: Authentication over HTTP

Amos Jeffries <squid3@treenet.co.nz> Wed, 17 July 2013 06:51 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B74121F9C82 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 16 Jul 2013 23:51:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.273
X-Spam-Level:
X-Spam-Status: No, score=-10.273 tagged_above=-999 required=5 tests=[AWL=-0.274, BAYES_00=-2.599, J_CHICKENPOX_35=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ud-teIIKPYcS for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 16 Jul 2013 23:51:41 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 0D14721F8438 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 16 Jul 2013 23:51:41 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UzLZh-0003nD-D4 for ietf-http-wg-dist@listhub.w3.org; Wed, 17 Jul 2013 06:50:57 +0000
Resent-Date: Wed, 17 Jul 2013 06:50:57 +0000
Resent-Message-Id: <E1UzLZh-0003nD-D4@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <squid3@treenet.co.nz>) id 1UzLZX-0003ls-H8 for ietf-http-wg@listhub.w3.org; Wed, 17 Jul 2013 06:50:47 +0000
Received: from ip-58-28-153-233.static-xdsl.xnet.co.nz ([58.28.153.233] helo=treenet.co.nz) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <squid3@treenet.co.nz>) id 1UzLZW-00039C-Fd for ietf-http-wg@w3.org; Wed, 17 Jul 2013 06:50:47 +0000
Received: from [192.168.1.218] (ip202-27-218-168.satlan.co.nz [202.27.218.168]) by treenet.co.nz (Postfix) with ESMTP id 24AA4E6F66 for <ietf-http-wg@w3.org>; Wed, 17 Jul 2013 18:50:23 +1200 (NZST)
Message-ID: <51E63EAA.8050606@treenet.co.nz>
Date: Wed, 17 Jul 2013 18:50:18 +1200
From: Amos Jeffries <squid3@treenet.co.nz>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: ietf-http-wg@w3.org
References: <CE0AD74C.22464%Josh.Howlett@ja.net> <51E5428D.7010008@treenet.co.nz> <CAK3OfOg9JZbcnZhHSNrfSViNeV+wyctwYzSKhXpjGf3f_gP+VQ@mail.gmail.com> <51E632CB.9010107@treenet.co.nz> <alpine.LRH.2.01.1307162329540.26279@egate.xpasc.com>
In-Reply-To: <alpine.LRH.2.01.1307162329540.26279@egate.xpasc.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=58.28.153.233; envelope-from=squid3@treenet.co.nz; helo=treenet.co.nz
X-W3C-Hub-Spam-Status: No, score=-3.1
X-W3C-Hub-Spam-Report: AWL=-3.104, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1UzLZW-00039C-Fd 5c17a6adb8c21f0b07f32c12efe60857
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Authentication over HTTP
Archived-At: <http://www.w3.org/mid/51E63EAA.8050606@treenet.co.nz>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/18818
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 17/07/2013 6:33 p.m., David Morris wrote:
>
> On Wed, 17 Jul 2013, Amos Jeffries wrote:
>
>> On 17/07/2013 5:34 a.m., Nico Williams wrote:
>>> On Tue, Jul 16, 2013 at 7:54 AM, Amos Jeffries wrote:
>>>> *Every single claim* that HTTP-auth is broken and needs re-designing seems
>>>> to me to be based on the flawed assumption that HTTP-auth is not
>>>> extensible
>>>> and that the common existing schemes are the only ones HTTP permits. Or
>>>> that
>>>> somehow a user authenticating with N different and fragile mechanisms for
>>>> one transaction is a good thing (I rather disagree, the UX on that would
>>>> be
>>>> tricky and implementation nightmares).
>>> That's either a strawman or you misunderstood the arguments against
>>> doing authentication in HTTP.  It's not that "HTTP auth is broken",
>>> but that HTTP is the *wrong layer* -- that's not because HTTP or HTTP
>>> auth is broken, but because properties of the stack of protocols
>>> spoken make HTTP auth a problematic proposition.
>>>
>>> BTW, I've not see any arguments about N different mechanisms (fragile
>>> or not) being a problem.
>> Maybe I have been misunderstanding some of them. But the auth proposals I've
>> seen in the last few years all seem to fall into three brackets with regards
>> to their claims about HTTP:
>>
>> 1) "HTTP auth is broken". Aka "do it all in payload entities and have HTTP
>> endpoints interpret those" ... well so what? payload format is not HTTP. Good
>> luck but go away and do it at a different layer.
>>
>> 2) "HTTP auth is broken". Aka the headers dont let me login user X to proxy A
>> and proxy B at the same time, in the same chain, with different credentials
>> all controlled by user X ... seem to be making a few wrong assumptions about
>> how HTTP works there. Go away and do (1) instead the user-application ha sa
>> lot more control over end-to-end pathways in application layer.
>>
>> 3) "HTTP auth is broken". Aka its missing a scheme to do mechanism Z ... and
>> we do see these followed by specs to do Z in HTTP. But none of them are
>> exactly replacing the existing HTTP mechanism design, just extending it as it
>> was intended to be extended.
>>
>> What am I missing?
> How about the user experience sucks because the authentication doesn't fit
> into the style/face of the application and doesn't provide sufficient user
> context for the prompts generated by the auth mechanicanism so the
> application owners design and implement their own approach?

  HTTP provides key=value parameters on the mechanism headers for that 
kind of thing. What can't be expresed as such comes under #1, 
application layer problem. For example, how in heck is HTTP or any 
protocol going to enforce "thou shalt have no password longer than S 
characters long" when the protocol never sees the password at all? or 
similar *GUI* restrictions.

>   Oh, and no
> logout mechanism to cancel browser caching of credentials?

In the stateless HTTP "login" is done by delivering credentials or 
requesting them. But how *do* you "logout" in a stateless protocol? 
Nobody (self included) has produced anything like a good proposal spec 
for resolving that problem AFAIS.

Amos

v2.23.0 | Report a Bug | By Email