Re: Authentication over HTTP

Amos Jeffries <> Wed, 17 July 2013 06:02 UTC

Date: Wed, 17 Jul 2013 17:59:39 +1200
From: Amos Jeffries <>

On 17/07/2013 5:34 a.m., Nico Williams wrote:
> On Tue, Jul 16, 2013 at 7:54 AM, Amos Jeffries <> wrote:
>> *Every single claim* that HTTP-auth is broken and needs re-designing seems
>> to me to be based on the flawed assumption that HTTP-auth is not extensible
>> and that the common existing schemes are the only ones HTTP permits. Or that
>> somehow a user authenticating with N different and fragile mechanisms for
>> one transaction is a good thing (I rather disagree, the UX on that would be
>> tricky and implementation nightmares).
> That's either a strawman or you misunderstood the arguments against
> doing authentication in HTTP.  It's not that "HTTP auth is broken",
> but that HTTP is the *wrong layer* -- that's not because HTTP or HTTP
> auth is broken, but because properties of the stack of protocols
> spoken make HTTP auth a problematic proposition.
> BTW, I've not seen any arguments about N different mechanisms (fragile
> or not) being a problem.

Maybe I have been misunderstanding some of them. But the auth proposals 
I've seen in the last few years all seem to fall into three brackets 
with regards to their claims about HTTP:

1) "HTTP auth is broken". Aka "do it all in payload entities and have 
HTTP endpoints interpret those" ... Well, so what? Payload format is not 
HTTP. Good luck, but go away and do it at a different layer.

2) "HTTP auth is broken". Aka the headers don't let me log in user X to 
proxy A and proxy B at the same time, in the same chain, with different 
credentials all controlled by user X ... seems to be making a few wrong 
assumptions about how HTTP works there. Go away and do (1) instead; the 
user-application has a lot more control over end-to-end pathways in the 
application layer.

3) "HTTP auth is broken". Aka it's missing a scheme to do mechanism Z ... 
and we do see these followed by specs to do Z in HTTP. But none of them 
are exactly replacing the existing HTTP mechanism design, just extending 
it as it was intended to be extended.

What am I missing?