Re: Authentication over HTTP
Albert Lunde <atlunde@panix.com> Wed, 17 July 2013 11:06 UTC
Archived-At: <http://www.w3.org/mid/51E67A53.9020607@panix.com>
One area of previous work that may be relevant is Web-Single-Signon systems. These tend to rely on some unattractive mix of JavaScript, cookies, and other gimmicks to complete the authentication exchange, but they are representative of what people have tried to layer on top of HTTP/1.1 to replace Basic auth, and provide sessions of a sort. Shibboleth and CAS are notable examples using SAML and Kerberos respectively. It seems like there are use cases to delegate authentication to a trusted third-party and/or maintain sessions. There may be some mechanisms that HTTP/2.0 could support to make this easier, but it's a different question than just the framework used by Basic and Digest auth.