Re: Authentication over HTTP

Josh Howlett <Josh.Howlett@ja.net> Tue, 16 July 2013 10:06 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95DAB11E8276 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 16 Jul 2013 03:06:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.474
X-Spam-Level:
X-Spam-Status: No, score=-6.474 tagged_above=-999 required=5 tests=[AWL=4.125, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sySRvjhWY+wg for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 16 Jul 2013 03:06:05 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id F001F11E8294 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 16 Jul 2013 03:06:00 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Uz28I-0000dy-3j for ietf-http-wg-dist@listhub.w3.org; Tue, 16 Jul 2013 10:05:22 +0000
Resent-Date: Tue, 16 Jul 2013 10:05:22 +0000
Resent-Message-Id: <E1Uz28I-0000dy-3j@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <Josh.Howlett@ja.net>) id 1Uz289-0000dA-GF for ietf-http-wg@listhub.w3.org; Tue, 16 Jul 2013 10:05:13 +0000
Received: from egw002.ukerna.ac.uk ([194.81.3.65]) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <Josh.Howlett@ja.net>) id 1Uz283-0004kx-QF for ietf-http-wg@w3.org; Tue, 16 Jul 2013 10:05:13 +0000
Received: from egw002.ukerna.ac.uk (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 187B320C7505_1E51AB9B; Tue, 16 Jul 2013 10:04:41 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk (exc001.atlas.ukerna.ac.uk [193.62.83.37]) by egw002.ukerna.ac.uk (Sophos Email Appliance) with ESMTP id D99AE20C70FE_1E51AB8F; Tue, 16 Jul 2013 10:04:40 +0000 (GMT)
Received: from EXC001.atlas.ukerna.ac.uk ([193.62.83.37]) by EXC001 ([193.62.83.37]) with mapi id 14.02.0247.003; Tue, 16 Jul 2013 11:04:40 +0100
From: Josh Howlett <Josh.Howlett@ja.net>
To: Nico Williams <nico@cryptonector.com>, Yoav Nir <ynir@checkpoint.com>
CC: M Stefan <mstefanro@gmail.com>, "<ietf-http-wg@w3.org>" <ietf-http-wg@w3.org>
Thread-Topic: Authentication over HTTP
Thread-Index: AQHOgOhFIv/GZF/4yE24IkQII2BfbJllPPAAgAGKsICAAE5MgA==
Date: Tue, 16 Jul 2013 10:04:40 +0000
Message-ID: <CE0AD74C.22464%Josh.Howlett@ja.net>
In-Reply-To: <CAK3OfOjtoUXxiypXGEZv+VBRHuC3VAF3TGivU0siFy7nycOhvg@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.5.130515
x-originating-ip: [194.82.140.76]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <3568873389BC624E87DEAA0497E04077@ukerna.ac.uk>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Received-SPF: none client-ip=194.81.3.65; envelope-from=Josh.Howlett@ja.net; helo=egw002.ukerna.ac.uk
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-3.450
X-W3C-Scan-Sig: lisa.w3.org 1Uz283-0004kx-QF 6d0554d0340125e57ba47e6f227a59af
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Authentication over HTTP
Archived-At: <http://www.w3.org/mid/CE0AD74C.22464%25Josh.Howlett@ja.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/18802
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

>
>That leaves only the application layer as the best suited for
>authentication of identities (and/or resolution to attributes) that
>the service needs for authorization (or even in the other direction).
>This, I know, is a bit of a controversial opinion.  My proposal is
>here: http://tools.ietf.org/html/draft-williams-http-rest-auth-01
>(ah, I need to submit the WG version).

I agree with this analysis. No single mechanism will meet every need. It
is more important that HTTP has the agility to allow different mechanisms
on a per-application basis, while maintaining a consistent presentation to
users and application developers (as Nico's proposal allows). Binding
specific mechanisms to the protocol, as in HTTP/1.1, would be an error IMO.

Josh.


Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238