Re: Authentication over HTTP
Nico Williams <nico@cryptonector.com> Wed, 17 July 2013 17:59 UTC
On Wed, Jul 17, 2013 at 1:50 AM, Amos Jeffries <squid3@treenet.co.nz> wrote:
> On 17/07/2013 6:33 p.m., David Morris wrote:
>> Oh, and no logout mechanism to cancel browser caching of credentials?
>
> In the stateless HTTP "login" is done by delivering credentials or
> requesting them. But how *do* you "logout" in a stateless protocol? Nobody
> (self included) has produced anything like a good proposal spec for
> resolving that problem AFAIS.

HTTP is stateless. The application protocol layered above HTTP needn't be,
and often isn't. Session state is almost always desired, though often with
the client storing the state on behalf of the server (via, e.g., encrypted
state cookies, like TLS session tickets) though there are trade-offs w.r.t.
replay protection.

Nico
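The client-held session state and its replay trade-off, as an added illustration that is not part of the thread: the server mints a self-contained state cookie and keeps nothing, so a "logout" that merely discards the cookie cannot stop a leaked copy from being accepted until it expires; only a server-side revocation set (state after all) can. The cookie format, the constructed key, and the use of an HMAC tag instead of full encryption (the replay property is identical) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-32-bytes-long!!"

def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))

def issue_state_cookie(user: str, now: int, ttl: int = 3600, key: bytes = SERVER_KEY) -> bytes:
    """Mint a self-contained session token; the server stores nothing."""
    state = {"sub": user, "iat": now, "exp": now + ttl, "sid": secrets.token_hex(8)}
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + b"." + _b64e(tag)

def verify_state_cookie(cookie: bytes, now: int, revoked: frozenset = frozenset(),
                        key: bytes = SERVER_KEY):
    """Return the session state, or None if the token is forged, expired or revoked."""
    try:
        enc_payload, enc_tag = cookie.split(b".")
        payload, tag = _b64d(enc_payload), _b64d(enc_tag)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time MAC check
        return None
    state = json.loads(payload)
    if now >= state["exp"]:
        return None
    if state["sid"] in revoked:                  # logout needs server-side state after all
        return None
    return state

def replay_after_logout(now: int = 1_000):
    """Client 'logout' by forgetting the cookie vs. server-side revocation.
    Returns (leaked copy accepted after client logout, accepted after revocation)."""
    cookie = issue_state_cookie("alice", now)
    leaked_copy = bytes(cookie)                  # e.g. left in a backup or shared browser
    # the client discards its cookie, but the server has no way to know that
    still_valid = verify_state_cookie(leaked_copy, now + 60) is not None
    revoked = frozenset({verify_state_cookie(cookie, now)["sid"]})
    after_revoke = verify_state_cookie(leaked_copy, now + 60, revoked) is not None
    return still_valid, after_revoke             # (True, False)
```

Short `ttl` values bound the replay window when a revocation set is not kept, which is the trade-off the message refers to.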