IETF Logo Mail Archive

Re: Authentication over HTTP

Nico Williams <nico@cryptonector.com> Tue, 16 July 2013 06:28 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BC2B11E80E2 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 15 Jul 2013 23:28:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.024
X-Spam-Level:
X-Spam-Status: No, score=-6.024 tagged_above=-999 required=5 tests=[AWL=3.953, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uLNtjFnLGFqk for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 15 Jul 2013 23:28:06 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 8715111E80A2 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 15 Jul 2013 23:28:06 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Uyyjo-0005qM-Kw for ietf-http-wg-dist@listhub.w3.org; Tue, 16 Jul 2013 06:27:52 +0000
Resent-Date: Tue, 16 Jul 2013 06:27:52 +0000
Resent-Message-Id: <E1Uyyjo-0005qM-Kw@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <nico@cryptonector.com>) id 1Uyyjg-0005pR-3l for ietf-http-wg@listhub.w3.org; Tue, 16 Jul 2013 06:27:44 +0000
Received: from caiajhbdcaib.dreamhost.com ([208.97.132.81] helo=homiemail-a96.g.dreamhost.com) by maggie.w3.org with esmtp (Exim 4.72) (envelope-from <nico@cryptonector.com>) id 1Uyyjf-0001TB-D7 for ietf-http-wg@w3.org; Tue, 16 Jul 2013 06:27:44 +0000
Received: from homiemail-a96.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a96.g.dreamhost.com (Postfix) with ESMTP id 77EF03B805B for <ietf-http-wg@w3.org>; Mon, 15 Jul 2013 23:26:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=G0tNivuko3Dhrmj7j9mx ilBIdAU=; b=a2yrLRWkyeVkfIl1RH13ATVkmVX+LbbuRzKFfrpQZZsU7nuJkT5L qqJEQd5gJOMzyP3xKuhjV3hPOiyC2PRW4CZ4UisQretmzLEW17bzNfRxxhQFdD7u Yl8JO+b+Qsr3IesyiDkB67LLKTnRzrBscqlrcyQYPP4pBF7+4Li1M1o=
Received: from mail-wg0-f51.google.com (mail-wg0-f51.google.com [74.125.82.51]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a96.g.dreamhost.com (Postfix) with ESMTPSA id 1BB4E3B8059 for <ietf-http-wg@w3.org>; Mon, 15 Jul 2013 23:26:55 -0700 (PDT)
Received: by mail-wg0-f51.google.com with SMTP id e11so232812wgh.30 for <ietf-http-wg@w3.org>; Mon, 15 Jul 2013 23:26:54 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=00VzdMqGpjVWx8yPyZN+ev75K//f0fER7lNAv2dv2Q0=; b=LwAalfqXW/elSUq+BHSRfIwyFFPUwn0rq4TkPDnzcIrTqmCdTHJ0mmhEchxe0S1sza 056Q5AO1vSe4mgoEkWpERFYb58vl1wNONje0PjRp0b1TtSV0scSCLJ3e38j8IQBGBaMX LhmuOfErT4ZsL/+4+RdQkSP3OgF7NASnTQV+lwoi0vo+CpAyWBIVe3JQt+Nt1/KBH43e O069fKyfW6ykw4l0PgTekJ15lvqPdO+m27/cBYsrjg0JWPX7so2WRaMx2cimx6abrv8y fZfqllEFRzfn4TWBko5M/quNUvs4DBJpLwI8urKb4Q7Vy/iKiVqIXc9vi3g6MetWdcFS MD/w==
MIME-Version: 1.0
X-Received: by 10.180.74.197 with SMTP id w5mr11221815wiv.20.1373956014694; Mon, 15 Jul 2013 23:26:54 -0700 (PDT)
Received: by 10.217.38.138 with HTTP; Mon, 15 Jul 2013 23:26:54 -0700 (PDT)
In-Reply-To: <19433.1373846559@critter.freebsd.dk>
References: <51E330F5.6050100@gmail.com> <19433.1373846559@critter.freebsd.dk>
Date: Tue, 16 Jul 2013 01:26:54 -0500
Message-ID: <CAK3OfOjeOLDHbSpcwXd9SAzDqfigxaCsTZp7LXAD6R-2oCCgtw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: M Stefan <mstefanro@gmail.com>, ietf-http-wg@w3.org
Content-Type: text/plain; charset="UTF-8"
Received-SPF: none client-ip=208.97.132.81; envelope-from=nico@cryptonector.com; helo=homiemail-a96.g.dreamhost.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-3.449, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001
X-W3C-Scan-Sig: maggie.w3.org 1Uyyjf-0001TB-D7 6a26dba907451e3549ba3737a9fb6b87
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Authentication over HTTP
Archived-At: <http://www.w3.org/mid/CAK3OfOjeOLDHbSpcwXd9SAzDqfigxaCsTZp7LXAD6R-2oCCgtw@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/18798
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Sun, Jul 14, 2013 at 7:02 PM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> Authentication should happen either in the encrypting transport
> which moves HTTP/2.0 across (as in certificates and assymetric crypto)
> or in the application transported inside HTTP/2.0 (as in most web-site
> login dialogs), but HTTP/2.0 itself should not get involved:  It
> is the wrong layer.

I agree.  Thus my proposal for RESTful authentication (with channel
binding to TLS where available).  I don't believe user authentication
in TLS will work out too well (it hasn't so far, and there are reasons
why it should prove difficult; see my reply to Yoav's reply to
Stefan).

Nico
--

v2.14.0 | Report a Bug | By Email