Re: Authentication over HTTP

"Adrien W. de Croy" <adrien@qbik.com> Mon, 15 July 2013 23:22 UTC

From: "Adrien W. de Croy" <adrien@qbik.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>, M Stefan <mstefanro@gmail.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Date: Mon, 15 Jul 2013 23:20:52 +0000
Archived-At: <http://www.w3.org/mid/emd15876f8-ce60-4304-a159-266e2aa9711f@bodybag>

For browser-based reverse proxy or serving I agree that current HTTP 
auth is next to useless.

However for forward proxying it is still useful and necessary.  And 
given we don't have TLS to proxy, then HTTP is the only possible layer 
for this.

Adrien


------ Original Message ------
From: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
To: "M Stefan" <mstefanro@gmail.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Sent: 15/07/2013 12:02:39 p.m.
Subject: Re: Authentication over HTTP
>In message <51E330F5.6050100@gmail.com>, M Stefan writes:
>
>>Nowadays, the only serious way of providing secure communications over
>>HTTP is using HTTPS. Many web hosts are reluctant to using it because
>>of the extra computational burden [...]
>
>I agree with you (if I understood your message right) that the
>current HTTP/1.1 authentication/password stuff is fundamentally
>useless and should not be carried into HTTP/2.0.
>
>I think HTTP/2.0 should make partial protection possible, (See my
>previous message :-) exactly so that the cost can be kept down.
>
>But I think that it would be a big mistake to involve HTTP/2.0 in
>the actual protection, to any extent further than to mark what needs
>protection and what does not.
>
>Authentication should happen either in the encrypting transport
>which moves HTTP/2.0 across (as in certificates and asymmetric crypto)
>or in the application transported inside HTTP/2.0 (as in most web-site
>login dialogs), but HTTP/2.0 itself should not get involved: It
>is the wrong layer.
>
>--
>Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
>phk@FreeBSD.ORG | TCP/IP since RFC 956
>FreeBSD committer | BSD since 4.3-tahoe
>Never attribute to malice what can adequately be explained by 
>incompetence.
>