HTTP2 Expression of Interest

Paul Hoffman <paul.hoffman@gmail.com> Fri, 13 July 2012 02:24 UTC

From: Paul Hoffman <paul.hoffman@gmail.com>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Subject: HTTP2 Expression of Interest
Archived-At: <http://www.w3.org/mid/CAPik8ybB-pzn8M3JVJJtpZK-DHEW8amsw_kjbLNQSNQ4dkjeLQ@mail.gmail.com>

Greetings again. I am not an implementer or a deployer. I am making
this statement of interest as Just Some Person. Please take these
comments in that light relative to those from implementers and
deployers.

Given what we know about users' inability to choose good passwords and
their lack of ability to use good passwords that are chosen for them,
it is incredibly important that a non-password authentication
mechanism be described for HTTP 2. Thus, I support HOBA or something
HOBA-like. The HOBA proposal as it stands has a lot of significant
issues, but the idea of portable origin-bound certificates for HTTP
clients is the correct way to do non-password authentication for HTTP.
draft-williams-rest-gss relies on GSSAPI, which has thin adoption even
after many years. draft-montenegro-httpbis-multilegged-auth is an
interesting way to get non-password authentication (and NTLM!) into
HTTP, but I suspect that not having a mandatory authentication
mechanism that is widely supported will mean that this document will
go unimplemented.

At least one password-based authentication mechanism should also be
standardized for HTTP 2. Of these, draft-oiwa-httpbis-mutualauth and
draft-oiwa-httpbis-auth-extension seem to solve more of the problems
with passwords than draft-melnikov-httpbis-scram-auth.

I am willing to contribute to and review proposals for non-password
authentication. I am willing to provide a bit of late review to a
password-based proposal.

--Paul Hoffman