Re: draft-ietf-httpbis-http2-01, "4.2.3 Authentication"

"Nicolas Mailhot" <nicolas.mailhot@laposte.net> Wed, 06 March 2013 15:24 UTC

Message-ID: <f2d283415da2064c13e3329a3092eb3d.squirrel@arekh.dyndns.org>
In-Reply-To: <51375345.5040003@gmx.de>
References: <51365743.5030409@gmx.de> <loom.20130306T142826-187@post.gmane.org> <51375345.5040003@gmx.de>
Date: Wed, 06 Mar 2013 16:22:18 +0100
From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Nicolas Mailhot <nicolas.mailhot@laposte.net>, ietf-http-wg@w3.org
Subject: Re: draft-ietf-httpbis-http2-01, "4.2.3 Authentication"
Archived-At: <http://www.w3.org/mid/f2d283415da2064c13e3329a3092eb3d.squirrel@arekh.dyndns.org>

On Wed 6 March 2013 15:31, Julian Reschke wrote:
> On 2013-03-06 14:52, Nicolas Mailhot wrote:
>> Hi,
>>
>> Unless I've missed something, the draft as it stands does not answer the
>> following questions:
>> ...
>> Surely, HTTP2-FL can do better than this
>
> It seems to me that all you said applies to HTTP/1.1 as well.

Sure, however HTTP/1.1 does not include all the streaming/framing
infrastructure that begs to be used to resolve this issue. It seems to me
that it only arose because HTTP/1 was "too simple" to cope with such uses.

> My
> understanding was that how authentication works should be orthogonal to
> the HTTP message format, and thus whatever needs to be fixed should be
> fixed for both message formats.

Actually, basic auth over ssl is good enough now for most uses. No need to
invent new auth schemes. What's not good enough is transporting the
credential to the intermediary. And that is more an HTTP transport problem
than an http-auth WG problem IMHO. Also, you need to keep some
relationship between the intermediated streams and the associated auth, so
it can't be solved without some protocol support (or, you end up
authorising client IPs, which sucks from a security point of view, and is
not reliable when the client's connection to the network switches from wifi
to wire to whatever else is going to exist in the future).

> As such, I would expect this to be
> material for the new http-auth WG.

Honestly, I think that at this point in time, fixing it in HTTP/1 would be
nice but should not block fixing it in HTTP/2. I doubt any fix in HTTP/1
would be picked up by HTTP/1 intermediary manufacturers without major
revving-up, which will make 'fixed HTTP/1 intermediary' as expensive as
'working-by-default HTTP/2'. So most intermediary users will go the HTTP/2
intermediary route anyway (as long as major browsers support HTTP/2 and
HTTP/2 allows HTTP/2-intermediary to HTTP/1 site use).

So the priority should be *not* to propagate this HTTP/1 problem to
HTTP/2, and have it just work in HTTP/2 by default.

(I know intermediary issues have been a pain to SPDY proponents, but
intermediaries would be enthusiastic adopters of HTTP/2 if it solved their
HTTP/1 problems. And since intermediaries are centralised by nature,
they're much easier to redeploy than changing countless web sites to use
HTTP/2)

Best regards,

-- 
Nicolas Mailhot