IETF Logo Mail Archive

Re: Authentication over HTTP

Nico Williams <nico@cryptonector.com> Tue, 16 July 2013 17:35 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C6CC11E80D5 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 16 Jul 2013 10:35:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.169
X-Spam-Level:
X-Spam-Status: No, score=-6.169 tagged_above=-999 required=5 tests=[AWL=3.808, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dI3laMiCAjBI for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 16 Jul 2013 10:34:56 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id B220D21E8054 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 16 Jul 2013 10:34:56 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Uz990-0005R3-5u for ietf-http-wg-dist@listhub.w3.org; Tue, 16 Jul 2013 17:34:34 +0000
Resent-Date: Tue, 16 Jul 2013 17:34:34 +0000
Resent-Message-Id: <E1Uz990-0005R3-5u@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <nico@cryptonector.com>) id 1Uz98r-0005QC-TL for ietf-http-wg@listhub.w3.org; Tue, 16 Jul 2013 17:34:25 +0000
Received: from caiajhbdcbhh.dreamhost.com ([208.97.132.177] helo=homiemail-a86.g.dreamhost.com) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <nico@cryptonector.com>) id 1Uz98r-0006LN-4r for ietf-http-wg@w3.org; Tue, 16 Jul 2013 17:34:25 +0000
Received: from homiemail-a86.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTP id 300F136006D for <ietf-http-wg@w3.org>; Tue, 16 Jul 2013 10:34:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=adfFV3pt0SrNEVcOrfJm bHnf9NE=; b=lRXAmcW2KEy3ff4Opy39mfXxImrAUU1MiVyO7G1uIhkfEYcDlZSG i1wpVMzcoe1ZR2bOGHvUaOl0KxWai3XffQnSgORE1iOJV0IPbrpJgLXyufo+PiB1 CfVXZ9+V3ng9JsJ9dao0toL7kALd+w+sTVwweV+U34gGf9X2MviXDB0=
Received: from mail-we0-f180.google.com (mail-we0-f180.google.com [74.125.82.180]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTPSA id CE64736006A for <ietf-http-wg@w3.org>; Tue, 16 Jul 2013 10:34:03 -0700 (PDT)
Received: by mail-we0-f180.google.com with SMTP id w56so902251wes.11 for <ietf-http-wg@w3.org>; Tue, 16 Jul 2013 10:34:02 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=iXbReB0ZYGcWMx1wbQ8hyVJ3A2qlVy63Z9J0z6v0mBM=; b=NMvQQXjLK9hlbjGucikb65KgAlhpqKYBxEwIRCbfWkBIe+VvDOROMZAkvm4XzFuJaS w+9KQyp/4vBAzcBWPAtEtrA4NHn8dFYNeHKD3MIFEH3JZ2QnA8ivUacE7MbM138uKSpi GCCOrrHv+8Z/ySmnHP9oFicX+YDL9OiJwSIBuDwiKuhK3mh3kF6jp9g08qv/fkgzbPVb BQ21V4IefIn1KFIDlnQWjjxKuTaTf5Kc4R0h1IyAW3953p8axZh8ctsUeqsYgD8lVWi5 NQwwZkhzYYsT+x47tQ+8NKE11J96O40f7h/nBaz/2YGVDnFzU614xomBPLVV0Qaq8FYy DqLw==
MIME-Version: 1.0
X-Received: by 10.194.240.169 with SMTP id wb9mr1940043wjc.90.1373996042468; Tue, 16 Jul 2013 10:34:02 -0700 (PDT)
Received: by 10.217.38.138 with HTTP; Tue, 16 Jul 2013 10:34:02 -0700 (PDT)
In-Reply-To: <51E5428D.7010008@treenet.co.nz>
References: <CE0AD74C.22464%Josh.Howlett@ja.net> <51E5428D.7010008@treenet.co.nz>
Date: Tue, 16 Jul 2013 12:34:02 -0500
Message-ID: <CAK3OfOg9JZbcnZhHSNrfSViNeV+wyctwYzSKhXpjGf3f_gP+VQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Amos Jeffries <squid3@treenet.co.nz>
Cc: ietf-http-wg@w3.org
Content-Type: text/plain; charset="UTF-8"
Received-SPF: none client-ip=208.97.132.177; envelope-from=nico@cryptonector.com; helo=homiemail-a86.g.dreamhost.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-3.449, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001
X-W3C-Scan-Sig: lisa.w3.org 1Uz98r-0006LN-4r 1ff7ed398fb710e47dfcc9ba8d6d846a
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Authentication over HTTP
Archived-At: <http://www.w3.org/mid/CAK3OfOg9JZbcnZhHSNrfSViNeV+wyctwYzSKhXpjGf3f_gP+VQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/18815
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Tue, Jul 16, 2013 at 7:54 AM, Amos Jeffries <squid3@treenet.co.nz> wrote:
> *Every single claim* that HTTP-auth is broken and needs re-designing seems
> to me to be based on the flawed assumption that HTTP-auth is not extensible
> and that the common existing schemes are the only ones HTTP permits. Or that
> somehow a user authenticating with N different and fragile mechanisms for
> one transaction is a good thing (I rather disagree, the UX on that would be
> tricky and implementation nightmares).

That's either a strawman or you misunderstood the arguments against
doing authentication in HTTP.  It's not that "HTTP auth is broken",
but that HTTP is the *wrong layer* -- that's not because HTTP or HTTP
auth is broken, but because properties of the stack of protocols
spoken make HTTP auth a problematic proposition.

BTW, I've not see any arguments about N different mechanisms (fragile
or not) being a problem.

Nico
--

v2.23.0 | Report a Bug | By Email