IETF Logo Mail Archive

Re: Authentication over HTTP

Nico Williams <nico@cryptonector.com> Wed, 17 July 2013 18:02 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83AD021F9C53 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 17 Jul 2013 11:02:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.307
X-Spam-Level:
X-Spam-Status: No, score=-6.307 tagged_above=-999 required=5 tests=[AWL=3.670, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A3DUF88YcDX2 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 17 Jul 2013 11:02:10 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id B502921F9AD6 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 17 Jul 2013 11:02:10 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UzW2e-0004wU-2Z for ietf-http-wg-dist@listhub.w3.org; Wed, 17 Jul 2013 18:01:32 +0000
Resent-Date: Wed, 17 Jul 2013 18:01:32 +0000
Resent-Message-Id: <E1UzW2e-0004wU-2Z@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <nico@cryptonector.com>) id 1UzW2V-0004dL-FE for ietf-http-wg@listhub.w3.org; Wed, 17 Jul 2013 18:01:23 +0000
Received: from caiajhbdccah.dreamhost.com ([208.97.132.207] helo=homiemail-a36.g.dreamhost.com) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <nico@cryptonector.com>) id 1UzW2U-0007fl-6G for ietf-http-wg@w3.org; Wed, 17 Jul 2013 18:01:23 +0000
Received: from homiemail-a36.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a36.g.dreamhost.com (Postfix) with ESMTP id 2F6A477805F for <ietf-http-wg@w3.org>; Wed, 17 Jul 2013 11:01:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=ea4qlM9dnDXgQdsiWC/c i6jSLUQ=; b=RvG2fPiG9lUsd1rFcM678DIASs2j9BqBSzH0wEo5HJ5VKRzZiJ66 eyZxjphDQk7BZ+WuLZhiJXybsANrFUieN8tgzieUlodXSGjgalK2CJj7MbIIhh4A FHsgJc8RvWNIUw6DabCot3pr0zWMy1yPDsuaEvFE7APWp8jhsoudZAY=
Received: from mail-wg0-f41.google.com (mail-wg0-f41.google.com [74.125.82.41]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a36.g.dreamhost.com (Postfix) with ESMTPSA id C6C08778057 for <ietf-http-wg@w3.org>; Wed, 17 Jul 2013 11:01:00 -0700 (PDT)
Received: by mail-wg0-f41.google.com with SMTP id y10so5006405wgg.0 for <ietf-http-wg@w3.org>; Wed, 17 Jul 2013 11:00:59 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=VvB2sYdNeRNNEejv3zdL/Tu1a0OcttlznMplQUC4Gmk=; b=ZnQMb7N3kVean7wPg+9CD4lY7Uor1APTWWZRvKN2tXYH1CZrQuY236yVIsr9/4L5sc TM0sESA43jdJy+R+1xCxWDCAscKxBPjK6DxWnic9rDqwY6BmMNde326mCnWfb9gsga/k mqq0v9nkrfqVkibJjZY43Br7jqgc0pw0tgEpqC6SN5lxNIiqSXbrsASiTW6xSDWrtTmd bGhk6GU6wL33c7ICQmeFin6N6a8ndqaMQOt7GZs475wlO2SufHoGJmCuOV8WMGXlUneP 0yh2C16/HVXtu7BO68mwNfKxrduC/xWKM02QLTeVbbWcuOOynHioHg5FjiwNKgQrL9uM cooQ==
MIME-Version: 1.0
X-Received: by 10.180.185.176 with SMTP id fd16mr5538195wic.20.1374084059437; Wed, 17 Jul 2013 11:00:59 -0700 (PDT)
Received: by 10.217.38.138 with HTTP; Wed, 17 Jul 2013 11:00:59 -0700 (PDT)
In-Reply-To: <51E632CB.9010107@treenet.co.nz>
References: <CE0AD74C.22464%Josh.Howlett@ja.net> <51E5428D.7010008@treenet.co.nz> <CAK3OfOg9JZbcnZhHSNrfSViNeV+wyctwYzSKhXpjGf3f_gP+VQ@mail.gmail.com> <51E632CB.9010107@treenet.co.nz>
Date: Wed, 17 Jul 2013 13:00:59 -0500
Message-ID: <CAK3OfOhci7-uNWsSG-54WH1GVkPRVivPdX6eiGmokL-=9paBzw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Amos Jeffries <squid3@treenet.co.nz>
Cc: ietf-http-wg@w3.org
Content-Type: text/plain; charset="UTF-8"
Received-SPF: none client-ip=208.97.132.207; envelope-from=nico@cryptonector.com; helo=homiemail-a36.g.dreamhost.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-3.449, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001
X-W3C-Scan-Sig: lisa.w3.org 1UzW2U-0007fl-6G 8f5dfdb638abe188dc05aadfbbac0378
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Authentication over HTTP
Archived-At: <http://www.w3.org/mid/CAK3OfOhci7-uNWsSG-54WH1GVkPRVivPdX6eiGmokL-=9paBzw@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/18833
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Wed, Jul 17, 2013 at 12:59 AM, Amos Jeffries <squid3@treenet.co.nz> wrote:
> On 17/07/2013 5:34 a.m., Nico Williams wrote:
>> On Tue, Jul 16, 2013 at 7:54 AM, Amos Jeffries <squid3@treenet.co.nz>
>> wrote:
>>> *Every single claim* that HTTP-auth is broken and needs re-designing
>>> seems
>>> to me to be based on the flawed assumption that HTTP-auth is not
>>> extensible
>>> and that the common existing schemes are the only ones HTTP permits. Or
>>> that
>>> somehow a user authenticating with N different and fragile mechanisms for
>>> one transaction is a good thing (I rather disagree, the UX on that would
>>> be
>>> tricky and implementation nightmares).
>>
>> That's either a strawman or you misunderstood the arguments against
>> doing authentication in HTTP.  It's not that "HTTP auth is broken",
>> but that HTTP is the *wrong layer* -- that's not because HTTP or HTTP
>> auth is broken, but because properties of the stack of protocols
>> spoken make HTTP auth a problematic proposition.
>>
>> BTW, I've not see any arguments about N different mechanisms (fragile
>> or not) being a problem.
>
> Maybe I have been misunderstanding some of them. But the auth proposals I've
> seen in the last few years all seem to fall into three brackets with regards
> to their claims about HTTP:

But you don't even list here the argument you listed above, nor give
examples.  Why argue about this anyways?  You and I seem to agree:

> 1) "HTTP auth is broken". Aka "do it all in payload entities and have HTTP
> endpoints interpret those" ... well so what? payload format is not HTTP.
> Good luck but go away and do it at a different layer.

Yes, do it at a different layer: that's my answer.

> 2) "HTTP auth is broken". Aka the headers dont let me login user X to proxy
> A and proxy B at the same time, in the same chain, with different
> credentials all controlled by user X ... seem to be making a few wrong
> assumptions about how HTTP works there. Go away and do (1) instead the
> user-application ha sa lot more control over end-to-end pathways in
> application layer.

Oh, I'd never seen this argument.  This is an interesting one because
authentication to proxies is very interesting.  So this one is
definitely a legitimate argument, and one I would make.  Also, this
means I have to think about proxy auth for RESTauth (well, it's
straightforward, but I have to add it).  This is very helpful, thanks!

> 3) "HTTP auth is broken". Aka its missing a scheme to do mechanism Z ... and
> we do see these followed by specs to do Z in HTTP. But none of them are
> exactly replacing the existing HTTP mechanism design, just extending it as
> it was intended to be extended.
>
> What am I missing?

At least the argument you'd made above:

>>> *Every single claim* that HTTP-auth is broken and needs re-designing
>>> seems
>>> to me to be based on the flawed assumption that HTTP-auth is not
>>> extensible
>>> and that the common existing schemes are the only ones HTTP permits. Or
>>> that
>>> somehow a user authenticating with N different and fragile mechanisms for
>>> one transaction is a good thing (I rather disagree, the UX on that would
>>> be
>>> tricky and implementation nightmares).

I've never seen that argument.

v2.23.0 | Report a Bug | By Email