Re: [hybi] Authentication headers
Wellington Fernando de Macedo <wfernandom2004@gmail.com> Wed, 21 July 2010 23:55 UTC
From: Wellington Fernando de Macedo <wfernandom2004@gmail.com>
To: Greg Wilkins <gregw@webtide.com>
Cc: hybi@ietf.org

> For example, the only authentication scheme that would work and be
> secure is Basic auth over TLS to the same host as served the HTML page.
> In practice, only very few sites use that combination of technologies;
> the cost of supporting it seems higher than the benefit gained from it.

Well, where I last worked it used TLS+Basic Auth (using PAM). This is very useful, sure :)

> There are also a number of situations where it
> would seem that it should work but where it won't

If it is true, then HTTP auth should be removed altogether. Mozilla's implementation shares the ws credentials with the HTTP ones (using the origin). So it isn't a problem. I think that removing HTTP auth would be horribly bad. Similarly, I think denying WebSockets from using it isn't a good thing either.

> Sure there are other ways than using headers, but the fact remains that
> many implementations do use headers and I see no reason to break those
> implementations nor prevent their usage with websocket.

Actually I don't see any reasons to prevent these headers.

Regards,
Wellington.

2010/7/21 Greg Wilkins <gregw@webtide.com>

> On 21 July 2010 17:01, Ian Hickson <ian@hixie.ch> wrote:
>
>> Cookies are supported because they are
>> _very_ widely used, so there's something to reuse. HTTP auth is used so
>> rarely that I'd seriously consider dropping it from HTTP at this point; I
>> really don't think it's worth adding to WebSockets.
>
> HTTP headers are frequently used for authentication mechanisms that are
> neither the standard HTTP ones, nor plain simple cookies. For example many
> OAUTH implementations allow tokens to be negotiated using HTTP headers.
>
> Sure there are other ways than using headers, but the fact remains that
> many implementations do use headers and I see no reason to break those
> implementations nor prevent their usage with websocket.