Re: [hybi] WebSocket handshake (HTTP and SSO)

Hector Santos <hsantos@isdg.net> Mon, 30 August 2010 03:36 UTC

Greg Wilkins wrote:
> John,
> 
> From the point of view of a combined HTTP/websocket server, it would
> be simplest if we can just use existing mechanisms for things like
> BASIC, DIGEST, OAUTH, OpenID, acegi, NTLM etc. etc.

It sounds like it might be simple, but it must be explored. The 
methods are drastically different in their human login I/O method.

> So while there may be better security mechanism that could be applied
> to websocket only client and servers, it would be unproductive to
> prohibit the use of existing security mechanism if a way can be found
> to use them.

The issues we found are mixed authentication issues with similar dual or 
multi-channel client connections. This is a session management issue 
that has to be controlled and secured by the hosting server.

I think the better question is if we think allowing websocket for HTTP 
AUTH authentication is useful and that would include the browser 
websocket response 401 detection to pop up the browser HTTP AUTH-based 
login box.

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com