Re: [hybi] WebSocket handshake (HTTP and SSO)

Eric Rescorla <ekr@rtfm.com> Mon, 30 August 2010 16:40 UTC

In-Reply-To: <4C7BDA8F.4080107@caucho.com>
References: <4C7A269F.8020306@gmail.com> <AANLkTinqJ+K-pqm7p7S+aviWVY==S0mJ9RBvNfpnTa02@mail.gmail.com> <AANLkTikCVNoJnKXTOTJadYJWYR356u1wZdVNdBwEh6cg@mail.gmail.com> <AANLkTik3Jo4rG8cTcHerpwPumT_X77bn9y5rDkZ8ZD33@mail.gmail.com> <AANLkTimabr-0gVy1Jpr0=i-Wfv6u-AnD+ReNvb0eajYO@mail.gmail.com> <4C7BDA8F.4080107@caucho.com>
Date: Mon, 30 Aug 2010 09:33:20 -0700
Message-ID: <AANLkTinNr4Z27=BA1pyhT6g0id=O+-AqhE0d47vkGsp2@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: Scott Ferguson <ferg@caucho.com>
Cc: hybi <hybi@ietf.org>, Brodie Thiesfield <brodie@jellycan.com>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)

On Mon, Aug 30, 2010 at 9:21 AM, Scott Ferguson <ferg@caucho.com> wrote:

> John Tamplin wrote:
>
>> On Sun, Aug 29, 2010 at 11:01 PM, Greg Wilkins <gregw@webtide.com> wrote:
>>
>>
>>> From the point of view of a combined HTTP/websocket server, it would
>>> be simplest if we can just use existing mechanisms for things like
>>> BASIC, DIGEST, OAUTH, OpenID, acegi, NTLM etc. etc.
>>> So while there may be better security mechanism that could be applied
>>> to websocket only client and servers, it would be unproductive to
>>> prohibit the use of existing security mechanism if a way can be found
>>> to use them.
>>>
>>>
>>
>> How many websites actually use HTTP Auth to protect the data?
>>
>
> Non-browser clients do. With Hessian (binary RPC over HTTP), HTTP auth is
> very typical.
>
> I'd prefer to build in WebSocket support to allow for a piggy-backed
> DIGEST-style authentication, allowing the server response to send its
> challenge and replace the client's first random bytes with an
> authentication/hello frame, which would be the DIGEST credentials.


Is the desire here:
(1) to actually have it use digest,
(2) to be digest password store compatible, or
(3) to be password compatible and challenge/response?

I ask because depending on the answer this is either an argument for or
against TLS-only.

-Ekr
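The distinction Ekr is drawing between "actually use digest" and "digest password store compatible" is easier to see in code. The block below is an added example and is not code from this thread, from Caucho, or from any WebSocket implementation: it models Scott's proposed exchange (server sends a challenge, the client's first frame carries DIGEST-style credentials) as a pair of function calls using RFC 2617 field names, with a server that stores only HA1 = MD5(username:realm:password). The realm, user, URI and password are constructed for the demo. It shows that such a store can verify either a digest challenge/response or a cleartext password (as Basic over TLS would deliver), and that a replayed response is rejected.

```python
"""Digest-style challenge/response over a pre-hashed (HA1) password store.

Added example for the hybi discussion; not code from the thread or any
WebSocket library. Field names follow RFC 2617 (assumed for illustration).
"""
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password).

    A 'digest password store' keeps only this value, never the password.
    """
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Holds only HA1 values; issues nonces; verifies client responses."""

    def __init__(self, realm: str, store: dict):
        self.realm = realm
        self.store = dict(store)          # username -> HA1 hex
        self.issued = {}                  # nonce -> set of nonce-counts seen

    def challenge(self) -> dict:
        """The server's first message: what the handshake response would carry."""
        nonce = secrets.token_hex(16)
        self.issued[nonce] = set()
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, username: str, method: str, uri: str, nonce: str,
               nc: str, cnonce: str, response: str) -> bool:
        """Check the client's first frame; reject unknown nonces and replayed nc."""
        seen = self.issued.get(nonce)
        if seen is None or nc in seen:
            return False
        stored = self.store.get(username)
        if stored is None:
            return False
        expected = digest_response(stored, method, uri, nonce, nc, cnonce)
        ok = hmac.compare_digest(expected, response)
        if ok:
            seen.add(nc)
        return ok

    def verify_password(self, username: str, password: str) -> bool:
        """Option (2) without option (1): the same HA1 store also checks a
        password sent in the clear (e.g. Basic over TLS), because HA1 can be
        recomputed from it."""
        stored = self.store.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(stored, ha1(username, self.realm, password))


def client_answer(username: str, password: str, challenge: dict,
                  method: str, uri: str, nc: str = "00000001") -> dict:
    """The client's first frame: credentials computed from the challenge."""
    cnonce = secrets.token_hex(8)
    resp = digest_response(ha1(username, challenge["realm"], password),
                           method, uri, challenge["nonce"], nc, cnonce,
                           challenge["qop"])
    return {"username": username, "uri": uri, "nonce": challenge["nonce"],
            "nc": nc, "cnonce": cnonce, "response": resp}


def demo(password: str = "correct horse", attempt: str = "correct horse"):
    """Run one exchange and then replay the same frame.

    Returns (first attempt accepted, replay accepted).
    """
    # Constructed store: the server never sees the cleartext password.
    server = DigestServer("chat.example",
                          {"alice": ha1("alice", "chat.example", password)})
    ch = server.challenge()
    ans = client_answer("alice", attempt, ch, "GET", "/ws")
    args = ("alice", "GET", "/ws", ans["nonce"], ans["nc"],
            ans["cnonce"], ans["response"])
    first = server.verify(*args)
    replay = server.verify(*args)
    return first, replay


if __name__ == "__main__":
    print(demo())                      # (True, False)
    print(demo(attempt="wrong"))       # (False, False)
```

Two caveats a practitioner would want on the record: MD5 is what RFC 2617 Digest specifies, so "actually use digest" pins the construction to MD5, whereas "digest store compatible" only requires that the server keep HA1 values, which any challenge/response (or a password check over TLS) can use. And because HA1 is what the server compares against, it is password-equivalent for digest: whoever obtains the store can authenticate with it directly, which is the usual argument for confining the exchange to TLS rather than relying on the challenge/response alone.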