IETF Logo Mail Archive

Re: [hybi] WebSocket handshake (HTTP and SSO)

Benjamin Black <b@b3k.us> Sat, 04 September 2010 06:12 UTC

Return-Path: <b@b3k.us>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F389B3A6809 for <hybi@core3.amsl.com>; Fri, 3 Sep 2010 23:12:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.862
X-Spam-Level:
X-Spam-Status: No, score=-0.862 tagged_above=-999 required=5 tests=[AWL=1.115, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Babo26X804tW for <hybi@core3.amsl.com>; Fri, 3 Sep 2010 23:12:36 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by core3.amsl.com (Postfix) with ESMTP id 6B51C3A67D0 for <hybi@ietf.org>; Fri, 3 Sep 2010 23:12:36 -0700 (PDT)
Received: by wyi11 with SMTP id 11so2731473wyi.31 for <hybi@ietf.org>; Fri, 03 Sep 2010 23:13:05 -0700 (PDT)
Received: by 10.216.71.85 with SMTP id q63mr1534782wed.53.1283580785225; Fri, 03 Sep 2010 23:13:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.3.129 with HTTP; Fri, 3 Sep 2010 23:12:45 -0700 (PDT)
In-Reply-To: <AANLkTik5uJ4wxUV-gvRmAMBe=JjOa-2yaA7zpf+hznS_@mail.gmail.com>
References: <AANLkTinxTLuDEiS=XuyVHG1W+aizKHWk2Z4=LLqEHvC4@mail.gmail.com> <AANLkTik5uJ4wxUV-gvRmAMBe=JjOa-2yaA7zpf+hznS_@mail.gmail.com>
From: Benjamin Black <b@b3k.us>
Date: Fri, 03 Sep 2010 23:12:45 -0700
Message-ID: <AANLkTi=pD1tXjL4QV5p0Jf2WmSiGJ_7aVOthNnW8WB3u@mail.gmail.com>
To: ifette@google.com, hybi@ietf.org
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Sep 2010 06:12:38 -0000

I actually removed a sentence saying approximately "I don't see how
this matters to anyone but Google", but thought it too snarky.  Next
time I'll know!

My suggestion?  Use existing HTTP auth, since that is easier for
everyone else.  Implement alternative schemes in Chrome and for your
apps (the client side will know to use the Google auth mechanism, and
its use will tell the server what is going on).  I see no reason the 2
need be in conflict.  If the non-HTTP mechanisms prove to be a major
win, and there is general demand for them, contribute them to the WG.
The additional experience in implementation and operations will make
your arguments in their favor irresistible.

It is in the best interests of this work to start with a minimal set
of features, making as much use as possible of existing infrastructure
(in this case, mostly HTTP).


b

2010/9/3 Ian Fette (イアンフェッティ) <ifette@google.com>:
> As a general point, we (Google) are very concerned with initial latency. The
> addition of 50ms before an app is usable is nontrivial. I say that not to
> argue for or against the current handshake, but rather to push back against
> the notion that 50ms at startup doesn't matter. Time at startup is among the
> most important, we can often hide delays at other points.
>
> On Sep 3, 2010 10:08 PM, "Benjamin Black" <b@b3k.us> wrote:
>> The focus of the argument in favor of re-implementing authn in
>> Websockets mechanisms that already exist in HTTP is that the authn
>> process sometimes requires an extra round trip. One. Round. Trip.
>> Sometimes. The phrase you seek is "premature optimization".
>>
>> Instead of talking about it in the abstract of a single, extra round
>> trip, I ask when this is relevant. In cases where connections are
>> short-lived, intended for a single request/response, and credentials
>> can't be retained, this concern seems quite important. Since the
>> entire process is one round trip, adding another could add
>> considerable latency.
>>
>> Are Websockets intended for short-lived, request/reply applications?
>> If so, they are pointless as HTTP can handle these applications all on
>> its own.
>>
>> Are they intended for applications in which:
>> 1) a user is not already authenticated
>> OR
>> 2) the credentials can't be passed to the Websocket system to use in
>> authentication?
>>
>> Or, instead, are Websockets intended for long-running connections with
>> numerous round trips, often from applications that can collect
>> credentials and send them directly in the HTTP request that begins the
>> Websocket negotiation? And, if this is so, why are we obsessing over
>> a single round trip adding all of 50ms to initial connection setup
>> instead of recognizing the existing mechanisms are perfectly workable
>> _as is_? If, in the fullness of time and experience, we discover the
>> extra round trip is a serious impediment, we are free to design and
>> implement new mechanisms.
>>
>> File under: another confusing example of hybi efforts eschewing HTTP
>> mechanisms and HTTP compliance. If someone could elucidate that, I
>> would be grateful.
>>
>>
>> b
>> _______________________________________________
>> hybi mailing list
>> hybi@ietf.org
>> https://www.ietf.org/mailman/listinfo/hybi
>

v2.23.0 | Report a Bug | By Email