Re: [hybi] About authentication mechanism

Iñaki Baz Castillo <ibc@aliax.net> Wed, 29 June 2011 09:14 UTC

Return-Path: <ibc@aliax.net>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33E2F21F862B for <hybi@ietfa.amsl.com>; Wed, 29 Jun 2011 02:14:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.677
X-Spam-Level:
X-Spam-Status: No, score=-2.677 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EFeqZ33in9wf for <hybi@ietfa.amsl.com>; Wed, 29 Jun 2011 02:14:57 -0700 (PDT)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id A5D0E21F8623 for <hybi@ietf.org>; Wed, 29 Jun 2011 02:14:57 -0700 (PDT)
Received: by qwc23 with SMTP id 23so845340qwc.31 for <hybi@ietf.org>; Wed, 29 Jun 2011 02:14:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.23.69 with SMTP id q5mr359429qcb.249.1309338897082; Wed, 29 Jun 2011 02:14:57 -0700 (PDT)
Received: by 10.229.240.15 with HTTP; Wed, 29 Jun 2011 02:14:57 -0700 (PDT)
In-Reply-To: <CABLsOLCDq_Hs6eLuouPQrjzZ9NwBKt=jGDyVmAhq9ttWSngv5w@mail.gmail.com>
References: <BANLkTinerv=Ua4d-ma+uPVJjF95U1U5iXg@mail.gmail.com> <BANLkTin4mWJgQm+pfyYRs_RhRkdMBfY_Og@mail.gmail.com> <BANLkTiksptqmTWftg7Ur98QQnp22QV7OLA@mail.gmail.com> <BANLkTimw8T4pZieBeCjaPQJ8oYWfbTjkmg@mail.gmail.com> <BANLkTikOzzHF1dGz-2-UwTC0kb2ZQd_0Jw@mail.gmail.com> <BANLkTimCTTCU4UFA7JFuBvDZSFv++UyGCA@mail.gmail.com> <BANLkTinWnTxkCh9BM_utX0=pxzE02DypuA@mail.gmail.com> <BANLkTi=LEOyhagpGZF9gTyLxGuqv5U64wmO_afwaw=eR=pVcPw@mail.gmail.com> <BANLkTinGb38bLyH20Q-QaP2jeDCfgYvENw@mail.gmail.com> <CABLsOLD-EWb=pQ33c9FSU3cu0JTGS5mc2-e5-oq-skfp7rzQhA@mail.gmail.com> <CALiegfnfWwqtWqHZ5GUCWMNdWODnV+fHNhn+fxpL49KQ=Fs8Fw@mail.gmail.com> <BANLkTi=CHoqCaTpBUyjokotR6F6tcfajcNedwQg0_ge0JRUYNQ@mail.gmail.com> <CALiegf=Y-kWG7piRnbDtKeh7Edj11OtQqHVCUq4N2_D1pXG8Qw@mail.gmail.com> <BANLkTim++ywp3fCM8YXuRkH41pUOLqbJZt1JhVdpdUcbJkaVmQ@mail.gmail.com> <CALiegfm8aCsnav51DC=h4DmH+F0DAJUk69D4bbv_0GtvDjw3tw@mail.gmail.com> <CABLsOLB17_BVH+mGG4PCvMo8hWSfc=BvuNgq8Rcbo5Mxm6k7Zg@mail.gmail.com> <CALiegfkcnUHbYB6MeQw3Vp+OadA-drUjWHqfjzrtd2Tp1VQCJA@mail.gmail.com> <CABLsOLCDq_Hs6eLuouPQrjzZ9NwBKt=jGDyVmAhq9ttWSngv5w@mail.gmail.com>
Date: Wed, 29 Jun 2011 11:14:57 +0200
Message-ID: <CALiegf=NVNgcfZEbxu+DzpCjwFFjK9dmOKYQOfX3KVQz92nRYQ@mail.gmail.com>
From: =?UTF-8?Q?I=C3=B1aki_Baz_Castillo?= <ibc@aliax.net>
To: John Tamplin <jat@google.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: hybi@ietf.org, Greg Wilkins <gregw@intalio.com>
Subject: Re: [hybi] About authentication mechanism
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jun 2011 09:14:58 -0000

2011/6/29 John Tamplin <jat@google.com>om>:
> I feel the same way, and this is my last response.

Mine also, I think this thread is long enough and opinions are already given.


> Some JS code is making a WS request.  It can use whatever mechanism it wants
> for obtaining the credentials from the user, and send them over the WS
> connection.

Which means authentication at pure JavaScript level. Dangerous IMHO.



> Feel free to suggest something that has broad consensus.  I haven't heard
> any such suggestion, nor have I heard anyone else beside you clamoring for
> it.

This is expected as, IMHO, most of this WG comes from WWW world in
which no one authentication standard has succedeed (HTTP auth is ugly
indeed) so custom authentication mechanism are mainly used.


-- 
Iñaki Baz Castillo
<ibc@aliax.net>