Re: [hybi] WebSocket handshake (HTTP and SSO)
Scott Ferguson <ferg@caucho.com> Mon, 30 August 2010 22:12 UTC
Message-ID: <4C7C2CCA.2060106@caucho.com>
Date: Mon, 30 Aug 2010 15:12:26 -0700
From: Scott Ferguson <ferg@caucho.com>
To: Greg Wilkins <gregw@webtide.com>
References: <4C7A269F.8020306@gmail.com> <AANLkTinqJ+K-pqm7p7S+aviWVY==S0mJ9RBvNfpnTa02@mail.gmail.com> <AANLkTikCVNoJnKXTOTJadYJWYR356u1wZdVNdBwEh6cg@mail.gmail.com> <AANLkTik3Jo4rG8cTcHerpwPumT_X77bn9y5rDkZ8ZD33@mail.gmail.com> <AANLkTimabr-0gVy1Jpr0=i-Wfv6u-AnD+ReNvb0eajYO@mail.gmail.com> <4C7BDA8F.4080107@caucho.com> <4C7BF060.7070501@isdg.net> <AANLkTim=yKrVkRFhJow=+C91_Pfe6UsyyY3G-4i+o4fZ@mail.gmail.com>
In-Reply-To: <AANLkTim=yKrVkRFhJow=+C91_Pfe6UsyyY3G-4i+o4fZ@mail.gmail.com>
Cc: hybi <hybi@ietf.org>, Brodie Thiesfield <brodie@jellycan.com>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
Greg Wilkins wrote:
> On 31 August 2010 03:54, Hector Santos <hsantos@isdg.net> wrote:
>> Scott Ferguson wrote:
>>> If we just punt and make applications write their own authentication
>>> instead of piggybacking on the handshake, it would cost an extra round trip.
>>
>> But you also can't prevent this
>
> +1
>
> The handshake is an HTTP request that in many cases will be directed at
> a general purpose HTTP server running applications that often have
> sophisticated and mandated authentication mechanisms.
>
> It may be difficult for deployers to get an exception to a deployment
> policy that says: "all web applications will use XYZ authentication",
> so any inability for the handshake to work with common
> authentication mechanisms will be an impediment to deployment. Allowing
> authentication exceptions for websocket handshakes may complicate
> authentication schemes and increase the risk of human error creating
> security holes. Even if authentication exceptions are allowed for the
> websocket, human error will mean that sometime the wrong URL will be used
> and the ws handshake will see authentication failures, so at the very
> least these need to be handled in a reasonable way.
>
> I really don't think we want to be in the game of: "oh you are using
> XyZ authentication! why do you want to use that? You can use WS if
> only you change to use PqY authentication". We should just work with
> commonly deployed HTTP authentication mechanisms, even if we think
> they are rubbish etc.

What are you talking about? I'm just pointing out that the current
handshake cannot support any challenge/response authentication mechanism
like HTTP DIGEST. It's only capable of HTTP BASIC authentication.

-- Scott

> cheers
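The distinction Scott draws, as an added worked example (Python written for this page, not code from the thread or from any participant's server): Basic credentials can ride on the first upgrade request, whereas Digest cannot begin until the server has issued a nonce, so a client that treats anything other than 101 as a failed handshake never gets past the challenge, and a client that does retry pays the extra round trip. The user store, realm, request target and the omission of the Sec-WebSocket-* key checks are assumptions made to keep the authentication path visible.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed credential store and realm for this example; not from the thread.
USERS = {"alice": "correct horse"}
REALM = "ws-example"


def parse_request(raw: bytes):
    """Split an HTTP/1.1 request head into (method, target, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def parse_auth_params(params: str) -> dict:
    """Parse the 'k="v", k2=v2' parameter list carried by Digest headers."""
    out = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        out[key.strip()] = value.strip().strip('"')
    return out


def digest_response(user, password, method, uri, nonce, nc, cnonce) -> str:
    """RFC 2617 Digest response for qop=auth, algorithm=MD5 (the interop baseline)."""
    ha1 = hashlib.md5(f"{user}:{REALM}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hexdigest()


def verify_basic(token: str):
    """Check a preemptive Basic credential; returns the user name or None."""
    try:
        user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time compare; an unknown user takes the same path as a wrong password.
    ok = hmac.compare_digest(USERS.get(user, "").encode(), password.encode())
    return user if ok and user in USERS else None


def server_handshake(raw: bytes, issued_nonces: set):
    """Answer one upgrade request with (status, headers). Only 101 completes the handshake;
    a 401 challenge ends the connection for a client that cannot retry. Key checks omitted."""
    method, target, h = parse_request(raw)
    if method != "GET" or h.get("upgrade", "").lower() != "websocket":
        return 400, {}
    scheme, _, rest = h.get("authorization", "").partition(" ")
    user = None
    if scheme.lower() == "basic":
        user = verify_basic(rest)
    elif scheme.lower() == "digest":
        p = parse_auth_params(rest)
        if p.get("nonce") in issued_nonces and p.get("username") in USERS:
            expected = digest_response(p["username"], USERS[p["username"]], method,
                                       p.get("uri", target), p["nonce"],
                                       p.get("nc", ""), p.get("cnonce", ""))
            if hmac.compare_digest(expected.encode(), p.get("response", "").encode()):
                issued_nonces.discard(p["nonce"])  # one use per nonce
                user = p["username"]
    if user is None:
        nonce = secrets.token_hex(16)
        issued_nonces.add(nonce)
        return 401, {"WWW-Authenticate": f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"'}
    return 101, {"Upgrade": "websocket", "Connection": "Upgrade"}


def build_request(authorization) -> bytes:
    lines = ["GET /chat HTTP/1.1", "Host: example.invalid",
             "Upgrade: websocket", "Connection: Upgrade"]
    if authorization:
        lines.append("Authorization: " + authorization)
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def client_connect(user, password, scheme, can_retry_challenge):
    """Open one WebSocket; returns (round_trips, final_status).
    can_retry_challenge=False models a handshake that fails on any non-101 response."""
    nonces = set()
    if scheme == "basic":
        cred = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        return 1, server_handshake(build_request(cred), nonces)[0]
    # Digest: nothing to send until the server has named a nonce.
    status, headers = server_handshake(build_request(None), nonces)
    if status != 401 or not can_retry_challenge:
        return 1, status
    p = parse_auth_params(headers["WWW-Authenticate"].split(" ", 1)[1])
    cnonce = secrets.token_hex(8)
    resp = digest_response(user, password, "GET", "/chat", p["nonce"], "00000001", cnonce)
    cred = (f'Digest username="{user}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="/chat", qop=auth, nc=00000001, cnonce="{cnonce}", response="{resp}"')
    return 2, server_handshake(build_request(cred), nonces)[0]
```

`client_connect` returns the round-trip count together with the final status, so the four cases (Basic or Digest, retry or not) can be compared side by side. The constant-time comparisons and single-use nonces are there because an upgrade endpoint is still an authentication endpoint and deserves the same care as any other one.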