Re: [hybi] About authentication mechanism

Ian Fette (イアンフェッティ) <ifette@google.com> Thu, 30 June 2011 02:28 UTC

In-Reply-To: <CALiegfm8aCsnav51DC=h4DmH+F0DAJUk69D4bbv_0GtvDjw3tw@mail.gmail.com>
Date: Wed, 29 Jun 2011 19:28:36 -0700
Message-ID: <CAF4kx8fsyrkdJ7TX2+hkMcb=M-TPtbPiLup1OWoxpvKf=FZDOA@mail.gmail.com>
From: Ian Fette (イアンフェッティ) <ifette@google.com>
To: Iñaki Baz Castillo <ibc@aliax.net>
Cc: hybi@ietf.org, Greg Wilkins <gregw@intalio.com>
Subject: Re: [hybi] About authentication mechanism

On Wed, Jun 29, 2011 at 1:05 AM, Iñaki Baz Castillo <ibc@aliax.net> wrote:

> 2011/6/29 Ian Fette (イアンフェッティ) <ifette@google.com>:
> > Pass an oauth token,
>
> How? within the subprotocol itself?
>
>
> > or have the WS server issue some challenge that the JS
> > answers
>
> Reinventing the wheel (HTTP Digest auth) but at WS subprotocol level?
> So should the JavaScript client *code* perform the challenge in pure
> and custom JavaScript code? I expect *lots* of future vulnerabilities
> in WS.
>
> Unfortunately it's common in this WG not to reuse existing
> technologies (neither reusing DNS SRV for good
> load-balancing/failover, nor reusing any existing authentication
> mechanism). This is not good IMHO.
>
>
I think the base protocol defines enough for the vast majority of people to
easily work this into their workflow. For those that it's nontrivial for,
it's certainly possible and by no means a hard CS problem. If enough people
face it, they can build a library, or propose an extension.

As for load balancing / failover beyond what basic DNS provides, again, this
isn't required for a base protocol but could easily be specified as an
extension should the need arise / people wish to do so. HTTP and TCP weren't
built in a day either.


>
> > (or presents to the user on behalf of the server if it's really
> > necessary), many ways. This is not a new problem.
>
> Even worse, it's not a new problem but it seems that WebSocket draft
> authors don't want to deal with it. The WebSocket world will become a
> jungle.
>
> So, is it really possible that WebSocket will be the first
> client->server protocol without, at least, one solid authentication
> mechanism specified? I just can't believe it. Please, WS is not like a
> DNS query. WS is supposed to carry personal and private data.
>
> Please don't take me wrong, but IMHO some other people with experience
> in Internet protocols other than HTTP should also take a look at this
> draft. I don't like the WWW-style of doing things this protocol is
> acquiring. The fact that the WWW world is a jungle doesn't mean that any
> other new protocol (even when related to HTTP) should also be a jungle.
>
>
> I strongly disagree with the direction this draft is taking when it
> comes to the authentication area in the WebSocket protocol.
>
> Regards.
>
> --
> Iñaki Baz Castillo
> <ibc@aliax.net>
>
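The "server issues a challenge that the JS answers" option discussed in this thread, as an added example that is not part of the thread or of any WebSocket implementation: both sides' text frames are simulated in-process, the user store, shared secret and challenge lifetime are constructed, and the proof is an HMAC over a single-use server nonce so a captured response cannot be replayed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed credential store (user -> shared secret); a real server would
# keep this in a database or derive it from a token issued elsewhere.
SECRETS = {"alice": b"correct horse battery staple"}
CHALLENGE_TTL = 30  # seconds a challenge stays answerable

class ServerSession:
    """Per-connection state on the WebSocket server: one nonce, one attempt."""

    def __init__(self, clock=time.time):
        self.clock, self.nonce, self.issued_at, self.user = clock, None, None, None

    def challenge(self):
        """First text frame the server sends once the WS handshake is done."""
        self.nonce, self.issued_at = secrets.token_hex(16), self.clock()
        return json.dumps({"type": "challenge", "nonce": self.nonce})

    def verify(self, frame):
        """Check the client's response frame; the nonce is burned either way."""
        msg = json.loads(frame)
        nonce, self.nonce = self.nonce, None
        if nonce is None or msg.get("type") != "response":
            return False
        if self.clock() - self.issued_at > CHALLENGE_TTL:
            return False  # stale challenge
        user, proof = msg.get("user"), msg.get("proof")
        if not isinstance(user, str) or user not in SECRETS or not isinstance(proof, str):
            return False  # unknown user gets the same answer as a bad proof
        expected = hmac.new(SECRETS[user], nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), proof.encode()):  # constant-time
            return False
        self.user = user
        return True

def client_response(frame, user, secret):
    """What the browser-side code computes when it receives the challenge."""
    nonce = json.loads(frame)["nonce"]
    proof = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"type": "response", "user": user, "proof": proof})

def run_exchange(user, secret, clock=time.time):
    """Drive one full exchange in-process; True if the server accepted it."""
    server = ServerSession(clock)
    return server.verify(client_response(server.challenge(), user, secret))
```

Over a real connection the two JSON strings would be the first text frames in each direction after the HTTP upgrade, and the server would refuse any other frame until `verify` has succeeded.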