IETF Logo Mail Archive

Re: [hybi] WebSocket handshake (HTTP and SSO)

Benjamin Black <b@b3k.us> Sat, 04 September 2010 05:08 UTC

Return-Path: <b@b3k.us>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 898363A67B4 for <hybi@core3.amsl.com>; Fri, 3 Sep 2010 22:08:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.253
X-Spam-Level:
X-Spam-Status: No, score=0.253 tagged_above=-999 required=5 tests=[AWL=-0.370, BAYES_50=0.001, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aQQfTFS23LfK for <hybi@core3.amsl.com>; Fri, 3 Sep 2010 22:08:18 -0700 (PDT)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by core3.amsl.com (Postfix) with ESMTP id 3A12F3A63EB for <hybi@ietf.org>; Fri, 3 Sep 2010 22:08:17 -0700 (PDT)
Received: by wwj40 with SMTP id 40so2895899wwj.13 for <hybi@ietf.org>; Fri, 03 Sep 2010 22:08:45 -0700 (PDT)
Received: by 10.216.38.20 with SMTP id z20mr834623wea.108.1283576925206; Fri, 03 Sep 2010 22:08:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.3.129 with HTTP; Fri, 3 Sep 2010 22:08:25 -0700 (PDT)
From: Benjamin Black <b@b3k.us>
Date: Fri, 03 Sep 2010 22:08:25 -0700
Message-ID: <AANLkTinxTLuDEiS=XuyVHG1W+aizKHWk2Z4=LLqEHvC4@mail.gmail.com>
To: hybi@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Sep 2010 05:08:19 -0000

The focus of the argument in favor of re-implementing authn in
Websockets mechanisms that already exist in HTTP is that the authn
process sometimes requires an extra round trip.  One.  Round.  Trip.
Sometimes.  The phrase you seek is "premature optimization".

Instead of talking about it in the abstract of a single, extra round
trip, I ask when this is relevant.  In cases where connections are
short-lived, intended for a single request/response, and credentials
can't be retained, this concern seems quite important.  Since the
entire process is one round trip, adding another could add
considerable latency.

Are Websockets intended for short-lived, request/reply applications?
If so, they are pointless as HTTP can handle these applications all on
its own.

Are they intended for applications in which:
  1) a user is not already authenticated
OR
  2) the credentials can't be passed to the Websocket system to use in
authentication?

Or, instead, are Websockets intended for long-running connections with
numerous round trips, often from applications that can collect
credentials and send them directly in the HTTP request that begins the
Websocket negotiation?  And, if this is so, why are we obsessing over
a single round trip adding all of 50ms to initial connection setup
instead of recognizing the existing mechanisms are perfectly workable
_as is_?  If, in the fullness of time and experience, we discover the
extra round trip is a serious impediment, we are free to design and
implement new mechanisms.

File under: another confusing example of hybi efforts eschewing HTTP
mechanisms and HTTP compliance.  If someone could elucidate that, I
would be grateful.


b

v2.23.0 | Report a Bug | By Email