Re: [hybi] About authentication mechanism

Iñaki Baz Castillo <> Wed, 29 June 2011 13:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5F8DD11E8075 for <>; Wed, 29 Jun 2011 06:01:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.677
X-Spam-Status: No, score=-2.677 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0GMNwwnyh+gD for <>; Wed, 29 Jun 2011 06:01:29 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id E975A11E8070 for <>; Wed, 29 Jun 2011 06:01:28 -0700 (PDT)
Received: by qyk29 with SMTP id 29so882886qyk.10 for <>; Wed, 29 Jun 2011 06:01:28 -0700 (PDT)
MIME-Version: 1.0
Received: by with SMTP id a4mr513319qcf.287.1309352488432; Wed, 29 Jun 2011 06:01:28 -0700 (PDT)
Received: by with HTTP; Wed, 29 Jun 2011 06:01:28 -0700 (PDT)
In-Reply-To: <>
References: <>
Date: Wed, 29 Jun 2011 15:01:28 +0200
Message-ID: <>
From: =?UTF-8?Q?I=C3=B1aki_Baz_Castillo?= <>
To: Bob Gezelter <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [hybi] About authentication mechanism
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 29 Jun 2011 13:01:30 -0000

(now correctly replying to the list address):

2011/6/29 Bob Gezelter <>om>:
> In summary, the WebSocket protocol does need a framework for
> authentication, and to enable interoperaability, a registry of published
> authentication schemes within that framework, with provisions for local
> extensions. It does not need a specific authentication scheme as part of
> the specification. Any such scheme should include provisions for
> unauthenticated/anonymous connections.

It makes lot of sense. I agree that an authentication framework should
be needed (better than a single authentication mechanism) and, of
course, an API for managing it from the client side.

The problem is that the WG seems not to want to cover this area at
all, and instead let the authentication process at WS subprotocol
level, leaving all the possible challenge computation at pure
JavaScript level (danger danger).

The fact that there is no broad consensus in the need of this
mechanism, neither interest, does not justify publishing the protocol
as it is. Come on WG, if nobody in the WG would care about which
encoding to use in WebSocket protocol, would the protocol born without
specifying it??? This is a protocol specification, not a FAQ, there
cannot be black holes.

Iñaki Baz Castillo