Re: [hybi] About authentication mechanism

John Tamplin <jat@google.com> Tue, 28 June 2011 21:58 UTC

Return-Path: <jat@google.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 360B811E80F2 for <hybi@ietfa.amsl.com>; Tue, 28 Jun 2011 14:58:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.676
X-Spam-Level:
X-Spam-Status: No, score=-105.676 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OYSNb+7CIzts for <hybi@ietfa.amsl.com>; Tue, 28 Jun 2011 14:58:07 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.67]) by ietfa.amsl.com (Postfix) with ESMTP id 9845A11E80C0 for <hybi@ietf.org>; Tue, 28 Jun 2011 14:58:06 -0700 (PDT)
Received: from kpbe14.cbf.corp.google.com (kpbe14.cbf.corp.google.com [172.25.105.78]) by smtp-out.google.com with ESMTP id p5SLw4rv009917 for <hybi@ietf.org>; Tue, 28 Jun 2011 14:58:05 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1309298285; bh=AYnCMGqJXyILuqd4P2K+SrgXzYI=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=h8wZmkm+F0Ja5jDRqoO2KI9j5rCgC/TWbgovfB16K5ftxiJrEY2lAJOVEPECPP6DU 4G5/ybo7ATI7BPpCHdgvQ==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=dkim-signature:mime-version:in-reply-to:references:from:date: message-id:subject:to:cc:content-type:x-system-of-record; b=V+Nfv2dSU8Pbr9k0cmKXxSv1+F4rTvrXTJJaczuOOEdfHiDaef+OzGBjqIC2nOvxN WtFKbf62/nwQEFIXjJaPw==
Received: from ywb26 (ywb26.prod.google.com [10.192.2.26]) by kpbe14.cbf.corp.google.com with ESMTP id p5SLvHBo001081 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <hybi@ietf.org>; Tue, 28 Jun 2011 14:58:03 -0700
Received: by ywb26 with SMTP id 26so346548ywb.14 for <hybi@ietf.org>; Tue, 28 Jun 2011 14:58:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=bBKNrMULYW4ChNl3biiYVcAeuK0sSUb21x8mY0/nFyc=; b=wJx6X5VZNTGeG7xDEARBZtGlgiZEGAn2WBUekrQTOsUXEXCqIlIwFNk58EJftXqfb6 cEhDy6MxXTPG2kyBO77Q==
Received: by 10.150.66.20 with SMTP id o20mr97414yba.344.1309298283120; Tue, 28 Jun 2011 14:58:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.150.49.7 with HTTP; Tue, 28 Jun 2011 14:57:43 -0700 (PDT)
In-Reply-To: <BANLkTinGb38bLyH20Q-QaP2jeDCfgYvENw@mail.gmail.com>
References: <BANLkTinerv=Ua4d-ma+uPVJjF95U1U5iXg@mail.gmail.com> <BANLkTin4mWJgQm+pfyYRs_RhRkdMBfY_Og@mail.gmail.com> <BANLkTiksptqmTWftg7Ur98QQnp22QV7OLA@mail.gmail.com> <BANLkTimw8T4pZieBeCjaPQJ8oYWfbTjkmg@mail.gmail.com> <BANLkTikOzzHF1dGz-2-UwTC0kb2ZQd_0Jw@mail.gmail.com> <BANLkTimCTTCU4UFA7JFuBvDZSFv++UyGCA@mail.gmail.com> <BANLkTinWnTxkCh9BM_utX0=pxzE02DypuA@mail.gmail.com> <BANLkTi=LEOyhagpGZF9gTyLxGuqv5U64wmO_afwaw=eR=pVcPw@mail.gmail.com> <BANLkTinGb38bLyH20Q-QaP2jeDCfgYvENw@mail.gmail.com>
From: John Tamplin <jat@google.com>
Date: Tue, 28 Jun 2011 17:57:43 -0400
Message-ID: <CABLsOLD-EWb=pQ33c9FSU3cu0JTGS5mc2-e5-oq-skfp7rzQhA@mail.gmail.com>
To: Iñaki Baz Castillo <ibc@aliax.net>
Content-Type: multipart/alternative; boundary="000e0cd51b401207a004a6ccc3ee"
X-System-Of-Record: true
Cc: hybi@ietf.org, Greg Wilkins <gregw@intalio.com>
Subject: Re: [hybi] About authentication mechanism
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jun 2011 21:58:08 -0000

On Wed, Jun 22, 2011 at 6:42 AM, Iñaki Baz Castillo <ibc@aliax.net> wrote:

> - Web developers don't like HTTP authentication in web pages and
> prefer authentication at application level. I agree, it's nicer, but
> it relies on the fact that HTTP usually carries a web page (application
> data) in which the user can fill a form, submit, and get
> authentication and a Cookie for a session.
>

Note that cookies are problematic for supporting multiple tabs logged in
with different accounts, and are vulnerable to XSRF attacks without
additional precautions.


> - This WG does not want to cover authentication mechanism at all for
> WebSocket protocol, and instead leave it again at application level.
> But here there is no rendered web page in which the user can fill a
> login form. So...
>
> Assuming that any websocket connection would be preceded by a web
> access (in which login and a session Cookie has been got) would be a
> terrible error IMHO. So, does nobody agree that WS needs a built-in
> authentication mechanism? Honestly I cannot understand. Hope I miss
> something very important in this topic.
>

The point is common practice in web apps is not to use HTTP authentication
anyway (aside from not being able to style it the way you want, you can't
easily log out, plus other limitations), but to have the app request the
credentials and send them to the server itself.  If it takes that approach,
then it can easily do the same thing for WS communication.

-- 
John A. Tamplin
Software Engineer (GWT), Google