Re: [hybi] About authentication mechanism

Ian Fette (イアンフェッティ) <ifette@google.com> Tue, 28 June 2011 22:21 UTC

In-Reply-To: <CALiegfnfWwqtWqHZ5GUCWMNdWODnV+fHNhn+fxpL49KQ=Fs8Fw@mail.gmail.com>
References: <BANLkTinerv=Ua4d-ma+uPVJjF95U1U5iXg@mail.gmail.com> <BANLkTin4mWJgQm+pfyYRs_RhRkdMBfY_Og@mail.gmail.com> <BANLkTiksptqmTWftg7Ur98QQnp22QV7OLA@mail.gmail.com> <BANLkTimw8T4pZieBeCjaPQJ8oYWfbTjkmg@mail.gmail.com> <BANLkTikOzzHF1dGz-2-UwTC0kb2ZQd_0Jw@mail.gmail.com> <BANLkTimCTTCU4UFA7JFuBvDZSFv++UyGCA@mail.gmail.com> <BANLkTinWnTxkCh9BM_utX0=pxzE02DypuA@mail.gmail.com> <BANLkTi=LEOyhagpGZF9gTyLxGuqv5U64wmO_afwaw=eR=pVcPw@mail.gmail.com> <BANLkTinGb38bLyH20Q-QaP2jeDCfgYvENw@mail.gmail.com> <CABLsOLD-EWb=pQ33c9FSU3cu0JTGS5mc2-e5-oq-skfp7rzQhA@mail.gmail.com> <CALiegfnfWwqtWqHZ5GUCWMNdWODnV+fHNhn+fxpL49KQ=Fs8Fw@mail.gmail.com>
Date: Tue, 28 Jun 2011 15:21:22 -0700
Message-ID: <BANLkTi=CHoqCaTpBUyjokotR6F6tcfajcNedwQg0_ge0JRUYNQ@mail.gmail.com>
From: Ian Fette (イアンフェッティ) <ifette@google.com>
To: Iñaki Baz Castillo <ibc@aliax.net>
Cc: hybi@ietf.org, Greg Wilkins <gregw@intalio.com>
Subject: Re: [hybi] About authentication mechanism

On Tue, Jun 28, 2011 at 3:19 PM, Iñaki Baz Castillo <ibc@aliax.net> wrote:

> 2011/6/28 John Tamplin <jat@google.com>:
> > Note that cookies are problematic for supporting multiple tabs logged in
> > with different accounts, and are vulnerable to XSRF attacks without
> > additional precautions.
>
> But still Cookies are the only authentication mechanism mentioned in
> the WS draft.
>
>
>
> > The point is common practice in web apps is not to use HTTP
> authentication
> > anyway (aside from not being able to style it the way you want, you can't
> > easily log out, plus other limitations),
>
> I agree. It's ugly.
>
>
> > but to have the app request the
> > credentials and send them to the server itself.  If it takes that
> approach,
> > then it can easily do the same thing for WS communication.
>
> Humm, in my previous mail I already explained that a web server
> returns an HTML page in which the user can fill in his credentials and
> so on. But in WebSocket, how to do that? When you connect to a WebSocket
> server you don't receive a custom HTML page or a form to log in.
>
>
>
A user is not going to type a ws:// URL into a browser or other client.
They are going to open some webpage/application/... that will have ample
opportunity to deal with login before that thing instantiates the ws
connection.


>
> --
> Iñaki Baz Castillo
> <ibc@aliax.net>
>
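The flow Ian and John describe (the page handles login itself, then the app opens the WebSocket and presents what it got from the login step) can be sketched server-side. The following is an added example written for this archive page, not code from the thread or from any hybi draft: the token store, the `AUTH` first-message convention, the origin allow-list and the sample handshakes are all constructed assumptions. The `Sec-WebSocket-Accept` derivation is the one from RFC 6455, which postdates the thread. Two points from the discussion are made concrete: the Origin check is the "additional precaution" that stops a cross-site page from riding on ambient cookies, and carrying a per-login token in the first message instead of a cookie lets two tabs hold two different accounts.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# GUID that RFC 6455 appends to Sec-WebSocket-Key before hashing (assumption:
# the draft under discussion on the list used the same scheme).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed server-side state. Tokens are issued by the ordinary HTTP login
# handler after the form-based login succeeds; one token per logged-in tab.
SESSION_TOKENS: Dict[str, str] = {
    "tok-alice-7f3a": "alice",
    "tok-bob-91c2": "bob",
}
ALLOWED_ORIGINS = {"https://app.example"}   # assumption: the app's own origin


def issue_token(user: str) -> str:
    """Called by the HTTP login handler once the posted credentials check out.
    The page then hands this token to the script that opens the WebSocket."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[token] = user
    return token


def parse_handshake(raw: bytes) -> Dict[str, str]:
    """Parse the client's Upgrade request into a dict of lowercased header names."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(sha1(key + GUID)) per RFC 6455."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_handshake(raw: bytes) -> Tuple[bool, str]:
    """Validate the upgrade before any cookie is consulted.

    Returns (True, accept_value) or (False, reason). Browsers attach cookies
    to the handshake automatically, so rejecting unexpected Origins is what
    keeps a third-party page from reusing the user's ambient session.
    """
    h = parse_handshake(raw)
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    origin = h.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed: %r" % (origin,)
    key = h.get("sec-websocket-key")
    if not key:
        return False, "missing Sec-WebSocket-Key"
    return True, accept_key(key)


def authenticate_first_message(msg: str) -> Optional[str]:
    """The app's first frame is 'AUTH <token>' (constructed convention).

    Returns the user the token belongs to, or None. Comparison is
    constant-time so a wrong token does not leak how many bytes matched.
    """
    if not msg.startswith("AUTH "):
        return None
    presented = msg[5:].strip().encode("utf-8")
    for token, user in SESSION_TOKENS.items():
        if hmac.compare_digest(presented, token.encode("utf-8")):
            return user
    return None


# Constructed sample handshakes. The key is the RFC 6455 example value.
GOOD_HANDSHAKE = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Origin: https://app.example\r\n"
    b"Sec-WebSocket-Version: 13\r\n\r\n"
)
CROSS_SITE_HANDSHAKE = GOOD_HANDSHAKE.replace(
    b"Origin: https://app.example", b"Origin: https://evil.example"
)

if __name__ == "__main__":
    print(check_handshake(GOOD_HANDSHAKE))
    print(check_handshake(CROSS_SITE_HANDSHAKE))
    print(authenticate_first_message("AUTH tok-alice-7f3a"))
    print(authenticate_first_message("AUTH tok-bob-91c2"))
    print(authenticate_first_message("AUTH tok-unknown"))
```

The token never travels in a cookie, so nothing is sent automatically by the browser on behalf of another site, and a second tab logged in as a different user simply presents a different token on its own socket. The Origin allow-list belongs on the handshake regardless, because that is the point at which ambient cookies would otherwise be accepted.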