Re: [hybi] About authentication mechanism

Iñaki Baz Castillo <ibc@aliax.net> Wed, 22 June 2011 00:01 UTC

In-Reply-To: <BANLkTiksptqmTWftg7Ur98QQnp22QV7OLA@mail.gmail.com>
References: <BANLkTinerv=Ua4d-ma+uPVJjF95U1U5iXg@mail.gmail.com> <BANLkTin4mWJgQm+pfyYRs_RhRkdMBfY_Og@mail.gmail.com> <BANLkTiksptqmTWftg7Ur98QQnp22QV7OLA@mail.gmail.com>
Date: Wed, 22 Jun 2011 02:01:17 +0200
Message-ID: <BANLkTimafQ1AHSi5VgYnk7oJmhox9Np-sg@mail.gmail.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
To: Greg Wilkins <gregw@intalio.com>
Cc: hybi@ietf.org
Subject: Re: [hybi] About authentication mechanism
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>

2011/6/22 Greg Wilkins <gregw@intalio.com>:
> In many respects, this is a thread that should probably occur within
> the W3C and WHATWG lists, as how browsers handle credential collection
> is much more of an issue for them than the IETF. Note that I think
> they are in final call on their APIs as well.

Yes, maybe. However, if the WebSocket draft doesn't mandate support for
HTTP authentication, how could the W3C mandate it?


> It is true that the current version of the draft no longer denies the
> ability of a client to handle 401 responses, so that is perhaps all
> that we need.     However it might be that we should consider if we
> recommend support for BASIC and DIGEST.

I strongly recommend discarding BASIC and mandating just DIGEST. The SIP
protocol also uses HTTP authentication (RFC 2617) but mandates DIGEST
and disallows BASIC (for obvious reasons):

RFC 3261 (SIP Protocol):

22 Usage of HTTP Authentication
   [...]
   Note that due to its weak security, the usage of "Basic"
   authentication has been deprecated.  Servers MUST NOT accept
   credentials using the "Basic" authorization scheme, and servers also
   MUST NOT challenge with "Basic".


Regards.


-- 
Iñaki Baz Castillo
<ibc@aliax.net>
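The Basic-versus-Digest point above, worked through on a WebSocket-style opening handshake (GET, 401 challenge, GET again with credentials), as an added example that is not code from the hybi thread, the WebSocket draft, or any SIP stack. The realm chat.example.com, the user alice, the /chat request-target and the one-nonce-one-use policy are constructed assumptions; the Digest test vector is the one printed in RFC 2617 section 3.5, which is how the test checks the MD5 arithmetic.

```python
# Added example (not from the hybi thread, the WebSocket draft or SIP):
# RFC 2617 Basic vs Digest on a WebSocket-style opening handshake.
# Realm, users, nonce policy and the /chat request-target are assumptions.
import base64
import hashlib
import hmac
import os


def basic_credentials(header_value):
    """Recover user and password from a Basic Authorization header.
    No key is needed: Basic is base64 transport encoding, nothing more,
    so anyone who sees the ws:// handshake has the password."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 3.2.2.1 response for algorithm=MD5, qop=auth:
    MD5(HA1:nonce:nc:cnonce:qop:HA2). The password itself never crosses the wire."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_auth_params(header_value):
    """Split 'Digest k="v", k2=v2' into (scheme, {k: v}).
    Simplified parser: assumes no commas inside quoted values."""
    scheme, _, rest = header_value.partition(" ")
    params = {}
    for part in rest.split(","):
        key, _, value = part.strip().partition("=")
        params[key.strip()] = value.strip().strip('"')
    return scheme, params


class DigestServer:
    """Server side of the 401 challenge on the handshake request.
    Assumption for brevity: a nonce is accepted exactly once, instead of
    tracking the nc counter as RFC 2617 permits."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users  # {username: password}; a real server would store HA1
        self.issued = set()

    def challenge(self):
        nonce = os.urandom(16).hex()
        self.issued.add(nonce)
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}", algorithm=MD5'

    def verify(self, method, authorization):
        scheme, p = parse_auth_params(authorization)
        if scheme != "Digest" or p.get("realm") != self.realm:
            return False
        if p.get("nonce") not in self.issued:
            return False  # unknown, expired or already consumed nonce: replay rejected
        password = self.users.get(p.get("username"))
        if password is None:
            return False
        try:
            expected = digest_response(p["username"], self.realm, password, method,
                                       p["uri"], p["nonce"], p["nc"], p["cnonce"],
                                       p.get("qop", "auth"))
        except KeyError:
            return False
        if not hmac.compare_digest(expected, p.get("response", "")):
            return False
        self.issued.discard(p["nonce"])  # consume the nonce on success
        return True


def client_authorization(challenge, username, password, method, uri):
    """Client side: answer the WWW-Authenticate challenge with an Authorization header."""
    _, p = parse_auth_params(challenge)
    cnonce = os.urandom(8).hex()
    nc = "00000001"
    response = digest_response(username, p["realm"], password, method, uri, p["nonce"], nc, cnonce)
    return (f'Digest username="{username}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}", algorithm=MD5')


def run_handshake():
    """GET /chat -> 401 -> GET /chat with Digest credentials.
    Returns (tampered uri accepted, genuine attempt accepted, verbatim replay accepted)."""
    server = DigestServer("chat.example.com", {"alice": "s3cret"})  # constructed sample
    www_authenticate = server.challenge()
    authorization = client_authorization(www_authenticate, "alice", "s3cret", "GET", "/chat")
    tampered = server.verify("GET", authorization.replace('uri="/chat"', 'uri="/admin"'))
    genuine = server.verify("GET", authorization)
    replay = server.verify("GET", authorization)
    return tampered, genuine, replay
```

`basic_credentials("Basic YWxpY2U6czNjcmV0")` hands back `("alice", "s3cret")` with no secret involved, which is the "obvious reason" behind the RFC 3261 text quoted above; the Digest exchange exposes only a one-time MD5 response bound to the nonce, method and request-target, so a replayed or re-targeted header fails. The caveat a practitioner should keep in mind is that Digest with MD5 only defends against a passive observer: an active attacker on plain ws:// can still strip the challenge or mount an offline dictionary attack on the response, so TLS (wss://) remains the real transport protection and Digest is a floor, not a ceiling.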