Re: [hybi] Web Socket IP Authentication

Hector Santos <hsantos@isdg.net> Fri, 03 September 2010 12:15 UTC

Message-ID: <4C80E705.6010603@isdg.net>
Date: Fri, 03 Sep 2010 08:16:05 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
To: Dave Cridland <dave@cridland.net>
References: <20100901224502.0519B3A687C@core3.amsl.com> <AANLkTikP1CF22fL0rBniXmrxEoBAbTNfzP9kyiNA4nbb@mail.gmail.com> <AANLkTi=_1m36ThFZTH_aGE_Unz0KTeexJq_74UGr2j+u@mail.gmail.com> <B68E5323-E259-4D27-BB32-ED86961209FC@gbiv.com> <20100902051929.GD10275@1wt.eu> <4C7F3F21.3000200@isdg.net> <20100902061613.GK10275@1wt.eu> <4C7F4C59.4010502@isdg.net> <2348.1283459737.696752@puncture> <4C80175C.4090109@isdg.net> <2348.1283502130.477694@puncture>
In-Reply-To: <2348.1283502130.477694@puncture>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Server-Initiated HTTP <hybi@ietf.org>
Subject: Re: [hybi] Web Socket IP Authentication

Good morning,

Dave Cridland wrote:
> On Thu Sep  2 22:30:04 2010, Hector Santos wrote:
>>
>> In any case, the point was that IP authentication *can* be a valid 
>> server side consideration for secondary web sockets connections.
>>
> And my point is that it is not.

Come on David, surely you are more open minded than that. :)

> An HTTP request may be passed through several proxies, 
> a WebSocket request is less likely to. 

Sure.

> One point you made does apply here too - an IP address, if within the AS 
> or local network, is sufficient to authenticate as an otherwise 
> anonymous local user. This is the case used to allow SMTP relaying to 
> ISP customers. I don't think this will be an option for the vast 
> majority of WebSocket services.

Well, David, you already made a decision on what the majority of services
will be and to (mildly) suggest there is no utility for the minority
cases. :)

We have long had a dual/multi client session framework since 1996 so my
perspective does have a basis. WebSocket offers an alternative,
perhaps simplified "client/wiring" framework. For us, it's more about
single sourcing the client interface devices - again. It may also show
to be "not ready" for prime time.

Nonetheless, while offhand the session management will naturally
carry over which is not IP associated, IP may|could be part of it. 3rd
party applets have leveraged "IP" in different ways, i.e. "call back
verifiers" ideas. Overall, the reasons have been more strategic in
some aspect, but it's all about different levels of session management
considerations.

WebSocket simply highlights these design considerations more - at 
least for us.

IMO, the majority market place, at least in the short term, will be 
more transforming existing applications including private, intranet, 
etc.  The longer term may be more public service hosting, a wider mesh 
network or some combo of decentralization/centralization server ideas.

Thanks for your input.

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com