Re: Please approve a mailing list or inform me how to Create a mailing list for discussing these projects

valdis.kletnieks@vt.edu Sat, 21 July 2018 09:12 UTC

Sender: Valdis Kletnieks <valdis@vt.edu>
From: valdis.kletnieks@vt.edu
X-Google-Original-From: Valdis.Kletnieks@vt.edu
X-Mailer: exmh version 2.8.0 04/21/2017 with nmh-1.7+dev
To: pradeep@explodingmoon.org
Cc: ietf-action@ietf.org, ietf@ietf.org
Subject: Re: Please approve a mailing list or inform me how to Create a mailing list for discussing these projects
In-Reply-To: <20180720235631.Horde.99rki6Z3lqDOOUpWm-upQ8f@box439.bluehost.com>
References: <20180720235631.Horde.99rki6Z3lqDOOUpWm-upQ8f@box439.bluehost.com>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_1532164336_13006P"; micalg="pgp-sha1"; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Sat, 21 Jul 2018 05:12:17 -0400
Message-ID: <164401.1532164337@turing-police.cc.vt.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/lYFi-u9oh2VZXobhDZOzOVpVTQs>

On Fri, 20 Jul 2018 23:56:31 -0600, pradeep@explodingmoon.org said:
> Hello
>
> Please approve a mailing list for these drafts or inform me of
> procedure how to Create
> one.
>
> https://datatracker.ietf.org/doc/draft-pradeepkumarxplorer-httpi/
> https://datatracker.ietf.org/doc/draft-pradeepkumarxplorer-httpuserinfo/

These are both one-paragraph drafts calling for solutions to problems that have
been solved quite some time ago.

'httpi://' isn't needed, because we already have all the pieces we need to do
this.  In fact, if anything, many websites have so many "related" and "you
might be interested in" links that we've coined the term "clickbait" for
attempts to get your attention among the mass of links.  And let's face it -
this is a service that should be under the user's control.  This has two
results:

1) It doesn't need to be sent to the destination site so they can decorate the
page they're sending you, so a new protocol isn't needed.

2) Since it's better done by the user, what you *really* want is a browser
extension that does all the markup and searching, without the user even having
to type 'httpi://'.  For example, see how Chrome or Firefox can deal with the
user typing a search string into the URL bar, and giving suggested completions
- each new set of completions was an entire new query from the browser to a
search engine.  Or see any of the many browser extensions that do real-time
markup of pages - everything from replacing all pictures of Donald Trump in
news stories with pictures of kittens, to extended search and annotation, to a
whole bunch of other things:

Annotation: https://www.maketecheasier.com/google-chrome-extensions-annotate-text-on-the-web/
Searching for related terms: https://www.pcworld.com/article/2158690/improve-your-search-chops-and-save-time-with-these-chrome-extensions.html
Word definitions: https://www.makeuseof.com/tag/7-chrome-extensions-lookup-words-meanings-browse/

(Think for a moment about how the web extension knows that the picture
is one of Donald Trump... that's not as easy as it looks...)

And userinfo isn't needed either - we already know how to authenticate users
via any number of means - anything from per-user PKI certificates, to userid/
password schemes, to 2-factor authentication with physical tokens or biometric
information, to a whole collection of other methods.

As your userinfo draft says:

    " Right now to hide sensitive or subscription based information i have to implement username
    password restrictions in the website code i am publishing.I should be able to say that
    only a HTTP client request that has in addition to location and IP address some User information
    should be served information from my website."

You probably want to find out who Jeff Bezos is, and why his company was able
to work around this problem and make billions of dollars.  Also, you'll need to
explain *why* "you should be able to", and why it requires a new protocol, and
why other solutions aren't sufficient.

Hint 1 - how do weather.com and Google Maps know where you are? (Google even
knows which way I'm facing with the cellphone.. think about that for a bit
while you think about how you're going to explain a new protocol is needed to
do that...)

Hint 2 - the Internet is growing increasingly mobile - so "location" isn't a
very reliable identifier any more.  I've paid utility bills from a laptop
tethered to a cellphone while at a Boy Scout camp 6 hours drive from where I
live - so it isn't safe to say that "me" is only at my apartment or my office.
In addition, if it reports "the wireless network at Virginia Tech" as my
location, that doesn't separate me from all the other users, because that
"location" is a single wireless SSID that spans 2,000+ access points in 200
buildings and over 19,000 users during weekday afternoons when classes are in
session.

In short, "Me" isn't tied to a location, and a location usually doesn't
identify "me" as opposed to everybody else using the network/cellphone at that
location.

Hint 3 - you still have an authentication issue.  You're unclear whether your
website should get the information as part of the user's http request, or from
a third party. If you're getting it from the user, you've just re-invented the
very bad idea of user-side authentication - you're relying on the user to be
honest and not send you false authenticators (and of course, the Bad Guys(tm)
will send falsified information).  If you're calling a third party, you avoid
the user-side authentication problem, but now have a different problem - you
have only the information the user provided - an IP address and *maybe* a
userid/password, as information that you can send this third party to get your
"userinfo" data.

Hint 4 - you can work around those problems in Hint 3 if you're clever - at
which point you've re-invented "identity provider services" such as Shibboleth:
https://www.shibboleth.net/ which can be used for cross-organization
single-sign-on, and leveraged to provide services such as EduRoam:
https://www.eduroam.org/ - the end result is that I can be visiting Europe, go
to Riga Technical University, and authenticate to their wireless network - but
only if I know my userid/password at Virginia Tech and have either a specific
Yubikey 4 with me, or one of several other 2-factor authenticators supported by
Virginia Tech.  One of those involves calling my cellphone (which has a phone
number assigned to the southwest part of Virginia, in the US - and having it
ring even if I'm in eastern Europe. Think about that for a moment)

And all this stuff gets done without any new protocols being needed...

To get a mailing list for these proposals, you'll have to convince people that
these solved problems are in fact not solved, and explain what's wrong with the
solutions, and do so in a way that demonstrates that you do in fact know what's
already doable without these new protocols....

Good luck, you're going to need it....
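
The distinction drawn in Hints 3 and 4, as an added example that is not part of the original message: a site that believes "userinfo" sent by the client, next to one that accepts attributes only when an identity provider has signed them. The header names `X-Userinfo` and `X-Userinfo-Assertion`, the function names and the demo key are hypothetical, and a shared-key HMAC stands in here for an identity provider's signed assertion.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key shared by the identity provider and the website.
IDP_KEY = b"constructed-demo-key-not-a-real-secret"


def idp_issue(user, groups, now, ttl=300, key=IDP_KEY):
    """Identity provider: sign the attributes after authenticating the user."""
    claims = {"sub": user, "groups": groups, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag


def naive_site(headers):
    """Weak: trusts whatever userinfo the client placed in its own request."""
    info = json.loads(headers.get("X-Userinfo", "{}"))
    return "subscriber" in info.get("groups", [])


def verifying_site(headers, now, key=IDP_KEY):
    """Hardened: serves content only for attributes the provider signed."""
    token = headers.get("X-Userinfo-Assertion", "")
    body, sep, tag = token.partition(".")
    if not sep:
        return False  # no assertion present, or not in body.tag form
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False  # signature does not match: forged or altered
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return False
    if claims.get("exp", 0) < now:
        return False  # expired assertion, e.g. a replayed old one
    return "subscriber" in claims.get("groups", [])
```
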