RE: Straw-man charter for http-bis -- call for errata/clarifications to 2617

From: Paul Leach <paulle@windows.microsoft.com>
Date: Thu, 31 May 2007 14:54:58 -0700
Message-ID: <76323E9F0A911944A4E9225FACFC55BA04AFFB56@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
To: Eric Lawrence <ericlaw@exchange.microsoft.com>, Cyrus Daboo <cyrus@daboo.name>, Henrik Nordstrom <henrik@henriknordstrom.net>
CC: <ietf-http-wg@w3.org>

A couple of thoughts:
1. The requirements (use of connection-keep-alive, proxy issues, etc)
for secure use of per-connection authentication could be described in
2617bis.  AFAIK, these could reflect some actual implementation
experience.
2. A "shared key" auth method could be introduced that would do
per-message security, and a framework whereby mechanisms for negotiating
that key could be used -- Kerb/SPNEGO being the obvious ones. There
would be severe chicken/egg deployment issues around this, but maybe
over the long run it would get adopted.

-----Original Message-----
From: Eric Lawrence
Sent: Thursday, May 31, 2007 2:28 PM

Cyrus--

You're right, but Henrik's point still stands.  The existing
implementation of Negotiate/NTLM is significantly different than the
conventional HTTP authentication "per-message" model.  It may be
difficult (or undesirable) to roll this into RFC2616.

Received on Thursday, 31 May 2007 21:56:04 GMT