W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2007

Re: RFC2617, was: Straw-man charter for http-bis

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Mon, 11 Jun 2007 23:04:08 +0200
To: lists@ingostruck.de
Cc: Jamie Lokier <jamie@shareable.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <1181595848.8224.32.camel@henriknordstrom.net>
mån 2007-06-11 klockan 14:41 +0000 skrev lists@ingostruck.de:

> >     3. Password transfer for authentication can be done over SSL/TLS,
> >        even if the accessed pages after that are plaintext with the
> >        cookie as authenticator, for performance or caching reasons.
> There is no need for that with digest *and* you do not even need
> SSL/TLS for auth purposes.

And more, with Digest you don't need to worry about session theft when
not using SSL/TLS. Unlike cookies digest has built-in replay protection.
Now not every implementation make use of it (partly due to the
implementation bugs mentioned earlier), but it's there.

> Current UA impls do not send auth across schemes (http/https), which makes 
> perfectly sense for basic, but for digest this could be done without major
> changes to rfc2617, because the scheme is not involved in the hash calculus.

Digest has the domain response paramater to control this. Have not
looked into how well supported this is by the current UAs, but it's
there in the specifications.


> This one seems to be the crux of the matter, but the 
> Authorization, Authenticate and Proxy-Authenticate headers are available
> to all those server-side-rendering schemes too (at least through CGI,
> via HTTP_AUTHORIZATION etc.).

Some servers filter the Authorization header in CGI for security
reasons, not trusting the CGI with user credentials.

> >     4. Describing hooks whereby the UI elements can appear embedded in
> >        a related HTML page, but aren't required to be.

Yes, and has been on the agenda since at least 1999 as already discussed
here. And it's not a technically hard thing to do, just someone need to
do it and get it accepted, and when done it will significantly shift the
tide in favor for HTTP authentication compared to cookies.

> >     5. Ensure that it's possible that site authors who write in
> >        e.g. PHP, Perl, CGI etc. can easily make use of the scheme.
> >        Simply because this is an important requirement for practical
> >        deployment.

This falls firmly into the land of server configuration. Auth schemes is
best implemented by the server, not each application running on the
server. 

In short applications (using PHP, Perl, CGI etc) need to be able to
configure the protection realms of the server in a consistent manner.
One example is using Apache .htaccess which works quite well for the
purpose (assuming the server admin allows authentication to be used).

The primary thing missing is some well defined way of establishing the
user password without applications having to dive deep into both server
and scheme details..

Note: I do NOT consider it a reasonable task for a potential WG revising
RFC2617 to come up with designs allowing applications to use
authentication on servers where the use of authentication has been
administratively prohibited. Thats an administrative issue, not a
technical one.

Regards
Henrik

Received on Monday, 11 June 2007 21:04:17 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:10 GMT