W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2007

Re: RFC2616 vs RFC2617, was: Straw-man charter for http-bis

From: tom.petch <cfinss@dial.pipex.com>
Date: Thu, 14 Jun 2007 11:01:54 +0000
Message-ID: <031901c7ae6a$68e12360$0601a8c0@pc6>
To: "Adrien de Croy" <adrien@qbik.com>
Cc: "Apps Discuss" <discuss@apps.ietf.org>, <ietf-http-wg@w3.org>




<inline>
Tom Petch

----- Original Message -----
From: "Adrien de Croy" <adrien@qbik.com>
To: "Mark Nottingham" <mnot@mnot.net>
Cc: "Apps Discuss" <discuss@apps.ietf.org>; <ietf-http-wg@w3.org>
Sent: Wednesday, June 13, 2007 12:16 AM
Subject: Re: RFC2616 vs RFC2617, was: Straw-man charter for http-bis

>
> my experience also is that it is extremely rare to encounter public web
> servers that use any HTTP auth mechanism.
>
> NTLM and Basic auth is often used for intranets, and proxy access.
>
> I've never seen an instance of Digest auth.
>
> Seems to me that the issue of securing communications and authenticating
> or identifying parties are closely aligned, why not just have some form
> of auth built into TLS, then we could use it for any protocol that can
> use TLS, instead of having to implement separate auth schemes for every
> higher protocol.
>
TLS can do that but it does not gel with the way in which (many) organisations
are structured.  Those responsible for security, for security credentials and
their maintenance, do not want to be ferreting around in the depths of a network
stack, they prefer working at application and database level, a point that has
already been alluded to in this thread.

The solution I like to this is channel bindings, as promoted by Nico Williams,
where a weakly authenticated tunnel is set up and then stronger
authentication - which can rely on the strong encryption which is now in place -
is performed via it, eg at application level in the stack.

>
> Mark Nottingham wrote:
> >
> > On 08/06/2007, at 6:10 PM, Stephane Bortzmeyer wrote:
> >
> >> On Thu, Jun 07, 2007 at 06:18:13PM +0200,
> >>  Julian Reschke <julian.reschke@gmx.de> wrote
> >>  a message of 14 lines which said:
> >>
> >>> In the wild, most authentication isn't using RFC2617 anyway.
> >>
> >> Any data here? IMHO, this assertion is not true, unless you limit to
> >> big e-commerce Web sites. For instance, HTTP-based Web services use
> >> 2617.
> >
> > My experience is that it isn't adequate for even those purposes, in
> > many cases.
> >
> > --
> > Mark Nottingham     http://www.mnot.net/
Received on Thursday, 14 June 2007 12:30:27 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:10 GMT