
Re: Security Requirements for HTTP, draft -00

From: Roy T. Fielding <fielding@gbiv.com>
Date: Fri, 1 Feb 2008 12:50:43 -0800
Message-Id: <F0A00F6E-1169-4B78-B42E-305FF2C52546@gbiv.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>

On Jan 28, 2008, at 1:46 PM, Paul Hoffman wrote:
> At 10:27 PM +0100 1/28/08, Stephane Bortzmeyer wrote:
>> On Mon, Jan 28, 2008 at 08:47:46AM -0800,
>>  Paul Hoffman <paul.hoffman@vpnc.org> wrote
>>  a message of 59 lines which said:
>>
>>>  I strongly suspect that if you add up all the authentications done
>>>  on every HTTP server in the world today, forms+cookies+people would
>>>  win over ((nonforms+people) + (nonforms+nonpeople)).
>>
>> Maybe, it depends on the metrics you use :-) Number of installations,
>> number of requests per day, number of US $ processed ? :-)
>
> Number of requests per day.

Not even close.  Regular old HTTP authentication requests outnumber
browser-driven forms-based use of the Web (on a per request basis)
by an order of magnitude.  That's how a lot of services obtain
the news, feeds, stock ticks, catalog updates, price quotes, and
shipping calculations that eventually make it into a single shopping
site's user-oriented page with cookies.

The opinions stated in the draft are wrong and do nothing but obscure
the mechanisms that are supposed to be described.  I suggest you remove
them and rely more on actual examples of authentication as used in HTTP.
A lot of the stuff heard at an IETF meeting is simply old wives' tales
retold by folks who don't build application services, let alone the
services that use HTTP.  They should not be relied upon for this draft.

....Roy
Received on Friday, 1 February 2008 20:50:34 GMT