W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2008

Re: Security Requirements for HTTP, draft -00

From: Robert Sayre <rsayre@mozilla.com>
Date: Sun, 03 Feb 2008 06:11:22 +0000
Message-Id: <45082726-19F2-4BAD-A539-A01AC592E5B3@mozilla.com>
To: ietf-http-wg@w3.org
> Not even close.  Regular old HTTP authentication requests outnumber
> browser-driven forms-based use of the Web (on a per request basis)
> by an order of magnitude.

I agree that the draft is skewed towards browser-like use cases, and  
some statements don't apply to automated traffic. I also think browser- 
like traffic is where HTTP authentication as currently implemented is  
pretty useless, and worth focusing on.

>
> The opinions stated in the draft are wrong and do nothing but obscure
> the mechanisms that are supposed to be described.

Disagree. The purpose of the draft is not to describe the mechanisms  
in high detail. It's also OK to have unsubstantiated claims in a  
working document, as long as they are taken care of before  
publication. Removing the quantitative claims would probably avoid a  
lot of boring finger wagging IETF mail, so I agree they should go.

>  I suggest you remove
> them and rely more on actual examples of authentication as used in  
> HTTP.

One concrete data point would be that Amazon AWS traffic (some of  
which uses their custom HTTP auth scheme) has surpassed the traffic of  
Amazon.com. OTOH, it might be that more GET requests to Amazon.com are  
FBA-customized, while most of the GET requests to AWS are not  
authenticated. Would love some actual data.

> A lot of the stuff heard at an IETF meeting is simply old wives tales
> retold by folks who don't build application services, let alone the
> services that use HTTP.  They should not be relied upon for this  
> draft.


That isn't the source material for this document, but I'm glad you  
enjoy the meetings.

To me, HTTP authentication is the stuff that's ineffectively presented  
in the browser, but not worth fixing, because the existing schemes  
aren't useful. The draft is trying to determine why that is.

> It doesn't make any difference either way.  The notion that
> authenticated HTTP requests are almost entirely based on FBA is  
> absurd.
> It ignores the fact that most HTTP requests aren't even made by  
> browsers.

Yes, there may be a large amount of traffic using HTTP Authentication  
in applications that are difficult to observe. They might even get  
good scalability, compatibility, and security properties from it. I  
don't care about them, but I don't object to language that makes their  
existence known.

- Rob
Received on Sunday, 3 February 2008 17:31:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:36 GMT