- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Sun, 12 Dec 2010 14:39:23 -0800
- To: Alexey Melnikov <alexey.melnikov@isode.com>
- Cc: Yoav Nir <ynir@checkpoint.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, websec <websec@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Dec 12, 2010, at 10:40 AM, Alexey Melnikov wrote:

> Yoav Nir wrote:
>
>> EAP has one advantage. It is easy to integrate with existing RADIUS/DIAMETER infrastructure.
>>
> True.
> And SASL has an advantage that it is easier to integrate with LDAP infrastructure.
>
> I think this just demonstrates that before an HTTP authentication mechanism can be evaluated, people need to agree on common evaluation criteria for HTTP authentication.

Define them all and let's have a bake-off. It has been 16 years since HTTP auth was taken out of our hands so that the security experts could define something perfect. Zero progress so far. We should just define everything and let the security experts do what they do best -- find the holes and tell us what not to implement.

....Roy
Received on Sunday, 12 December 2010 22:39:53 UTC