Re: [kitten] [saag] HTTP authentication: the next generation

From: Roy T. Fielding <fielding@gbiv.com>
Date: Sun, 12 Dec 2010 14:39:23 -0800
Cc: Yoav Nir <ynir@checkpoint.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, websec <websec@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <2230EA03-32C5-4D34-BC6B-304E813BE3A7@gbiv.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
On Dec 12, 2010, at 10:40 AM, Alexey Melnikov wrote:

> Yoav Nir wrote:
> 
>> EAP has one advantage. It is easy to integrate with existing RADIUS/DIAMETER infrastructure.
>> 
> True.
> And SASL has an advantage that it is easier to integrate with LDAP infrastructure.
> 
> I think this just demonstrates that before an HTTP authentication mechanism can be evaluated, people need to agree on a common evaluation criteria for HTTP authentication.

Define them all and let's have a bake-off.  It has been 16 years since
HTTP auth was taken out of our hands so that the security experts could
define something perfect.  Zero progress so far.  We should just define
everything and let the security experts do what they do best -- find the
holes and tell us what not to implement.

....Roy
Received on Sunday, 12 December 2010 22:39:53 GMT