W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2011

Re: [kitten] [saag] HTTP authentication: the next generation

From: Robert Sayre <sayrer@gmail.com>
Date: Wed, 5 Jan 2011 20:28:08 -0500
Message-ID: <AANLkTimWZz-uOQ3whayCgAzHRXJLWh7qYjiqW7h8-MK7@mail.gmail.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Alexey Melnikov <alexey.melnikov@isode.com>, Yoav Nir <ynir@checkpoint.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, websec <websec@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
> Peter Saint-Andre <stpeter@stpeter.im> wrote:
> 2. In 2007, Robert Sayre put together a few slides on the topic:
> http://people.mozilla.com/~sayrer/2007/auth.html

These are back on the Web, in case anyone missed them (probably not).

On Sun, Dec 12, 2010 at 5:39 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
> Define them all and let's have a bake-off.  It has been 16 years since
> HTTP auth was taken out of our hands so that the security experts could
> define something perfect.  Zero progress so far.

Hard to disagree with this assessment.

It's pretty easy to define something better than the current HTTP
authentication mechanisms, but pretty hard to design something more
popular than forms+cookies.

I've looked at this problem a little bit, and I gather the strictly
technical security properties we're looking for are pretty well
understood. Deployment and presentation control are the tough parts.
Presentation control is actually a security trade-off--to get the
control web designers want, you have to present graphics before the
server has been authenticated. Also, I suspect it will be difficult to
deploy a new HTTP mechanism that can withstand replay and DoS attacks,
unless proxy conformance gets a lot better. So, I think those
advocating TLS-only solutions might turn out to win the day, but not
because the security properties on offer are particularly compelling.

I think the IETF might do better to focus on a smaller problem, at
first. People often use self-signed certificates with HTTP/TLS, even
though the first thing their websites ask the user to do is type a
username and password into a form. There are some well-understood ways
to make this process more secure. Why hasn't the IETF fixed this
problem? If this smaller problem has no ready solution, then the
larger issue of authentication on the entire Web seems like a tough
nut to crack.

It could be that the reasons for this lack of progress are
nontechnical. Just throwing that out there.


Robert Sayre

"I would have written a shorter letter, but I did not have the time."
Received on Thursday, 6 January 2011 01:29:32 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:56 UTC