W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2011

Re: [apps-discuss] [saag] [websec] [kitten] HTTP authentication: the next generation

From: Blaine Cook <romeda@gmail.com>
Date: Sat, 8 Jan 2011 17:29:29 -0800
Message-ID: <AANLkTimXTAZO8N4LMsxn=SYe8fjx3wjyoQVvrp7dAgad@mail.gmail.com>
To: "Zed A. Shaw" <zedshaw@zedshaw.com>, Blaine Cook <romeda@gmail.com>, Phillip Hallam-Baker <hallam@gmail.com>, Ben Laurie <benl@google.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, David Morris <dwm@xpasc.com>, websec <websec@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On 8 January 2011 11:49, Zed A. Shaw <zedshaw@zedshaw.com> wrote:
> On Sat, Jan 08, 2011 at 09:37:00AM -0800, Blaine Cook wrote:
> I don't normally respond, just being a lurker, but this statement is
> competely wrong Blaine.  OAuth may be used for more requests, but not
> more sites.  It's used on a tiny number of sites, with OpenID being used
> on way many more, and even then, not nowhere near the number of websites
> that form based authentication and browser authentication methods.
> Don't equate twitter having a ton of traffic to OAuth being some kind of
> raving success, and sure as hell don't evaluate the technical merits of
> something by its popularity.

Agreed - though, facebook is also using oauth-based (not 1.0, but
essentially the same approach) logins, and there are a number of other
sites that do provide oauth-based login infrastructure.

Moreover, the nudge towards oauth is intended with the movement
towards a new auth infrastructure in mind. We'd need some kind of
discovery / negotiation mechanism on top to make it not the
one-or-two-companies-own-the-web play that login-over-oauth is now.
(c.f. OpenID Connect).


> While I agree that TLS client side isn't going to work, none of the
> proposed authentication methods will work without a change to browsers
> to support a way for two websites to establish a session in the browser.
> If that feature existed you would cut down on a lot of the complexity of
> things like OpenID and OAuth.

Again, agreed. ;-)

for the record, I don't think that OAuth itself is a suitable
replacement for HTTP authorisation, but wanted to stir the pot,
especially away from overwrought technical solutions that don't
actually solve anyone's needs.

Received on Sunday, 9 January 2011 01:30:26 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:56 UTC