Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis) from Yoav Nir on 2012-02-24 (ietf-http-wg@w3.org from January to March 2012)

From: Yoav Nir <ynir@checkpoint.com>
Date: Fri, 24 Feb 2012 22:17:14 +0000
To: Paul Hoffman <paul.hoffman@vpnc.org>
CC: Stephen Farrell <stephen.farrell@cs.tcd.ie>, IETF-Discussion Discussion <ietf@ietf.org>, The IESG <iesg@ietf.org>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <A8ECD869-385D-4D3D-BD4F-A19F96ACE031@checkpoint.com>

On Feb 24, 2012, at 5:02 PM, Paul Hoffman wrote:

> On Feb 24, 2012, at 4:54 AM, Stephen Farrell wrote:
> 
>>> "Proposals for new HTTP authentication schemes are in scope."
>> 
>> How would a plan like the following look to folks:
>> 
>> - httpbis is chartered to include auth mechanism work as
>> per the above (or whatever text goes into the charter)

<snip/>

>> 
>> Might that be a way forward that'll give enough folks
>> enough of what they want/need?
> 
> 
> It would, but I would like to give a counter-proposal that I think will use people's different talents better:
> 
> - new wg on developing http authentication mechanisms is chartered soon (BoF in Paris); call it the ham wg
> - httpbis is chartered to follow the work of the ham wg and is required to make sure that the authentication framework in http 2.0 works for as many of the proposals from the ham wg as possible
> - ham wg is responsible for most of what you list above
> - http2.0 document says "the mandatory to implement auth mechanisms are named in that RFC over there", which comes from the ham wg
> 
> There will be overlap in wg membership, but not nearly as much as would be needed for your proposal.

I like the idea, but there is always the danger of the HAM working group either getting stuck with multiple non-interoperable proposals like we've seen at IPsecME with the PAKE work.

There is also the possibility of getting stuck with conflicting requirements. For example, there will be a need to use existing user databases (RADIUS/DIAMETER servers, LDAP directories), but that is hard to reconcile with the preference for ZKPs.

I'm not really worried, because HTTP/2.0 is bound to take a long time, and there will be plenty of opportunity for chair and ADs to step in and intervene if the wg actually does that.

On a more technical note, we are 12 days past the cutoff date for new BoF session requests, so it's probably too late for a BoF in Paris. 

Yoav

Received on Monday, 27 February 2012 09:38:16 UTC