W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: draft-mbelshe-httpbis-spdy-00: auth schemes

From: Mike Belshe <mike@belshe.com>
Date: Mon, 26 Mar 2012 23:42:32 +0200
Message-ID: <CABaLYCu-M98ruPiATPpQgrmSv3LQRt=m-T4Tucoo69bumDAm4g@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Mar 20, 2012 at 9:38 PM, Julian Reschke <julian.reschke@gmx.de>wrote:

> Hi,
> <http://tools.ietf.org/html/**draft-mbelshe-httpbis-spdy-00#**
> section-3.2.3<http://tools.ietf.org/html/draft-mbelshe-httpbis-spdy-00#section-3.2.3>>
> mentions:
>   There are four options for proxy authentication, Basic, Digest, NTLM
>   and Negotiate (SPNEGO).  The first two options were defined in
>   RFC2617 [RFC2617], and are stateless.  The second two options were
>   developed by Microsoft and specified in RFC4559 [RFC4559], and are
>   stateful; otherwise known as multi-round authentication, or
>   connection authentication.
> But as far as I can tell, RFC 4559 only defines "Negotiate", not "NTLM".
> (Asking because of <http://greenbytes.de/tech/**webdav/draft-ietf-httpbis-
> **authscheme-registrations-03.**html<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-authscheme-registrations-03.html>
> >...)

Maybe you're right.  The title of RFC4559 is a little misleading:

"SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows"

The reason connection-based auth schemes are problematic in spdy is because
you can put two requests on the wire concurrently.  If each comes back with
its own challenge, the negotiation gets confused.  Further, when we're
trying to put more requests on the same connection, as SPDY does, the
connection-tied auth becomes very brittle.


> Best regards, Julian
Received on Monday, 26 March 2012 21:43:00 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:01 UTC