- From: Nico Williams <nico@cryptonector.com>
- Date: Fri, 13 Jul 2012 12:24:02 -0500
- To: Phillip Hallam-Baker <hallam@gmail.com>
- Cc: Paul Hoffman <paul.hoffman@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Fri, Jul 13, 2012 at 12:37 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> I really dislike the idea of having a platform inside a platform
>
> TLS is way too big for comfort. GSSAPI has mechanism on mechanism.

I'm not sure I understand. The GSS-API is just an API. It defines a tiny bit of protocol. To give you an idea of just how little "mechanism on mechanism" the GSS-API has, just consider the fact that SSPI is the interface to TLS on Windows, and that the GSI TLS mechanism for GSS is wire-compatible with TLS even though it's being invoked from the GSS-API!

> I don't want a choice of fifty ways to authenticate. I want exactly
> one mechanism to support each type of authentication. I certainly

Good luck coming up with a single mechanism that works on an Internet scale, on corporate networks, with BYOD, with IT-managed desktops, ... and that meets the requirements of all those involved. And as if that were not hard enough, you'll have to come up with one mechanism that manages to use the existing infrastructures that people already have, or else makes it really economical (read: *CHEAP*) to replace those.

I think we need protocols that work with the types of credentials that people have *already* deployed, whether those be smartcards, passwords, OTPs, two-factor, or whether the infrastructures be based on RADIUS, Kerberos, ... There are large investments in these things already made.

Nico
--
Received on Friday, 13 July 2012 17:24:25 UTC