Re: HTTP2 Expression of Interest

On Fri, Jul 13, 2012 at 1:24 PM, Nico Williams <nico@cryptonector.com> wrote:
> On Fri, Jul 13, 2012 at 12:37 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>> I really dislike the idea of having a platform inside a platform
>>
>> TLS is way too big for comfort. GSSAPI has mechanism on mechanism.
>
> I'm not sure I understand.  The GSS-API is just an API.

Which makes it a non-starter as HTTP is a protocol. How does a
protocol interact with an API?

> It defines a
> tiny bit of protocol.  To give you an idea of just how little
> "mechanism on mechanism" the GSS-API has just consider the fact that
> SSPI is teh interface to TLS on Windows, and that the GSI TLS
> mechanism for GSS is wire-compatible with TLS even though it's being
> invoked from the GSS-API!

I have no way to parse or make sense of what you are trying to say.

A protocol and an API are two different things.

If its not bits on the wire or describing the state at either end then
it isn't a protocol and if it isn't a protocol it has no place in HTTP
spec.


>> I don't want a choice of fifty ways to authenticate. I want exactly
>> one mechanism to support each type of authentication. I certainly
>
> Good luck coming up with a single mechanism that works on an Internet
> scale, on corporate networks, with BYOD, with IT-managed desktops, ..
> and that meets the requirements of all those involved.  And as if that
> were not hard enough, you'll have to come up with one mechanism that
> manages to use the existing infrastructures that people already have
> or else makes it real economic (read: *CHEAP*) to replace those.

Been there, done that. I was editor of SAML 1.0. I think I know the
range of complexity out there.

But HTTP 2.0 should not be SAML either. We have an opportunity here to
address the central problems that SAML, OpenID and OAUTH have to work
around all the time.


> I think we need protocols that work with the types of credentials that
> people have *already* deployed, whether those be smartcards,
> passwords, OTPs, two-factor, or whether the infrastructures be based
> on RADIUS, Kerberos, ...
>
> There are large investments in these things already made.

Nowhere near as large as the investment in HTTP and we are proposing
to change that.


-- 
Website: http://hallambaker.com/

Received on Friday, 13 July 2012 17:40:36 UTC