- From: Nico Williams <nico@cryptonector.com>
- Date: Tue, 16 Jul 2013 12:34:02 -0500
- To: Amos Jeffries <squid3@treenet.co.nz>
- Cc: ietf-http-wg@w3.org

On Tue, Jul 16, 2013 at 7:54 AM, Amos Jeffries <squid3@treenet.co.nz> wrote:
> *Every single claim* that HTTP-auth is broken and needs re-designing seems
> to me to be based on the flawed assumption that HTTP-auth is not extensible
> and that the common existing schemes are the only ones HTTP permits. Or that
> somehow a user authenticating with N different and fragile mechanisms for
> one transaction is a good thing (I rather disagree, the UX on that would be
> tricky and implementation nightmares).

That's either a strawman or you misunderstood the arguments against doing authentication in HTTP. It's not that "HTTP auth is broken", but that HTTP is the *wrong layer* -- that's not because HTTP or HTTP auth is broken, but because properties of the stack of protocols spoken make HTTP auth a problematic proposition.

BTW, I've not seen any arguments about N different mechanisms (fragile or not) being a problem.

Nico

Received on Tuesday, 16 July 2013 17:34:25 UTC