Re: Authentication and TCP Connection State

On Sat, Oct 4, 2014 at 5:02 AM, Julian Reschke
<julian.reschke@greenbytes.de> wrote:
> Hm, no. HTTP authentication is stateless, the server doesn't need to
> associate it with a live connection. Unless you're talking about the weirdo
> NTLM, which never should have been approved as HTTP authentication scheme.

What's more "weirdo":

a) Use IPsec or TLS to get a secure TCP connection and then HTTP
clients and servers just have to authenticate the TCP connection (and
they can skip TLS if they're satisfied that clients are not being
directed through a compromised proxy).

OR

b) Require HTTP clients and servers build security on top of HTTP
which involves performing authentication using the Auth-ID mechanism in
draft-montenegro-httpbis-multilegged-auth and then separately either
compute and submit a crypto token for every single request or get a
secure TCP connection so that you can safely store auth state in the
session.

Outside of corporate IntrAnets people are not going to do option b. So
everyone on the Internet is just going to continue to construct their
own auth scheme on top of HTTPS and process plaintext passwords on the
server. That is bad.

And now with multiplexing the client could submit multiple requests
only to find authentication is required which could lead to some at
least awkward if not highly inefficient scenarios.

Note that Kerberos doesn't actually do authentication entirely over
HTTP. The client authenticates separately with a 3rd server using an
entirely different protocol and then it only submits a service ticket.
It is only because of this that Kerberos does not require Keep-Alive.

And the "nonce" in Digest authentication serves the same function as
the Auth-ID in multilegged auth so Digest is really multilegged.

So I suppose my point is that since HTTP is stateless, it cannot
support any kind of real authentication at all without the Auth-ID
mechanism.

Maybe everyone understands this already and I'm just now realizing
that HTTP has totally punted authentication.

I suppose it could be thought of as a positive thing because it will
create a lot of work and jobs.
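An added illustration of the point that the Digest nonce ties the two legs of the exchange together without any TCP connection state (example code written for this archive page, not from the thread or from any draft; the nonce format, server key, realm and credentials are constructed):

```python
import hashlib
import hmac
import secrets
import time

# Constructed values for the example (not from the original message).
SERVER_KEY = b"constructed-server-secret"
REALM = "example.org"
USERS = {"alice": "constructed-password"}  # server-side credential store


def _h(s):
    return hashlib.sha256(s.encode()).hexdigest()


def make_nonce(now=None):
    """Self-describing nonce: timestamp plus HMAC, so the server stores nothing per connection."""
    ts = str(now if now is not None else int(time.time()))
    mac = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def nonce_is_valid(nonce, now=None, max_age=300):
    """Check the nonce's integrity and age; any server instance holding SERVER_KEY can do this."""
    ts, _, mac = nonce.partition(":")
    if not ts.isdigit():
        return False
    expected = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    current = now if now is not None else int(time.time())
    return 0 <= current - int(ts) <= max_age


def digest_response(user, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 7616 response value with algorithm=SHA-256 and qop=auth."""
    ha1 = _h(f"{user}:{REALM}:{password}")
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(auth, method, now=None):
    """Verify a parsed Authorization header on whatever connection it arrives, with no stored challenge."""
    if not nonce_is_valid(auth["nonce"], now):
        return False
    password = USERS.get(auth["username"])
    if password is None:
        return False
    expected = digest_response(auth["username"], password, method, auth["uri"],
                               auth["nonce"], auth["nc"], auth["cnonce"])
    return hmac.compare_digest(expected, auth["response"])


def exchange(now=1412445818):
    """Leg 1: 401 carrying the nonce. Leg 2: the request carrying the response. Neither leg needs the other's TCP connection."""
    nonce = make_nonce(now)
    cnonce = secrets.token_hex(8)
    auth = {"username": "alice", "uri": "/private", "nonce": nonce, "nc": "00000001", "cnonce": cnonce,
            "response": digest_response("alice", USERS["alice"], "GET", "/private", nonce, "00000001", cnonce)}
    return server_verify(auth, "GET", now)
```

Because the server keeps no state here, it also cannot tell a replayed request from a fresh one within the nonce's lifetime; a deployment that needs replay protection has to track the nc counter per nonce, which is exactly the kind of auth state the message above is arguing about.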

Received on Saturday, 4 October 2014 18:03:38 UTC