W3C home > Mailing lists > Public > public-identity@w3.org > June 2011

Re: [saag] [websec] [http-auth] re-call for IETF http-auth BoF

From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Wed, 15 Jun 2011 07:46:33 +0900
Message-ID: <BANLkTi=PTXc_VxFsyyUB75X3=fH1ymPYTQ@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: public-identity@w3.org, http-auth@ietf.org
2011/6/15 Nico Williams <nico@cryptonector.com>:
> On Mon, Jun 13, 2011 at 11:59 PM, Peter Gutmann
> <pgut001@cs.auckland.ac.nz> wrote:
>> Phillip Hallam-Baker <hallam@gmail.com> writes:
>>>what would we want HTTP authentication to look like?
>>
>> I have a suggestion for what it shouldn't look like: Any method that hands
>> over the password (or a password-equivalent like a password in hashed form) as
>> current browsers do should be banned outright, and anyone who implements
>> hand-over-the-password should killed and eaten to prevent them from passing on
>> the genes.
>
> +1.

+1, although the original statement is a bit too strong in wording for me :-)

>  - Is this to be done in TLS?  HTTP?  Or at the application-layer?
>
> IMO: TLS is too low a layer to do authentication in, and doing it in
> HTTP would require retrofitting too many HTTP stacks.  Doing it at the
> application layer has a number of advantages.

IMO, I agree that TLS is too low.
However, although the application layer use-case exists,
I believe that for general use cases HTTP-auth layer is more appropriate,
because the trust relationship becomes much simpler.

Backward-compatibility is important, and all intermediates *should* and
*in most cases will* work well with new http authentication
that completely complies with existing HTTP auth framework design.
All they've needed is just forward auth-related headers to the origin server.
We've done some experiment around my proposal,
and it worked quite well with all existing stacks,
including proxies, "SSL accelerators" and load balancers.
(Yes, we've carefully designed the protocol so that it can work in this way.)
Do you need some more detail on it?

Required code modification is almost the same magnitude in both cases,
because we need to change the client, and to add some server-side thing.
we can keep all other intermediates as it is.
Some client-side change is necessary in both cases to make mutual
authentication trustful and unforgeable.
In server-side, http-layer authentication can be implemented in either
in the server or in the application.
Received on Tuesday, 14 June 2011 22:47:01 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 14 June 2011 22:47:07 GMT