W3C home > Mailing lists > Public > public-identity@w3.org > June 2011

Re: [saag] [websec] [http-auth] re-call for IETF http-auth BoF

From: Josh Howlett <Josh.Howlett@ja.net>
Date: Fri, 17 Jun 2011 16:11:40 +0000
To: Nico Williams <nico@cryptonector.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
CC: "hallam@gmail.com" <hallam@gmail.com>, "http-auth@ietf.org" <http-auth@ietf.org>, "julian.reschke@gmx.de" <julian.reschke@gmx.de>, "public-identity@w3.org" <public-identity@w3.org>, "saag@ietf.org" <saag@ietf.org>, "websec@ietf.org" <websec@ietf.org>
Message-ID: <CA213642.20890%josh.howlett@ja.net>
On 17/06/2011 16:25, "Nico Williams" <nico@cryptonector.com> wrote:
>On Fri, Jun 17, 2011 at 3:38 AM, Peter Gutmann
><pgut001@cs.auckland.ac.nz> wrote:
>> Nico Williams <nico@cryptonector.com> writes:
>>>Shall we have just one authentication mechanism?
>>
>> *If* the idea is to specify a new auth mechanism and *if* it's for
>>browsers
>> and similar devices, I'd just say "Use EAP with X", it's been studied
>>and
>> spec'd to death, there's lots of implementations, it's pretty simple to
>>do,
>> etc.
>
>CHeck out what ABFAB WG is doing then!  ;)

Just by way of information for Peter's benefit, we have an ABFAB
implementation -- and we've demonstrated ABFAB-based EAP authentication
with Firefox and Apache by leveraging their existing support for the HTTP
Negotiate scheme.

I also agree with Peter's argument, although there are other benefits to
EAP that he doesn't mention. It supports a diverse range of authentication
methods, which means that deployers are not required to use a particular
type of credential - they can use whatever type of credential best suits
their needs.

In addition, with EAP Pass-Through the web server does not need to
understand the credential technology being presented by the user; the web
server can be entirely agnostic with respect to the credential technology
being used by EAP (modulo some basic security properties that enable GSS
magic to happen).

>>>at the application layer and in a RESTful way:
>>
>> I would really, *really* prefer to not invent another auth mechanism.
>>There'd
>> have to be a pretty strong argument to not use what we've already got.
>>I
>> happen to like EAP because it's simple, already spec'd out for lots of
>>things
>> (including cellphones via SIMs and other non-browser devices), and you
>>can
>> just say "use this", as long as "this" is profiled a bit to be
>>something more
>> specific than "any EAP mechanism you feel like".
>
>Ah, but I'm not proposing that we invent any new mechanisms.  Mind
>you, I'd not mind more mechanism choices, but I'm not proposing new
>ones.  I'm proposing a way to use the set of mechanisms we have in
>HTTP without modifying HTTP nor TLS.

Nico's proposal definitely adds significant value to EAP (ABFAB) based
authentication, relative to transport-bound Negotiate. I would like to see
GSS REST happen.

Josh.




JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
Received on Sunday, 19 June 2011 00:40:37 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 June 2011 00:40:39 GMT