- From: Yutaka OIWA <y.oiwa@aist.go.jp>
- Date: Wed, 06 Jan 2010 15:27:21 +0900
- To: Thomas Broyer <t.broyer@gmail.com>
- Cc: public-web-security@w3.org
Thomas Broyer <t.broyer@gmail.com> writes:

> Try it here:
> http://www.ltgt.net/tests/http-cookie-auth/www-authenticate-in-200.asis
(...)
> *All* of them display the response body without prompting for credentials.

Thank you for the valuable information. Anyway, as my proposal will not be a standard today, we will have enough time to have surveys and make a consensus on how optional authentication should be encoded in HTTP.

Regarding the Optional header, I still prefer and propose to explicitly state it optional in the keyword, which I feel is clearer. But if there is a consensus among all HTTP key players (IETF, server and browser vendors) (it is needed for us so that implementations will never change their implementation in a conflicting way), I will just follow it. Mine is just an alternative proposal.

> Well, I actually don't really understand the need for
> location-when-authenticated in Mutual-auth; why isn't the page
> returned in the 401 response body? (to save bytes in a transition
> phase from Basic/Digest? not really a compelling argument...)

Our second goal is to accept all web applications using custom authentication mechanisms without heavy modification (so that we will eliminate form-based authentication in the future). As just a better HTTP authentication replacing Basic and Digest, it would not be needed. But there are plenty of existing use cases (currently using forms and cookies for authentication) where applications want to force a single access path for logging in, so we need to support it.

>> # Do you plan to go to Anaheim?
>
> Oh no; I'm doing all of this on my spare time (as a hobby if you
> prefer), so nobody would fund the transport and hotel for me ;-)

Sad to hear it, and I wish to have another chance.

More follow-up will come later.

Regards,
-- 
Yutaka OIWA, Ph.D.
Research Scientist
Research Center for Information Security (RCIS)
National Institute of Advanced Industrial Science and Technology (AIST)
Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]
Received on Wednesday, 6 January 2010 06:27:56 UTC
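The two challenge styles the thread contrasts, modelled in Python as an added example (not code from the thread, the test page, or the Mutual-auth draft): a mandatory challenge is 401 plus WWW-Authenticate, while an "optional" challenge rides on a 200 whose body is already usable by an anonymous client. Basic is used only as a stand-in scheme, since the message does not define the Mutual-auth syntax; the user store and realm are constructed.

```python
import base64

# Constructed credential store and realm for the demo only.
USERS = {"alice": "correct horse"}
REALM = "demo"


def basic_token(user, password):
    """Build a Basic Authorization header value (demo helper)."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def parse_basic(authorization):
    """Return the user name if the header carries valid Basic credentials, else None."""
    if not authorization or not authorization.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if sep and USERS.get(user) == password:
        return user
    return None


def handle(request_headers, optional):
    """Server side: return (status, response_headers, body) for one request.

    optional=False: mandatory authentication, anonymous requests get a 401.
    optional=True: the challenge is sent on a 200 together with the public body,
    so an anonymous client can use the page and authenticate later.
    """
    user = parse_basic(request_headers.get("Authorization"))
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    if user:
        return 200, {}, "Welcome back, %s" % user
    if optional:
        return 200, challenge, "Public page (log in for more)"
    return 401, challenge, "Authentication required"


def client_view(status, response_headers):
    """Client side: what a user agent should do with this response."""
    has_challenge = "WWW-Authenticate" in response_headers
    if status == 401 and has_challenge:
        return "prompt"        # must authenticate before content is shown
    if status == 200 and has_challenge:
        return "render-offer"  # show body and offer login; today's browsers just render
    return "render"
```

The "render-offer" branch is the behaviour the thread found no current browser implements: they treat a 200 with WWW-Authenticate exactly like a plain 200.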