Re: Straw-man charter for http-bis -- call for errata/clarifications to 2617

Paul Leach wrote:
>
> -----Original Message-----
> From: Henrik Nordstrom [mailto:henrik@henriknordstrom.net] 
> Sent: Thursday, May 31, 2007 3:12 PM
> To: Paul Leach
> Cc: Eric Lawrence; Cyrus Daboo; ietf-http-wg@w3.org
> Subject: RE: Straw-man charter for http-bis -- call for
> errata/clarifications to 2617
>
> tor 2007-05-31 klockan 14:54 -0700 skrev Paul Leach:
>
>   
>> 1. The requirements (use of connection-keep-alive, proxy issues, etc) 
>> for secure use of per-connection authentication could be described in 
>> 2617bis.  AFAIK, these could reflect some actual implementation 
>> experience.
>>     
>
> Connection oriented authentication requires support in the base HTTP
> specs for such schemes, as it has far going implications on transport
> and message requirements.
> [Paul Leach] Since I think people safely use it today, I don't think any
> additions are needed. At least when no proxy server is involved -- I
> forget the trick used to make sure that proxies preserve connection
> semantics before relying on Kerb/SPNEGO when using a proxy. It may be
> that they won't be used if a proxy is involved.
>
> Would be more fruitful to rework NTLM/Negotiate to fit in the HTTP
> message model I think, operating somewhat similar in principle (but
> obviously not algorithm) to Digest MD5-sess with a virtual session
> identifier separate from the transport connection.
> [Paul Leach] That was what my second suggestion from the message, part
> of which you quoted above, was about. I guess it wasn't clear enough. 
>
> It would be a better approach, but it would still be pretty helpful to
> tell people how to interop with the existing approach. 
>
>
>   

I guess I tried to address at least some of these concerns in my
drafts
http://www.ietf.org/internet-drafts/draft-johansson-http-tls-cb-01.txt
and http://www.ietf.org/internet-drafts/draft-johansson-http-gss-01.txt

Based on (and intended to be at least culturally compatible with) Negotiate,
this mechanism doesn't alter the fundamental nature of what constitutes
an HTTP authentication mechanism (imho) but still introduces a connection
identifier of sorts based on the notion of channel bindings.

    Cheers Leif

Received on Friday, 1 June 2007 06:15:31 UTC
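Henrik's suggestion above (rework the connection-oriented schemes to behave like Digest MD5-sess, with a virtual session identifier instead of the transport connection) can be made concrete with the RFC 2617 MD5-sess computation itself. The following Python is an added example written for this archive page; it is not code from the thread, from RFC 2617, or from Leif's drafts. It implements the RFC 2617 H(), KD(), MD5-sess H(A1) and request-digest formulas, and a small server whose only per-user state is H(user:realm:password) and whose session state is keyed on the (nonce, cnonce) pair. The server never consults which TCP connection a request arrived on, so a proxy that reuses or splits connections cannot confuse it, and the nonce-count check rejects replays within the virtual session. The realm, usernames, passwords and the `DigestServer`/`DigestClient` class names are constructed for the demo.

```python
"""RFC 2617 Digest MD5-sess as a connection-independent virtual session (constructed demo)."""
import hashlib
import hmac
import secrets


def h(s: str) -> str:
    """RFC 2617 H(data): lowercase hex MD5 of the string."""
    return hashlib.md5(s.encode()).hexdigest()


def kd(secret: str, data: str) -> str:
    """RFC 2617 KD(secret, data) = H(secret ":" data)."""
    return h(f"{secret}:{data}")


def sess_ha1(ha1_base: str, nonce: str, cnonce: str) -> str:
    """MD5-sess session key: H( H(user:realm:pw) ":" nonce ":" cnonce ).

    ha1_base is H(user:realm:pw); it is all the server has to store per user.
    The nonce comes from the server challenge, the cnonce from the client, so
    the session key is bound to this exchange rather than to a TCP connection."""
    return h(f"{ha1_base}:{nonce}:{cnonce}")


def request_digest(ha1: str, nonce: str, nc: str, cnonce: str,
                   method: str, uri: str, qop: str = "auth") -> str:
    """request-digest = KD(H(A1), nonce:nc:cnonce:qop:H(A2)), A2 = method:uri."""
    ha2 = h(f"{method}:{uri}")
    return kd(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Verifier whose state is keyed on (nonce, cnonce), never on the connection."""

    def __init__(self, realm: str):
        self.realm = realm
        self.users = {}       # username -> H(user:realm:pw)
        self.nonces = set()   # nonces issued in challenges and still accepted
        self.sessions = {}    # (nonce, cnonce) -> highest nonce-count accepted

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = h(f"{username}:{self.realm}:{password}")

    def challenge(self) -> str:
        """Issue the nonce for a WWW-Authenticate: Digest challenge."""
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return nonce

    def verify(self, hdr: dict, method: str, uri: str) -> bool:
        """Check an Authorization: Digest header given as a dict of its fields."""
        base = self.users.get(hdr.get("username"))
        nonce, cnonce, nc = hdr.get("nonce"), hdr.get("cnonce"), hdr.get("nc")
        if base is None or nonce not in self.nonces or not cnonce or not nc:
            return False
        if hdr.get("uri") != uri or hdr.get("algorithm") != "MD5-sess":
            return False
        try:
            count = int(nc, 16)
        except ValueError:
            return False
        # Replay guard: the nonce-count must strictly increase within the session.
        if count <= self.sessions.get((nonce, cnonce), 0):
            return False
        expected = request_digest(sess_ha1(base, nonce, cnonce),
                                  nonce, nc, cnonce, method, uri)
        if not hmac.compare_digest(expected, hdr.get("response", "")):
            return False
        self.sessions[(nonce, cnonce)] = count
        return True


class DigestClient:
    """Client that derives H(A1) once per (nonce, cnonce) and reuses it."""

    def __init__(self, username: str, password: str, realm: str):
        self.username, self.password, self.realm = username, password, realm
        self.session = None   # dict with nonce, cnonce, ha1, nc

    def authorize(self, nonce: str, method: str, uri: str) -> dict:
        if self.session is None or self.session["nonce"] != nonce:
            cnonce = secrets.token_hex(8)
            base = h(f"{self.username}:{self.realm}:{self.password}")
            self.session = {"nonce": nonce, "cnonce": cnonce,
                            "ha1": sess_ha1(base, nonce, cnonce), "nc": 0}
        s = self.session
        s["nc"] += 1
        nc = f"{s['nc']:08x}"
        return {"username": self.username, "realm": self.realm, "nonce": nonce,
                "uri": uri, "algorithm": "MD5-sess", "qop": "auth", "nc": nc,
                "cnonce": s["cnonce"],
                "response": request_digest(s["ha1"], nonce, nc, s["cnonce"],
                                           method, uri)}


def demo() -> bool:
    """Two requests in one virtual session succeed; replaying the second fails."""
    srv = DigestServer("example.org")                       # constructed realm
    srv.add_user("alice", "correct horse battery")          # constructed user
    cli = DigestClient("alice", "correct horse battery", "example.org")
    nonce = srv.challenge()
    r1 = cli.authorize(nonce, "GET", "/index")
    r2 = cli.authorize(nonce, "GET", "/private")
    ok = srv.verify(r1, "GET", "/index") and srv.verify(r2, "GET", "/private")
    replayed = srv.verify(r2, "GET", "/private")           # same nc again
    return ok and not replayed
```

The design point to notice is in `verify`: nothing there identifies the connection, so the second request may legitimately arrive through a proxy on a different upstream connection and still be accepted, while a request whose nonce-count does not advance is rejected regardless of which connection carried it. MD5 is used here only because that is what RFC 2617 specifies; the session-binding structure, not the hash, is what the example illustrates.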