RE: Security Requirements for HTTP, draft -00

Would it be helpful to group the security requirements in the document into
'browser-like' use cases and 'automation-like' use cases and ensure that
both sets are considered consistently?


  _____  

From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org] On
Behalf Of Robert Sayre
Sent: Saturday, February 02, 2008 10:11 PM
To: ietf-http-wg@w3.org
Subject: Re: Security Requirements for HTTP, draft -00


Not even close.  Regular old HTTP authentication requests outnumber
browser-driven forms-based use of the Web (on a per-request basis)
by an order of magnitude.


I agree that the draft is skewed towards browser-like use cases, and some
statements don't apply to automated traffic. I also think browser-like
traffic is where HTTP authentication as currently implemented is pretty
useless, and worth focusing on.


The opinions stated in the draft are wrong and do nothing but obscure
the mechanisms that are supposed to be described.


Disagree. The purpose of the draft is not to describe the mechanisms in high
detail. It's also OK to have unsubstantiated claims in a working document,
as long as they are taken care of before publication. Removing the
quantitative claims would probably avoid a lot of boring finger wagging IETF
mail, so I agree they should go.


 I suggest you remove
them and rely more on actual examples of authentication as used in HTTP.


One concrete data point would be that Amazon AWS traffic (some of which uses
their custom HTTP auth scheme) has surpassed the traffic of Amazon.com.
OTOH, it might be that more GET requests to Amazon.com are FBA-customized,
while most of the GET requests to AWS are not authenticated. Would love some
actual data. 


A lot of the stuff heard at an IETF meeting is simply old wives' tales
retold by folks who don't build application services, let alone the
services that use HTTP.  They should not be relied upon for this draft.


That isn't the source material for this document, but I'm glad you enjoy the
meetings.

To me, HTTP authentication is the stuff that's ineffectively presented in
the browser, but not worth fixing, because the existing schemes aren't
useful. The draft is trying to determine why that is.


It doesn't make any difference either way.  The notion that
authenticated HTTP requests are almost entirely based on FBA is absurd.
It ignores the fact that most HTTP requests aren't even made by browsers.


Yes, there may be a large amount of traffic using HTTP Authentication in
applications that are difficult to observe. They might even get good
scalability, compatibility, and security properties from it. I don't care
about them, but I don't object to language that makes their existence known.

- Rob

Received on Sunday, 3 February 2008 20:20:35 UTC