- From: Mark Nottingham <mnot@mnot.net>
- Date: Sat, 11 Dec 2010 10:06:00 +1100
- To: Peter Saint-Andre <stpeter@stpeter.im>
- Cc: http-auth@ietf.org, "kitten@ietf.org" <kitten@ietf.org>, websec@ietf.org, saag@ietf.org, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
There was a very well-attended and wide-ranging bar BoF in Vancouver, and lots of background discussion (/noise). My impression at that point was that the use cases that people wanted to put into scope were so diverse, and the requirements so exacting, that it was a non-starter.

That may still be the case, and I think that without a concrete target, starting the discussion again will ultimately just waste a lot of engineer hours*.

Having said that -- since we now have OAuth shaving off some of those use cases, it may be that a purely browsing-focused authentication mechanism might be able to get traction, provided we can get browser vendors on board (naturally). I'd expect them to instigate this, however.

Cheers,

* Waste, of course, is subjective. A cynical person would think that the opportunity cost of having a bunch of standards people working on something non-productive could, in the end, be a useful diversion. However, I'm not that person, because I'm not thinking it, I'm saying it. But I digress.

On 11/12/2010, at 9:53 AM, Peter Saint-Andre wrote:

> Is it time to start thinking about next-generation authentication
> technologies for HTTP?
>
> We all know that BASIC and DIGEST are ancient and crufty and lacking
> many features and security properties we might want, but there hasn't
> been much discussion about more modern approaches. Here are a few things
> I've found:
>
> 1. Way back in 2001, Keith Burdis wrote an I-D about upgrading to SASL
> within HTTP: http://tools.ietf.org/id/draft-burdis-http-sasl-00.txt
>
> 2. In 2007, Robert Sayre put together a few slides on the topic:
> http://people.mozilla.com/~sayrer/2007/auth.html
>
> 3. Yutaka Oiwa and his colleagues have been working on a protocol for
> mutual auth: http://tools.ietf.org/html/draft-oiwa-http-mutualauth-08
>
> Other than that, I'm not aware of much activity. What have I missed?
>
> Does it make sense to perhaps hold an exploratory BoF at the next IETF
> meeting (Prague, March 2011) to get people thinking about this topic?
>
> If you're interested, please discuss on the http-auth@ietf.org list:
>
> https://www.ietf.org/mailman/listinfo/http-auth
>
> Thanks!
>
> Peter
>
> --
> Peter Saint-Andre
> https://stpeter.im/

--
Mark Nottingham
http://www.mnot.net/
Received on Friday, 10 December 2010 23:06:34 UTC