- From: Zed A. Shaw <zedshaw@zedshaw.com>
- Date: Sat, 8 Jan 2011 11:49:52 -0800
- To: Blaine Cook <romeda@gmail.com>
- Cc: Phillip Hallam-Baker <hallam@gmail.com>, Ben Laurie <benl@google.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, David Morris <dwm@xpasc.com>, websec <websec@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Sat, Jan 08, 2011 at 09:37:00AM -0800, Blaine Cook wrote:

> Two points:
>
> 1. In this entire thread, no-one has mentioned OAuth. Maybe y'all
> don't like it, but it's used to authenticate more HTTP requests by
> volume and users than everything-except-cookies combined. You may want
> to consider the design of OAuth when proceeding with these
> discussions, rather than the laundry list of [completely] failed
> protocols.

I don't normally respond, just being a lurker, but this statement is completely wrong Blaine. OAuth may be used for more requests, but not more sites. It's used on a tiny number of sites, with OpenID being used on way more, and even then, nowhere near the number of websites that use form-based authentication and browser authentication methods. Don't equate twitter having a ton of traffic to OAuth being some kind of raving success, and sure as hell don't evaluate the technical merits of something by its popularity.

> 2. With respect to federated auth, especially using email address-like
> identifiers, there has been a bevy of (deployed) work in this regard.
> The effort is called webfinger, and is worth a look. Instead of DNS,
> we use host-meta based HTTP lookups to dereference the identifiers.
> Many diaspora and status.net installs are using it today, and there
> are several proposals towards building a security & privacy
> infrastructure on top of webfinger (webid is one such proposal whose
> incorporation of client-side TLS certificates in a browser context
> makes me very wary of its potential for success).

While I agree that TLS client side isn't going to work, none of the proposed authentication methods will work without a change to browsers to support a way for two websites to establish a session in the browser. If that feature existed you would cut down on a lot of the complexity of things like OpenID and OAuth.

--
Zed A. Shaw
http://zedshaw.com/
Received on Saturday, 8 January 2011 19:50:31 UTC