- From: Ben Laurie <benl@google.com>
- Date: Sun, 9 Jan 2011 13:44:12 +0000
- To: Blaine Cook <romeda@gmail.com>
- Cc: "Zed A. Shaw" <zedshaw@zedshaw.com>, Phillip Hallam-Baker <hallam@gmail.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, David Morris <dwm@xpasc.com>, websec <websec@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On 9 January 2011 01:29, Blaine Cook <romeda@gmail.com> wrote:
> On 8 January 2011 11:49, Zed A. Shaw <zedshaw@zedshaw.com> wrote:
>> On Sat, Jan 08, 2011 at 09:37:00AM -0800, Blaine Cook wrote:
>> I don't normally respond, just being a lurker, but this statement is
>> completely wrong Blaine. OAuth may be used for more requests, but not
>> more sites. It's used on a tiny number of sites, with OpenID being used
>> on way many more, and even then, nowhere near the number of websites
>> that form based authentication and browser authentication methods.
>>
>> Don't equate twitter having a ton of traffic to OAuth being some kind of
>> raving success, and sure as hell don't evaluate the technical merits of
>> something by its popularity.
>
> Agreed - though, facebook is also using oauth-based (not 1.0, but
> essentially the same approach) logins, and there are a number of other
> sites that do provide oauth-based login infrastructure.
>
> Moreover, the nudge towards oauth is intended with the movement
> towards a new auth infrastructure in mind. We'd need some kind of
> discovery / negotiation mechanism on top to make it not the
> one-or-two-companies-own-the-web play that login-over-oauth is now.
> (c.f. OpenID Connect).
>
> b.
>
>> While I agree that TLS client side isn't going to work, none of the
>> proposed authentication methods will work without a change to browsers
>> to support a way for two websites to establish a session in the browser.
>> If that feature existed you would cut down on a lot of the complexity of
>> things like OpenID and OAuth.
>
> Again, agreed. ;-)
>
> for the record, I don't think that OAuth itself is a suitable
> replacement for HTTP authorisation, but wanted to stir the pot,
> especially away from overwrought technical solutions that don't
> actually solve anyone's needs.

Towards ones that are ripe for phishing and have no privacy protections? I
don't believe that's a good direction.
Received on Sunday, 9 January 2011 13:44:42 UTC