Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis) from Stephen Farrell on 2012-02-21 (ietf-http-wg@w3.org from January to March 2012)

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Tue, 21 Feb 2012 22:53:12 +0000
To: Mark Nottingham <mnot@mnot.net>
CC: Julian Reschke <julian.reschke@gmx.de>, ietf-http-wg@w3.org, IETF-Discussion <ietf@ietf.org>, iesg@ietf.org
Message-ID: <4F442058.5070804@cs.tcd.ie>

On 02/21/2012 10:40 PM, Mark Nottingham wrote:
>
> On 22/02/2012, at 9:19 AM, Stephen Farrell wrote:
>

>> So as in my initial mail the 1st question here is, what
>> does "modern" mean in this draft charter? E.g. does it
>> mean "same as the current framework with different
>> bits" or something else? If so, what?
>
> As discussed off-list, I'd be happy to drop this phrase from *this* charter, in anticipation of it being worked out in discussions about the *next* one.

Well, I think the phrase does need to be replaced
by something else all right.

I'm reluctant to omit mention of security entirely
of course and do want to know what's gonna be done
for authentication in a putative HTTP/2.0.

Like I said, I'm pretty skeptical that any significant
change to security properties will be achievable at
that next charter stage.

>> And then should it include adding some new options
>> or MTI auth schemes as part of HTTP/2.0 or even looking
>> at that? (I think it ought to include trying for that
>> personally, even if there is a higher-than-usual risk
>> of failure.)
>
>
> Based on past experience, I think the risk is very high, and we don't need to pile any more risk onto this particular project.

Based on past experience the milestones for this will be
wildly optimistic and it'll really take five years so at
the end of 2017 we'll be right where we are in terms of
HTTP authentication for all of which time HTTP authentication
will be the "next thing" to do. (Ok, I'm exaggerating a
bit there.)

I think both experiences are valid.

> Also, most of the discussions about authentication and associated problems on the Web are *not* exclusive to HTTP or even protocol artefacts; they include concerns like UI and human factors, integration into hypertext, etc. As such, what we really need is a "whole of stack" focus on Web authentication; shoving it into this particular WG will, IMO, lead to a predictable failure.

It is true that many sites don't use HTTP authentication
for UI reasons. I don't think it follows that doing nothing
is the right approach. (Well, one could argue to remove all
user authentication from HTTP I guess - is that one of the
proposals?)

Cheers,
S.

Received on Tuesday, 21 February 2012 22:53:36 UTC