Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

Stephen, 

The approach we're advocating for this WG is to solicit well-formed proposals, select one and develop it. 

If there isn't one for HTTP authentication, how are you advocating we proceed?

Regards,

On 22/02/2012, at 9:53 AM, Stephen Farrell wrote:

> 
> 
> On 02/21/2012 10:40 PM, Mark Nottingham wrote:
>> 
>> On 22/02/2012, at 9:19 AM, Stephen Farrell wrote:
>> 
> 
>>> So as in my initial mail the 1st question here is, what
>>> does "modern" mean in this draft charter? E.g. does it
>>> mean "same as the current framework with different
>>> bits" or something else? If so, what?
>> 
>> As discussed off-list, I'd be happy to drop this phrase from *this* charter, in anticipation of it being worked out in discussions about the *next* one.
> 
> Well, I think the phrase does need to be replaced
> by something else all right.
> 
> I'm reluctant to omit mention of security entirely
> of course and do want to know what's gonna be done
> for authentication in a putative HTTP/2.0.
> 
> Like I said, I'm pretty skeptical that any significant
> change to security properties will be achievable at
> that next charter stage.
> 
>>> And then should it include adding some new options
>>> or MTI auth schemes as part of HTTP/2.0 or even looking
>>> at that? (I think it ought to include trying for that
>>> personally, even if there is a higher-than-usual risk
>>> of failure.)
>> 
>> 
>> Based on past experience, I think the risk is very high, and we don't need to pile any more risk onto this particular project.
> 
> Based on past experience the milestones for this will be
> wildly optimistic and it'll really take five years so at
> the end of 2017 we'll be right where we are in terms of
> HTTP authentication for all of which time HTTP authentication
> will be the "next thing" to do. (Ok, I'm exaggerating a
> bit there.)
> 
> I think both experiences are valid.
> 
>> Also, most of the discussions about authentication and associated problems on the Web are *not* exclusive to HTTP or even protocol artefacts; they include concerns like UI and human factors, integration into hypertext, etc. As such, what we really need is a "whole of stack" focus on Web authentication; shoving it into this particular WG will, IMO, lead to a predictable failure.
> 
> It is true that many sites don't use HTTP authentication
> for UI reasons. I don't think it follows that doing nothing
> is the right approach. (Well, one could argue to remove all
> user authentication from HTTP I guess - is that one of the
> proposals?)
> 
> Cheers,
> S.
> 
> 

--
Mark Nottingham
http://www.mnot.net/

Received on Tuesday, 21 February 2012 22:56:08 UTC