Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

On Feb 22, 2012, at 9:39 AM, Peter Saint-Andre wrote:

> On 2/22/12 10:31 AM, Paul Hoffman wrote:
>> The earnest calls for better authentication on this thread appear to
>> ignore the fact that the very things that are being requested were
>> put out of scope for the websec WG in their charter. I hope that no
>> one thinks that a WG in the Applications Area will be better equipped
>> to come up with a better authentication mechanism than one in the
>> Security Area.
> 
> The WebSec WG is in the Applications Area.
> 
>> Asking the HTTPheads to guess what the securityheads might want is
>> not a good way to design HTTP 2.0.
> 
> Probably not.
> 
>> Proposal: leave the httpbis WG charter as-is and re-charter the
>> websec WG to consider what is needed in the HTTP authentication
>> model. Later, recharter the websec WG to, you know, actually do the
>> security work for authentication.
> 
> Or charter a separate WG to focus on HTTP authentication. (You might
> recall that the BoF leading to formation of the WebSec WG was entitled
> HASMAT = "HTTP Application Security Minus Authentication and Transport"
> or somesuch.)

Please understand that this exact same discussion was had in 1994 and
the IESG decided that the applications area couldn't possibly do this
work on their own, so they created a security area working group to
handle it.  That HTTP Security group, which was dominated by folks who
did not have any implementations of HTTP, decided to ignore the problem
for which they were chartered and instead invented SHTTP.

More importantly, the effect of that decision was that the people who
get work done at the IETF were prevented from improving HTTP's auth
mechanisms because it was out of scope, while the people who had it
in scope had no corresponding incentive to get it DONE.

Every time this topic comes up, people want to shove it off to some
other working group that is somehow going to magically get off its
collective ass and do real work.  Why?  It doesn't work.  It never
has worked.  We've gone through four iterations now of revising HTTP,
each one starting off with the same discussion, and each one concluding
that auth would be better owned by someone else.

There is nobody else.

How many times do we have to do this before we declare insanity?
I don't care how much risk it adds to the HTTP charter.  They are
all just meaningless deadlines anyway.  If we want HTTP to have
something other than Basic (1993) and Digest (1995) authentication,
then it had better be part of *this* charter so that the proposals
can address them.

....Roy

Received on Friday, 24 February 2012 01:14:10 UTC