- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Thu, 23 Feb 2012 17:13:53 -0800
- To: Peter Saint-Andre <stpeter@stpeter.im>
- Cc: Paul Hoffman <paul.hoffman@vpnc.org>, The IESG <iesg@ietf.org>, IETF-Discussion <ietf@ietf.org>, ietf-http-wg@w3.org
On Feb 22, 2012, at 9:39 AM, Peter Saint-Andre wrote: > On 2/22/12 10:31 AM, Paul Hoffman wrote: >> The earnest calls for better authentication on this thread appear to >> ignore the fact that the very things that are being requested were >> put out of scope for the websec WG in their charter. I hope that no >> one things that a WG in the Applications Area will be better equipped >> to come up with a better authentication mechanism than one in the >> Security Area. > > The WebSec WG is in the Applications Area. > >> Asking the HTTPheads to guess what the securityheads might want is >> not a good way to design HTTP 2.0. > > Probably not. > >> Proposal: leave the httpbis WG charter as-is and re-charter the >> websec WG to consider what is needed in the HTTP authentication >> model. Later, recharter the websec WG to, you know, actually do the >> security work for authentication. > > Or charter a separate WG to focus on HTTP authentication. (You might > recall that the BoF leading to formation of the WebSec WG was entitled > HASMAT = "HTTP Application Security Minus Authentication and Transport" > or somesuch.) Please understand that this exact same discussion was had in 1994 and the IESG decided that the applications area couldn't possibly do this work on their own, so they created a security area working group to handle it. That HTTP Security group, which was dominated by folks who did not have any implementations of HTTP, decided to ignore the problem for which they were chartered and instead invented SHTTP. More importantly, the effect of that decision was that the people who get work done at the IETF were prevented from improving HTTP's auth mechanisms because it was out of scope, while the people who had it in scope had no corresponding incentive to get it DONE. Every time this topic comes up, people want to shove it off to some other working group that is somehow going to magically get off its collective ass and do real work. Why? It doesn't work. It never has worked. We've gone through four iterations now of revising HTTP, each one starting off with the same discussion, and each one concluding that auth would be better owned by someone else. There is nobody else. How many times do we have to do this before we declare insanity? I don't care how much risk it adds to the HTTP charter. They are all just meaningless deadlines anyway. If we want HTTP to have something other than Basic (1993) and Digest (1995) authentication, then it had better be part of *this* charter so that the proposals can address them. ....Roy
Received on Friday, 24 February 2012 01:14:10 UTC