Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

On Feb 23, 2012, at 5:13 PM, Roy T. Fielding wrote:

> I don't care how much risk it adds to the HTTP charter.  They are
> all just meaningless deadlines anyway.  If we want HTTP to have
> something other than Basic (1993) and Digest (1995) authentication,
> then it had better be part of *this* charter so that the proposals
> can address them.
If only it were that simple. If the answer is "design an HTTP auth mechanism that is better than Digest", then this is a tractable goal. If it is "get IETF consensus on that auth mechanism", then it isn't. The latter has proven to be impossible because people say (possibly rightly) that web developers don't want auth mechanisms that use the browser chrome: they want auth in HTML, and anything that relies on the browser chrome is insufficient.

Notice how the topic changed from "HTTP" to "web" for the security discussion but not for the httpbis charter discussion? That topic-change has derailed the HTTP authentication discussions at recent (and not-so-recent) IETF meetings.

If the charter has "develop HTTP authentication mechanisms beyond Digest", that's great: we already have seen about five proposals in the past few years for those, some of them with security analyses. If the charter says "...and specify one that is mandatory to implement", that seems prone to consensus failure because of religion about zero-knowledge proofs versus operational simplicity, but I would be overjoyed to be wrong about that.

--Paul Hoffman

Received on Friday, 24 February 2012 01:24:15 UTC