HTTP2 Expression of Interest

Greetings again. I am not an implementer or a deployer. I am making
this statement of interest as Just Some Person. Please take these
comments in that light relative to those from implementers and
deployers.

Given what we know about users' inability to choose good passwords and
their lack of ability to use good passwords that are chosen for them,
it is incredibly important that a non-password authentication
mechanism be described for HTTP 2. Thus, I support HOBA or something
HOBA-like. The HOBA proposal as it stands has a lot of significant
issues, but the idea of portable origin-bound certificates for HTTP
clients is the correct way to do non-password authentication for HTTP.
draft-williams-rest-gss relies on GSSAPI, which has thin adoption even
after many years. draft-montenegro-httpbis-multilegged-auth is an
interesting way to get non-password authentication (and NTLM!) into
HTTP, but I suspect that not having a mandatory authentication
mechanism that is widely supported will mean that this document will
go unimplemented.

At least one password-based authentication mechanism should also be
standardized for HTTP 2. Of these, draft-oiwa-httpbis-mutualauth and
draft-oiwa-httpbis-auth-extension seem to solve more of the problems
with passwords than draft-melnikov-httpbis-scram-auth.

I am willing to contribute to and review proposals for non-password
authentication. I am willing to provide a bit of late review to a
password-based proposal.

--Paul Hoffman

Received on Friday, 13 July 2012 02:22:49 UTC