- From: Paul Hoffman <paul.hoffman@gmail.com>
- Date: Thu, 12 Jul 2012 19:22:22 -0700
- To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Greetings again. I am not an implementer or a deployer. I am making this statement of interest as Just Some Person. Please take these comments in that light relative to those from implementers and deployers.

Given what we know about users' inability to choose good passwords and their lack of ability to use good passwords that are chosen for them, it is incredibly important that a non-password authentication mechanism be described for HTTP 2. Thus, I support HOBA or something HOBA-like. The HOBA proposal as it stands has a lot of significant issues, but the idea of portable origin-bound certificates for HTTP clients is the correct way to do non-password authentication for HTTP. draft-williams-rest-gss relies on GSSAPI, which has thin adoption even after many years. draft-montenegro-httpbis-multilegged-auth is an interesting way to get non-password authentication (and NTLM!) into HTTP, but I suspect that not having a mandatory authentication mechanism that is widely supported will mean that this document will go unimplemented.

At least one password-based authentication mechanism should also be standardized for HTTP 2. Of these, draft-oiwa-httpbis-mutualauth and draft-oiwa-httpbis-auth-extension seem to solve more of the problems with passwords than draft-melnikov-httpbis-scram-auth.

I am willing to contribute to and review proposals for non-password authentication. I am willing to provide a bit of late review to a password-based proposal.

--Paul Hoffman
Received on Friday, 13 July 2012 02:22:49 UTC