Re: HTTP2 Expression of Interest

On Fri, Jul 13, 2012 at 12:37 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> I really dislike the idea of having a platform inside a platform
>
> TLS is way too big for comfort. GSSAPI has mechanism on mechanism.

I'm not sure I understand.  The GSS-API is just an API.  It defines a
tiny bit of protocol.  To give you an idea of just how little
"mechanism on mechanism" the GSS-API has just consider the fact that
SSPI is the interface to TLS on Windows, and that the GSI TLS
mechanism for GSS is wire-compatible with TLS even though it's being
invoked from the GSS-API!

> I don't want a choice of fifty ways to authenticate. I want exactly
> one mechanism to support each type of authentication. I certainly

Good luck coming up with a single mechanism that works on an Internet
scale, on corporate networks, with BYOD, with IT-managed desktops, ...
and that meets the requirements of all those involved.  And as if that
were not hard enough, you'll have to come up with one mechanism that
manages to use the existing infrastructures that people already have
or else makes it really economical (read: *CHEAP*) to replace those.

I think we need protocols that work with the types of credentials that
people have *already* deployed, whether those be smartcards,
passwords, OTPs, two-factor, or whether the infrastructures be based
on RADIUS, Kerberos, ...

There are large investments in these things already made.

Nico
--

Received on Friday, 13 July 2012 17:24:25 UTC