- From: HAYASHI, Tatsuya <lef.mutualauth@gmail.com>
- Date: Sat, 14 Jul 2012 05:36:21 +0900
- To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Brian Pane <brianp@brianp.net>
Dear Poul-Henning,

(Disclaimer: I am one of the authors of the HTTP mutual authentication I-D.)

IMHO (not the authors, only me), HTTP Authentication (e.g. Digest) has state that I can call a session. I think that this becomes material for this discussion.

"HTTP router" is very well put. I want to know how HTTP Authentication is handled on it. Do you have any opinion about this?

--
HAYASHI, Tatsuya
Lepidum Co. Ltd.

On Sat, Jul 14, 2012 at 4:50 AM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> In message <CAAbTgTv4QxwyBy5Fp5xg7A_WAQ2BAxrK=Ui932amJrXZ2iA50A@mail.gmail.com>
> , Brian Pane writes:
>
>> From the perspective of a load balancer, having just those three fields in
>> cleartext isn't sufficient. Sending a request to the proper upstream
>> destination may require information from Cookie, X-Forwarded-For, and more.
>
> (X-)F-F makes sense.
>
> Cookies: not so, whenever people use cookies, they are working around
> lack of session concept in HTTP. HTTP/2.0 should fix that, so cookies
> go away.
>
>> I'm not too concerned about load balancers having to decrypt messages,
>> though: SSL termination has been a key selling point for load balancers for
>> many years.
>
> That's not the same as it being a good idea.
>
> Hosting providers are often unable to deploy load-balancers and
> DoS mitigation, exactly because it would require them to have all
> their hosted clients' certificates.
>
> --
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
Received on Friday, 13 July 2012 20:36:48 UTC