- From: Nico Williams <nico@cryptonector.com>
- Date: Fri, 13 Jul 2012 17:40:02 -0500
- To: Phillip Hallam-Baker <hallam@gmail.com>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Fri, Jul 13, 2012 at 12:09 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote: > 2) Code budget > > Before going anywhere, ask how many bytes the browsers might commit to > these proposals. I would be very surprised if they would allow more > than 100Kb for the whole of HTTP/2.0. > > Ergo anyone proposing integrating their favorite API with a 500Kb dll > is pushing a total non-starter. In fact I think that any scheme that > cannot be implemented in fifty or so pages of self-contained code is a > non-starter. [...] > GSS-API was considered in 1995 and found to be too big, slow and > difficult to understand. I don't think it should be reconsidered > unless it has been drastically reduced in size since. I believe the > opposite to be the case. Once more, with feeling: :) There's no need to use the GSS-API in order to use GSS mechanisms. The portion of GSS security mechanisms that a REST-GSS client would have to implement can be quite minimized compared to a full implementation. For a mechanism like SCRAM the total size should be quite small (especially if you don't count HMAC nor the hash function, because those are probably to be shared with other parts of the client application). For a ZKPP it's probably a little bigger. For a ZKPP mechanism with federation support with the server doing all the infrastructure messaging work the code should be about the same size. *Kerberos* code is going to be huge, largely because of ASN.1/DER and a much heavier crypto footprint (there's a number of ciphersuites). But that's another story. I'm not proposing Kerberos. I'm proposing that HTTP/2.0 auth be pluggable. Nico --
Received on Friday, 13 July 2012 22:40:29 UTC