Re: Response to HTTP2 expressions of interest

On Fri, Jul 13, 2012 at 12:09 PM, Phillip Hallam-Baker <> wrote:
> 2) Code budget
> Before going anywhere, ask how many bytes the browsers might commit to
> these proposals. I would be very surprised if they would allow more
> than 100Kb for the whole of HTTP/2.0.
> Ergo anyone proposing integrating their favorite API with a 500Kb dll
> is pushing a total non-starter. In fact I think that any scheme that
> cannot be implemented in fifty or so pages of self-contained code is a
> non-starter.
> GSS-API was considered in 1995 and found to be too big, slow and
> difficult to understand. I don't think it should be reconsidered
> unless it has been drastically reduced in size since. I believe the
> opposite to be the case.

Once more, with feeling: :) There's no need to use the GSS-API in
order to use GSS mechanisms.

The portion of GSS security mechanisms that a REST-GSS client would
have to implement can be quite minimized compared to a full
implementation.  For a mechanism like SCRAM the total size should be
quite small (especially if you don't count HMAC or the hash function,
because those are probably to be shared with other parts of the client
application).  For a ZKPP it's probably a little bigger.  For a ZKPP
mechanism with federation support with the server doing all the
infrastructure messaging work the code should be about the same size.

*Kerberos* code is going to be huge, largely because of ASN.1/DER and
a much heavier crypto footprint (there's a number of ciphersuites).
But that's another story.  I'm not proposing Kerberos.  I'm proposing
that HTTP/2.0 auth be pluggable.


Received on Friday, 13 July 2012 22:40:29 UTC
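To make the "quite small" claim for SCRAM concrete, here is an added example (not code from the thread or from any of the projects mentioned) of a complete SCRAM-SHA-256 exchange (RFC 5802 / RFC 7677) with both the client and the server side; everything except HMAC and SHA-256 fits in a few dozen lines. The function names, the fixed nonces and the salt are constructed for illustration.

```python
import base64, hashlib, hmac

def _hi(password: bytes, salt: bytes, iters: int) -> bytes:
    # Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-256 and dkLen equal to the hash length
    return hashlib.pbkdf2_hmac("sha256", password, salt, iters)

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def server_store(password: str, salt: bytes, iters: int = 4096) -> dict:
    # The server keeps only StoredKey and ServerKey, never the password itself
    salted = _hi(password.encode(), salt, iters)
    return {"salt": salt, "iters": iters,
            "stored_key": _h(_hmac(salted, b"Client Key")),
            "server_key": _hmac(salted, b"Server Key")}

def scram_exchange(user: str, password: str, store: dict, cnonce: str, snonce: str) -> tuple:
    """Run the four-message exchange; returns (server_accepted_client, client_accepted_server)."""
    b64 = lambda b: base64.b64encode(b).decode()
    client_first_bare = f"n={user},r={cnonce}"                      # message 1 (client -> server)
    server_first = f"r={cnonce}{snonce},s={b64(store['salt'])},i={store['iters']}"  # message 2
    # "biws" is the base64 of the GS2 header "n,," (no channel binding)
    client_final_no_proof = f"c=biws,r={cnonce}{snonce}"            # message 3, minus the proof
    auth_message = f"{client_first_bare},{server_first},{client_final_no_proof}".encode()

    # client: prove knowledge of the password without ever sending it
    salted = _hi(password.encode(), store["salt"], store["iters"])
    client_key = _hmac(salted, b"Client Key")
    client_proof = _xor(client_key, _hmac(_h(client_key), auth_message))

    # server: recover ClientKey from the proof and check that H(ClientKey) == StoredKey
    recovered_key = _xor(client_proof, _hmac(store["stored_key"], auth_message))
    server_ok = hmac.compare_digest(_h(recovered_key), store["stored_key"])
    server_final = _hmac(store["server_key"], auth_message)          # message 4 (server -> client)

    # client: verify the server also knows ServerKey (mutual authentication)
    expected = _hmac(_hmac(salted, b"Server Key"), auth_message)
    client_ok = hmac.compare_digest(server_final, expected)
    return server_ok, client_ok
```

In a real deployment the nonces are random per session and the server sends message 4 only when `server_ok` holds; they are fixed here so the exchange is reproducible.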