- From: Phillip Hallam-Baker <hallam@gmail.com>
- Date: Sun, 22 Jul 2012 23:35:22 -0400
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>
On Sun, Jul 22, 2012 at 8:15 PM, Mark Nottingham <mnot@mnot.net> wrote: I see session ids as a form of authentication actually, or rather I think the same technology can fill both needs. Authentication is actually 3 separate issues: 1) Account establishment (create 'alice')/Federated binding (validate alice@example.com) 2) Initial Authentication: Is 'alice' initiating this session? 3) Re-Authentication: Is this message part of an active session? I think that (1) is a can of worms so lets leave it to one side for the moment. A client established unlinkable identifier is a very strong way to address (2). A server pushed token (aka ticket) and shared secret is a very strong way to address (3). I don't think we need to discuss how to do the session id as a separate issue, it will drop out of almost any authentication scheme. We just need to bear in mind this particular use case when we are designing the authentication scheme for two reasons. First it seems like a reasonable use case, second it is a use case that people are likely to attempt to force the systems to support even if we don't explicitly intend it to be supported. > HI Willy, > > On 21/07/2012, at 3:23 PM, Willy Tarreau wrote: > >> On Sat, Jul 21, 2012 at 10:17:53AM +1000, Mark Nottingham wrote: >>> There's been a lot of discussion about client-initiated session identifiers >>> on list lately. >>> >>> This is interesting, and perhaps important work, but it's squarely outside of >>> our *current* scope of work. >>> >>> I'd encourage the folks who are interested in it to work on a proposal (or >>> three) in the form of Internet-Drafts; we can then spend some time discussing >>> them, before figuring out what to do about it. As it is, the on-list >>> discussion is getting somewhat circular. >> >> Mark, >> >> a draft is something appropriate when ideas are already in shape. Designing >> while writing a draft and without other participants' ideas and feedback is >> a very hard task (and not always efficient). Some discussions with the people >> on the list help figure out what ideas are wrong because the people with >> knowledge and experience are here. > > That's great, and normally I'd be much more willing to let this conversation run its course. > > However, we had more than sixty messages in a handful of days. Right now, the Working Group is supposed to be concentrating on selecting a starting point for further work, as well as discussing the authentication proposals, and I don't want people to be distracted / arguing about this going into next week's meeting. > > I'm not saying this isn't a valuable -- and potentially promising -- conversation. I just want to see it pause. > > >> Granted this can look like pollution compared to the scope of reviewing >> draft-20 and expressing support for 2.0 drafts, but if the participants >> silently work in their garage on a draft, they won't work on the current >> scope either and they'll come up with solutions which only reflect their >> own use. >> >> Maybe instead we should be strict on selecting the subjects of e-mails so >> that it's easier to skip the undesired threads and limit pollution ? > > > It's quite likely we'll be doing that in the future, yes. Right now, however, it's mostly a timing issue. > > Thanks, > > > > -- > Mark Nottingham > http://www.mnot.net/ > > > > > -- Website: http://hallambaker.com/
Received on Monday, 23 July 2012 03:35:49 UTC