Re: Authentication over HTTP

On Sun, Jul 14, 2013 at 7:02 PM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> Authentication should happen either in the encrypting transport
> which moves HTTP/2.0 across (as in certificates and asymmetric crypto)
> or in the application transported inside HTTP/2.0 (as in most web-site
> login dialogs), but HTTP/2.0 itself should not get involved:  It
> is the wrong layer.

I agree.  Thus my proposal for RESTful authentication (with channel
binding to TLS where available).  I don't believe user authentication
in TLS will work out too well (it hasn't so far, and there are reasons
why it should prove difficult; see my reply to Yoav's reply to
Stefan).

Nico
--

Received on Tuesday, 16 July 2013 06:27:44 UTC