- From: Henry Story <henry.story@bblfish.net>
- Date: Tue, 16 Jul 2013 09:13:37 +0200
- To: Nico Williams <nico@cryptonector.com>
- Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, M Stefan <mstefanro@gmail.com>, ietf-http-wg@w3.org
On 16 Jul 2013, at 08:26, Nico Williams <nico@cryptonector.com> wrote:

> On Sun, Jul 14, 2013 at 7:02 PM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
>> Authentication should happen either in the encrypting transport
>> which moves HTTP/2.0 across (as in certificates and asymmetric crypto)
>> or in the application transported inside HTTP/2.0 (as in most web-site
>> login dialogs), but HTTP/2.0 itself should not get involved: It
>> is the wrong layer.
>
> I agree. Thus my proposal for RESTful authentication (with channel
> binding to TLS where available). I don't believe user authentication
> in TLS will work out too well (it hasn't so far, and there are reasons
> why it should prove difficult; see my reply to Yoav's reply to
> Stefan).

RESTful authentication on the TLS level exists. We have been working on it over the past 5 years, testing it over most well-known languages, showing how it works with distributed ACLs and distributed social networks. It's called WebID. The latest drafts are here:

WebID overview: https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html
WebID over TLS: https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html

A video is here: http://webid.info/

To try it out with WebAccess Control, try https://github.com/stample/rww-play

Henry

> Nico

--
Social Web Architect
http://bblfish.net/
Received on Tuesday, 16 July 2013 07:14:07 UTC