Re: Authentication over HTTP

From: Nico Williams <nico@cryptonector.com>
Date: Tue, 16 Jul 2013 12:34:02 -0500
Message-ID: <CAK3OfOg9JZbcnZhHSNrfSViNeV+wyctwYzSKhXpjGf3f_gP+VQ@mail.gmail.com>
To: Amos Jeffries <squid3@treenet.co.nz>
Cc: ietf-http-wg@w3.org

On Tue, Jul 16, 2013 at 7:54 AM, Amos Jeffries <squid3@treenet.co.nz> wrote:
> *Every single claim* that HTTP-auth is broken and needs re-designing seems
> to me to be based on the flawed assumption that HTTP-auth is not extensible
> and that the common existing schemes are the only ones HTTP permits. Or that
> somehow a user authenticating with N different and fragile mechanisms for
> one transaction is a good thing (I rather disagree, the UX on that would be
> tricky and implementation nightmares).

That's either a strawman or you misunderstood the arguments against
doing authentication in HTTP.  It's not that "HTTP auth is broken",
but that HTTP is the *wrong layer* -- that's not because HTTP or HTTP
auth is broken, but because properties of the stack of protocols
spoken make HTTP auth a problematic proposition.

BTW, I've not seen any arguments about N different mechanisms (fragile
or not) being a problem.

Nico
--
Received on Tuesday, 16 July 2013 17:34:25 UTC