- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Sun, 05 Oct 2014 17:58:35 +1300
- To: ietf-http-wg@w3.org
On 5/10/2014 5:09 p.m., Yutaka OIWA wrote:
> Dear Michael,
>
> such properties are only true for "some" set of HTTP
> authentications, and NTLM is one of them, unfortunately. It's
> against the HTTP/1.1 spec and will be broken in HTTP/2.

Let's put it this way.

NTLM auth assumes a single-connection environment.

NTLM is expecting to securely authenticate *THE* TCP connection, when HTTP in fact uses 2, 3, 4 ... N connections to deliver the single message. With a potentially different set of N connections on each message emitted by the client.

Software allowing NTLM to happen in HTTP/1.1 has an annoyingly large amount of hacks and workarounds to pervert or outright disable many of the desirable high-performance features of the HTTP/1.1 protocol.

The same/equivalent workarounds and disabling can be done in HTTP/2, but will make HTTP/2 run just as slow as HTTP/1.1 does with NTLM.

Amos
Received on Sunday, 5 October 2014 04:59:18 UTC
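A simplified model of the connection-binding problem described in the message above, added here as an illustration; it is not code from the thread or from any HTTP implementation. The names `Server`, `fetch`, `pinned`, `round_robin` and `total_messages` are hypothetical, and the handshake is reduced to Type 1 / Type 2 / Type 3 messages with an integer nonce standing in for the real NTLM computation.

```python
import itertools

class Server:
    """Keeps NTLM-style handshake state per TCP connection id, not per message."""
    def __init__(self):
        self.challenge = {}              # conn_id -> outstanding Type 2 nonce
        self.authed = set()              # conn_ids that finished the handshake
        self._nonce = itertools.count(1)

    def handle(self, conn_id, msg=None, answer=None):
        if conn_id in self.authed:
            return 200, None             # this connection is already authenticated
        if msg == "type1":
            self.challenge[conn_id] = next(self._nonce)
            return 401, self.challenge[conn_id]   # 401 carrying the Type 2 challenge
        ok = msg == "type3" and answer is not None and self.challenge.get(conn_id) == answer
        self.challenge.pop(conn_id, None)         # a challenge is single-use either way
        if ok:
            self.authed.add(conn_id)
        return (200, None) if ok else (401, None)

def fetch(server, pick_conn, max_msgs=9):
    """Issue one request, running the handshake as needed; returns (status, messages sent)."""
    msg, answer, sent = None, None, 0
    while sent < max_msgs:
        status, chal = server.handle(pick_conn(), msg, answer)
        sent += 1
        if status == 200:
            return 200, sent
        # Answer a challenge if one was issued, otherwise (re)start the handshake.
        msg, answer = ("type3", chal) if chal is not None else ("type1", None)
    return 401, sent

def pinned():
    """Every message on connection 0: three messages to authenticate, then one per request."""
    s = Server()
    return fetch(s, lambda: 0), fetch(s, lambda: 0)

def round_robin(n_conns=3):
    """Messages spread freely over n_conns: the Type 3 never meets its own challenge."""
    conns = itertools.cycle(range(n_conns))
    return fetch(Server(), lambda: next(conns))

def total_messages(n_requests, n_conns):
    """Requests rotate over n_conns, but each handshake is pinned to one connection."""
    server, total = Server(), 0
    for i in range(n_requests):
        status, sent = fetch(server, lambda: i % n_conns)
        assert status == 200
        total += sent
    return total
```

The last function shows the cost side of the workaround: pinning makes the handshake succeed, but every additional connection pays for its own handshake.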