Re: Authentication and TCP Connection State

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 5/10/2014 5:09 p.m., Yutaka OIWA wrote:
> Dear Michael,
> 
> such properties are only true for "some" set of HTTP
> authentications, and NTLM is one of them, unfortunately. It's
> against the HTTP/1.1 spec and will be broken in HTTP/2.

Let's put it this way.

NTLM auth assumes a single-connection environment. NTLM is expecting
to securely authenticate *THE* TCP connection, when HTTP in fact uses
2, 3, 4 ... N connections to deliver the single message. With
potentially different set of N connections on each message emitted by
the client.

Software allowing NTLM to happen in HTTP/1.1 has an annoyingly large
amount of hacks and workarounds to pervert or outright disable many of
the desirable high-performance features of HTTP/1.1 protocol.
The same/equivalent workarounds and disabling can be done in HTTP/2,
but will make HTTP/2 run just as slow as HTTP/1.1 does with NTLM.

Amos

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUMM/7AAoJELJo5wb/XPRjLdEIAOJaj/6LEt8Qe49bGhYqKPHu
MHDG0+seKbmKESFM2MH8K0GG2VSx2uXDiftzcsWtO1ljnbGcqQUAnNVc7OJ+gQA5
ZSXjkyp9ZVdKwk57w+wGmyBaj1c3P2kTFNR80DhjxgkBsW1ZX+KBr2WPnuRE5+yb
4Fbf2o4Qpzx6xjsj3H7wuCJQqZlkUiwDoJDJvqPkIK+bjIstmTBbn9XZ/soGNAnh
RSkfJc2nVZzpiw793/ZsO7aQwd/i+G8UumR0A3RB9pJc/jPUjrsi+G+HDNH/d43g
NgJlPTsnOHJBuE5F4Qvix17sLWXENT5ubE6o9dLlX4X9K/f5GJX4xZXRbSYb1W8=
=lze7
-----END PGP SIGNATURE-----

Received on Sunday, 5 October 2014 04:59:18 UTC
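The connection-bound behaviour Amos describes above, as an added example that is not part of the original mail and not code from any NTLM implementation: the Type 1/2/3 messages are placeholder strings, and the client and server are a constructed in-memory model rather than sockets. It shows the two properties at issue: a server that authenticates the TCP connection accepts later requests on that connection with no credentials at all, and a generic HTTP client that spreads the legs of one handshake over a pool of connections never completes it, which is why NTLM forces clients to pin everything to a single connection.

```python
"""Constructed model of NTLM-style, connection-bound HTTP authentication.

Not real NTLM: the Type 1/2/3 messages are placeholder strings and the
client/server are in-memory objects rather than sockets. The model only
captures the property under discussion: the server keeps authentication
state per TCP connection, while a generic HTTP client feels free to send
any request, including the legs of one handshake, on any idle connection.
"""
import itertools

TYPE1 = "NTLM <type1-negotiate>"      # placeholders for the real base64 blobs
TYPE2 = "NTLM <type2-challenge>"
TYPE3 = "NTLM <type3-authenticate>"


class ConnectionBoundAuthServer:
    """Authenticates connections, not requests (as NTLM over HTTP does)."""

    def __init__(self):
        self._state = {}   # conn_id -> "challenged" | "authenticated"

    def handle(self, conn_id, headers):
        """Return (status, response_headers) for one request on conn_id."""
        state = self._state.get(conn_id)
        auth = headers.get("Authorization")
        if state == "authenticated":
            # Once the connection is authenticated, later requests on it
            # carry no credentials and are still accepted.
            return 200, {}
        if auth == TYPE1:
            self._state[conn_id] = "challenged"
            return 401, {"WWW-Authenticate": TYPE2}
        if auth == TYPE3 and state == "challenged":
            self._state[conn_id] = "authenticated"
            return 200, {}
        # No credentials, or a Type 3 on a connection that never saw the
        # challenge: the handshake has to start over on this connection.
        self._state.pop(conn_id, None)
        return 401, {"WWW-Authenticate": "NTLM"}


def handshake(server, pick_conn):
    """Run the three legs of the NTLM exchange, letting pick_conn() choose
    the connection for each leg the way a generic HTTP client would.
    Returns (final_status, connection_used_for_last_leg)."""
    _status, _ = server.handle(pick_conn(), {})               # 401, NTLM offered
    status, resp = server.handle(pick_conn(), {"Authorization": TYPE1})
    if resp.get("WWW-Authenticate") != TYPE2:
        return status, None
    last = pick_conn()
    status, _ = server.handle(last, {"Authorization": TYPE3})
    return status, last


def round_robin(pool_size):
    """Connection chooser for a client spreading requests over N connections."""
    cycle = itertools.cycle(range(pool_size))
    return lambda: next(cycle)


def pinned(conn_id=0):
    """Connection chooser for the NTLM workaround: everything on one connection."""
    return lambda: conn_id


def demo(pool_size):
    """Handshake over a pool of pool_size connections, then probe whether
    the authentication is visible on the same and on a different connection.
    Returns (handshake_status, status_on_same_conn, status_on_other_conn)."""
    server = ConnectionBoundAuthServer()
    chooser = pinned() if pool_size == 1 else round_robin(pool_size)
    status, conn = handshake(server, chooser)
    if conn is None:
        return status, None, None
    same, _ = server.handle(conn, {})           # no Authorization header
    other, _ = server.handle(conn + 100, {})    # a connection never seen before
    return status, same, other


if __name__ == "__main__":
    print("pinned to one connection:", demo(1))      # (200, 200, 401)
    print("two connections, round-robin:", demo(2))  # (401, 401, 401)
```

With a single pinned connection the handshake completes and the next credential-free request on that connection is accepted, while a brand-new connection is still challenged. With two or more connections the Type 3 message lands on a connection that never received the challenge, the server discards it, and nothing is ever authenticated; that is the hole the single-connection hacks in HTTP/1.1 clients and proxies exist to paper over.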