
Re: Internet Draft: HTTP += SASL

From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 21 Jan 2020 09:53:39 +0100 (CET)
To: Rick van Rein <rick@openfortress.nl>
cc: "HTTPbis WG (IETF)" <ietf-http-wg@w3.org>, "Henri Manson (ARPA2)" <henri.manson@arpa2.org>
Message-ID: <alpine.DEB.2.20.2001210944260.8039@tvnag.unkk.fr>
On Tue, 21 Jan 2020, Rick van Rein wrote:

> The following I-D is a specification that adds SASL authentication to
> HTTP.  It allows sharing security mechanisms with other protocols such
> as for email, and resolve security matters in transport-level software
> rather than in applications.  I believe this offers dramatic benefits.
> An informal example run is presented on
> http://internetwide.org/blog/2018/11/15/somethings-cooking-4.html
>
> https://www.ietf.org/internet-drafts/draft-vanrein-httpauth-sasl-03.txt

Let me offer some quick initial comments after my first read:

1. RFC 2616 is dead, refer to RFC 723X specs instead

2. I would really like to see protocol examples in the spec that better 
explain the flows. I couldn't understand it without reading the blog post, 
which features such examples.

3. The mandatory 403 when not authenticated seems unorthodox. Regular HTTP 
auth returns 401 (or 407 for proxy) when not authenticated.

4. Section 3 wrongly states that Basic and Digest auth use usernames in URIs. 
They didn't and don't. They speak of user names but they don't (have to) come 
from the URI.


  / daniel.haxx.se
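As an added illustration of points 3 and 4 above (example code written for this archive page, not part of the thread, the draft, or any of the participants' software), the following Python sketch shows the standard challenge/response flow for HTTP authentication: an unauthenticated request is answered with 401 plus a `WWW-Authenticate` challenge (407 plus `Proxy-Authenticate` for a proxy), and the user name for Basic is taken from the `Authorization` header, never from userinfo in the request-target. The user `alice`, password `wonderland`, realm `demo` and the `handle()` helper are constructed for the example.

```python
"""Constructed demo of RFC 7235 challenges and RFC 7617 Basic credentials.

Everything here is in-memory: no sockets, no real users.  The point is the
status code chosen when credentials are absent or wrong, and where the user
name actually comes from.
"""
import base64
import hmac

# Constructed credential store; a real deployment stores salted password hashes.
USERS = {"alice": "wonderland"}
REALM = "demo"


def basic_authorization(user, password):
    """Client side: build an 'Authorization: Basic ...' value (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_credentials(header_value):
    """Server side: return (user, password) from a Basic credential value, or None.

    The credentials are base64(user ':' password) carried in the header field;
    the password may itself contain ':', so only the first one is the separator.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def credentials_valid(user, password):
    """Constant-time comparison so a mismatch does not leak where it differs."""
    expected = USERS.get(user, "")
    return bool(expected) and hmac.compare_digest(password.encode(), expected.encode())


def handle(request_target, headers, *, proxy=False):
    """Decide the response for one request; returns (status, response_headers).

    Missing or invalid credentials produce 401 (or 407 at a proxy) together with
    a challenge, which is what RFC 7235 prescribes.  A 403 would instead tell
    the client that retrying with credentials will not help.
    """
    if proxy:
        credential_field, status, challenge_field = "Proxy-Authorization", 407, "Proxy-Authenticate"
    else:
        credential_field, status, challenge_field = "Authorization", 401, "WWW-Authenticate"
    challenge = {challenge_field: f'Basic realm="{REALM}", charset="UTF-8"'}

    # The request-target is deliberately not consulted for a user name: any
    # userinfo in it (http://user:pw@host/) has no role in Basic or Digest.
    _ = request_target

    # HTTP field names are case-insensitive, so look the header up that way.
    value = next((v for k, v in headers.items() if k.lower() == credential_field.lower()), None)
    if value is None:
        return status, challenge
    creds = parse_basic_credentials(value)
    if creds is None or not credentials_valid(*creds):
        return status, challenge
    return 200, {"Content-Type": "text/plain"}


if __name__ == "__main__":
    print(handle("/", {}))                                   # 401 + WWW-Authenticate
    print(handle("/", {}, proxy=True))                       # 407 + Proxy-Authenticate
    print(handle("http://alice:wonderland@example.test/", {}))  # still 401: URI userinfo is ignored
    print(handle("/", {"Authorization": basic_authorization("alice", "wonderland")}))  # 200
```

Note that the challenge is returned for both the "no credentials yet" and the "wrong credentials" cases; the client distinguishes them only by whether it already sent an `Authorization` field. That is the behaviour a 403 would break, since a 403 carries no challenge and does not invite a retry.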
Received on Tuesday, 21 January 2020 08:53:52 UTC
