- From: Daniel Stenberg <daniel@haxx.se>
- Date: Tue, 21 Jan 2020 09:53:39 +0100 (CET)
- To: Rick van Rein <rick@openfortress.nl>
- cc: "HTTPbis WG (IETF)" <ietf-http-wg@w3.org>, "Henri Manson (ARPA2)" <henri.manson@arpa2.org>
On Tue, 21 Jan 2020, Rick van Rein wrote:

> The following I-D is a specification that adds SASL authentication to
> HTTP. It allows sharing security mechanisms with other protocols such
> as for email, and resolving security matters in transport-level software
> rather than in applications. I believe this offers dramatic benefits.
>
> An informal example run is presented on
> http://internetwide.org/blog/2018/11/15/somethings-cooking-4.html
> ...
> https://www.ietf.org/internet-drafts/draft-vanrein-httpauth-sasl-03.txt

Hi!

Let me offer some quick initial comments after my first read:

1. RFC2616 is dead, refer to RFC 723X specs instead

2. I would really like to see protocol examples in the spec that better
explain the flows. I couldn't understand it without reading the blog post -
that features such examples.

3. The mandatory 403 when not authenticated seems unorthodox. Regular HTTP
auth returns 401 (or 407 for proxy) when not authenticated.

4. Section 3 wrongly states that Basic and Digest auth use usernames in
URIs. They didn't and don't. They speak of user names but they don't (have
to) come from the URI.

--
/ daniel.haxx.se
Received on Tuesday, 21 January 2020 08:53:52 UTC
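The conventional HTTP auth flow that points 3 and 4 above contrast the draft with, as an added example (not code from the thread or the draft): an unauthenticated or badly authenticated request gets 401 with a WWW-Authenticate challenge rather than 403, 403 is reserved for a client that is authenticated but not permitted, and the user name is taken only from the Authorization header, never from the request URI. The credential store, ACL and realm are constructed for the example.

```python
import base64
import hmac

REALM = "example"
# Constructed credential store and per-path ACL for this example (hypothetical users).
USERS = {"alice": "s3cret", "bob": "hunter2"}
ACL = {"/private": {"alice"}}


def basic_header(user, password):
    """Client side: 'Basic ' + base64(user ':' password), per RFC 7617."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(authorization):
    """Server side: (user, password) from an Authorization header value, or None."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user_pass = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    user, sep, password = user_pass.partition(":")
    return (user, password) if sep else None


def challenge():
    """401 with the WWW-Authenticate challenge a server must send (RFC 7235 s.3.1)."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}


def handle(target, headers):
    """Return (status, response headers). The request target is never consulted for
    who the client is; identity comes solely from the Authorization header."""
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None:
        return challenge()          # no or unusable credentials -> 401, not 403
    user, password = creds
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8")
    ):
        return challenge()          # wrong credentials -> still 401 with a fresh challenge
    if user not in ACL.get(target, set()):
        return 403, {}              # authenticated, but not permitted here -> 403
    return 200, {}
```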