Re: Call for Adoption: HTTP Unprompted Authentication

On Tue, Feb 7, 2023, at 16:58, Mark Nottingham wrote:
> This is a Call for Adoption for:
>   https://www.ietf.org/archive/id/draft-schinazi-httpbis-unprompted-auth-01.html
>
> Please indicate (in response to this message) whether you support 
> adoption, and whether you intend to implement.

This is a little late, but I was asked to offer perspective, so...

Mozilla currently has no use case that would need this mechanism, so we can't really be supportive of adoption on that basis.  However, nor do we oppose it.  The design seems fundamentally sound[*], which is important here.

Provided there is adequate support from those who intend to deploy this, then adoption makes sense.  I haven't seen much evidence of that support so far.

Cheers,
Martin

[*] With the usual caveats.  For instance, I think that the bindings are a little loose, but that's small beans and easy to fix.  Some analysis should be undertaken to be more certain about the security properties, but that seems doable.  The draft does not deal with key rotation well (no mechanism needed).  And some of the issues raised in this thread seem like they are worth considering.  All of that is business as usual for an adopted draft, of course.

Received on Friday, 24 February 2023 04:36:16 UTC