Re: Call for Adoption: HTTP Unprompted Authentication from Eric J Bowman on 2023-02-24 (ietf-http-wg@w3.org from January to March 2023)

From: Eric J Bowman <mellowmutt@zoho.com>
Date: Fri, 24 Feb 2023 15:31:11 -0800
To: "Christopher Wood" <caw@heapingbits.net>
Cc: "mark nottingham" <mnot@mnot.net>, "http working group" <ietf-http-wg@w3.org>, "tommy pauly" <tpauly@apple.com>
Message-Id: <18685c42b44.e1acca954877.5894602446250292773@zoho.com>

No offense to Chris, but ugh. Cookies have value, but they're still fundamentally at odds with the architectural style derived from reality. The entire notion of unprompted authentication is a red flag to me, architecturally speaking, especially to support a niche use-case.

I don't see this as a "super cookie," but I can't put my finger on why it worries me along those lines, as an end-run around how HTTP Auth "should" work, at least in what's left of my brain. Mainstream or niche, to me, any use-case should conform to... well... my notion of "proper" architecture. See "Minority Report" lol, this is pre-crime...

-Eric

---- On Tue, 07 Feb 2023 12:41:02 -0800 Christopher Wood <caw@heapingbits.net> wrote ---

I'm supportive of adopting this draft on the basis of the desired use cases. They may be rather niche -- and should likely be added to the draft [0] -- but I understand them to have value. 

I do have some questions about the technical contents, which I've filed issues to track [1,2,3,4,5]. I'm happy to help seek resolution of those on GitHub. 

Are there any implementations of this mechanism yet? I would be happy to help provide an implementation of the server piece for interop tests. 

Best, 
Chris 

[0] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/22 
[1] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/17 
[2] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/18 
[3] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/19 
[4] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/20 
[5] https://github.com/DavidSchinazi/draft-schinazi-httpbis-transport-auth/issues/21 

> On Feb 7, 2023, at 12:58 AM, Mark Nottingham <mailto:mnot@mnot.net> wrote: 
> 
> Hello everyone, 
> 
> We first discussed this draft at IETF114[1],  saw implementation interest at IETF115, [2] and finally had some more list discussion. 
> 
> This is a Call for Adoption for: 
> https://www.ietf.org/archive/id/draft-schinazi-httpbis-unprompted-auth-01.html 
> 
> Please indicate (in response to this message) whether you support adoption, and whether you intend to implement. 
> 
> The CfA will last for two weeks. 
> 
> Cheers, 
> 
> 
> 1. https://httpwg.org/wg-materials/ietf114/minutes.html#transport-auth-david-schinazi 
> 1. https://httpwg.org/wg-materials/ietf115/minutes.html#unprompted-auth 
> 
> -- 
> Mark Nottingham https://www.mnot.net/ 
> 
>

Received on Friday, 24 February 2023 23:31:37 UTC