Re: [saag] [websec] [http-auth] re-call for IETF http-auth BoF

On Fri, Jun 17, 2011 at 3:38 AM, Peter Gutmann
<pgut001@cs.auckland.ac.nz> wrote:
> Nico Williams <nico@cryptonector.com> writes:
>>Shall we have just one authentication mechanism?
>
> *If* the idea is to specify a new auth mechanism and *if* it's for browsers
> and similar devices, I'd just say "Use EAP with X", it's been studied and
> spec'd to death, there's lots of implementations, it's pretty simple to do,
> etc.

Check out what ABFAB WG is doing then!  ;)

(Hint: they're making a GSS-API security mechanism based on EAP.  Now,
if only there were a way to use that well in HTTP.)

>>at the application layer and in a RESTful way:
>
> I would really, *really* prefer to not invent another auth mechanism.  There'd
> have to be a pretty strong argument to not use what we've already got.  I
> happen to like EAP because it's simple, already spec'd out for lots of things
> (including cellphones via SIMs and other non-browser devices), and you can
> just say "use this", as long as "this" is profiled a bit to be something more
> specific than "any EAP mechanism you feel like".

Ah, but I'm not proposing that we invent any new mechanisms.  Mind
you, I'd not mind more mechanism choices, but I'm not proposing new
ones.  I'm proposing a way to use the set of mechanisms we have in
HTTP without modifying HTTP or TLS.

Nico
--

Received on Friday, 17 June 2011 15:25:57 UTC