- From: Josh Howlett <Josh.Howlett@ja.net>
- Date: Fri, 17 Jun 2011 16:11:40 +0000
- To: Nico Williams <nico@cryptonector.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
- CC: "hallam@gmail.com" <hallam@gmail.com>, "http-auth@ietf.org" <http-auth@ietf.org>, "julian.reschke@gmx.de" <julian.reschke@gmx.de>, "public-identity@w3.org" <public-identity@w3.org>, "saag@ietf.org" <saag@ietf.org>, "websec@ietf.org" <websec@ietf.org>
On 17/06/2011 16:25, "Nico Williams" <nico@cryptonector.com> wrote:

>On Fri, Jun 17, 2011 at 3:38 AM, Peter Gutmann
><pgut001@cs.auckland.ac.nz> wrote:
>> Nico Williams <nico@cryptonector.com> writes:
>>>Shall we have just one authentication mechanism?
>>
>> *If* the idea is to specify a new auth mechanism and *if* it's for browsers
>> and similar devices, I'd just say "Use EAP with X", it's been studied and
>> spec'd to death, there's lots of implementations, it's pretty simple to do,
>> etc.
>
>Check out what ABFAB WG is doing then! ;)

Just by way of information for Peter's benefit, we have an ABFAB
implementation -- and we've demonstrated ABFAB-based EAP authentication
with Firefox and Apache by leveraging their existing support for the HTTP
Negotiate scheme.

I also agree with Peter's argument, although there are other benefits to
EAP that he doesn't mention. It supports a diverse range of authentication
methods, which means that deployers are not required to use a particular
type of credential - they can use whatever type of credential best suits
their needs.

In addition, with EAP Pass-Through the web server does not need to
understand the credential technology being presented by the user; the web
server can be entirely agnostic with respect to the credential technology
being used by EAP (modulo some basic security properties that enable GSS
magic to happen).

>>>at the application layer and in a RESTful way:
>>
>> I would really, *really* prefer to not invent another auth mechanism.
>> There'd have to be a pretty strong argument to not use what we've already
>> got. I happen to like EAP because it's simple, already spec'd out for lots
>> of things (including cellphones via SIMs and other non-browser devices),
>> and you can just say "use this", as long as "this" is profiled a bit to be
>> something more specific than "any EAP mechanism you feel like".
>
>Ah, but I'm not proposing that we invent any new mechanisms. Mind you,
>I'd not mind more mechanism choices, but I'm not proposing new ones. I'm
>proposing a way to use the set of mechanisms we have in HTTP without
>modifying HTTP nor TLS.

Nico's proposal definitely adds significant value to EAP (ABFAB) based
authentication, relative to transport-bound Negotiate. I would like to see
GSS REST happen.

Josh.

JANET(UK) is a trading name of The JNT Association, a company limited by
guarantee which is registered in England under No. 2881024 and whose
Registered Office is at Lumen House, Library Avenue, Harwell Oxford,
Didcot, Oxfordshire. OX11 0SG
Received on Sunday, 19 June 2011 00:40:37 UTC
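The relay pattern Josh describes above (Apache and Firefox shuttling tokens through the HTTP Negotiate scheme without interpreting them), shown as an added example that is not code from the message, from ABFAB, or from any project named in the thread. A constructed two-round HMAC challenge-response stands in for the GSS/EAP mechanism; the HTTP layer performs only the RFC 4559 base64 framing and never looks inside a token. Every name here (ToyMechServer, ToyMechClient, negotiate_server, negotiate_client, SHARED_KEY) is this example's own.

```python
"""Added example of the RFC 4559 HTTP Negotiate relay pattern.

Not code from the message, ABFAB, Apache or Firefox. The mechanism is a
constructed two-round HMAC challenge-response standing in for GSS/EAP; all
names here are assumptions of this example.
"""
import base64
import hashlib
import hmac
import secrets

CONTINUE, COMPLETE, FAILED = "continue", "complete", "failed"

# Constructed pre-shared credential, used only by the stand-in mechanism.
SHARED_KEY = b"demo-psk"


class ToyMechServer:
    """Acceptor side of the stand-in mechanism: issue a nonce, verify the MAC."""

    def __init__(self):
        self.nonce = None  # per-context state, created on the first token

    def accept(self, token: bytes):
        if self.nonce is None:
            if token != b"HELLO":
                return FAILED, b""
            self.nonce = secrets.token_bytes(16)
            return CONTINUE, b"CHAL:" + self.nonce
        expected = hmac.new(SHARED_KEY, self.nonce, hashlib.sha256).digest()
        if hmac.compare_digest(token, expected):
            return COMPLETE, b"OK"  # final token lets the client confirm success
        return FAILED, b""


class ToyMechClient:
    """Initiator side: open, answer the challenge, accept the final token."""

    def __init__(self, key: bytes):
        self.key = key

    def init(self, token):
        if token is None:
            return CONTINUE, b"HELLO"
        if token.startswith(b"CHAL:"):
            nonce = token[len(b"CHAL:"):]
            return CONTINUE, hmac.new(self.key, nonce, hashlib.sha256).digest()
        if token == b"OK":
            return COMPLETE, b""
        return FAILED, b""


def negotiate_server(mech, request_headers: dict):
    """HTTP side of the acceptor: RFC 4559 framing only, returns (status, headers).

    Nothing here inspects token contents, so the web server stays agnostic of
    the credential technology. `mech` is per-connection state, which is what
    makes classic Negotiate transport-bound.
    """
    auth = request_headers.get("Authorization", "")
    if not auth.startswith("Negotiate "):
        return 401, {"WWW-Authenticate": "Negotiate"}  # bare challenge
    state, out = mech.accept(base64.b64decode(auth[len("Negotiate "):]))
    hdr = "Negotiate" + (" " + base64.b64encode(out).decode() if out else "")
    if state == CONTINUE:
        return 401, {"WWW-Authenticate": hdr}  # more rounds needed
    if state == COMPLETE:
        return 200, {"WWW-Authenticate": hdr}  # done; carry the final token
    return 403, {}


def negotiate_client(mech, server, max_rounds=5):
    """HTTP side of the initiator: resend until the mechanism completes.

    `server` is a callable taking request headers, standing in for one HTTP
    round trip. Returns True only when both sides reach COMPLETE.
    """
    status, resp = server({})  # unauthenticated probe draws the challenge
    for _ in range(max_rounds):
        if status not in (401, 200):
            return False
        www = resp.get("WWW-Authenticate", "")
        if not www.startswith("Negotiate"):
            return False  # server did not offer Negotiate
        b64 = www[len("Negotiate"):].strip()
        state, out = mech.init(base64.b64decode(b64) if b64 else None)
        if state == FAILED:
            return False
        if status == 200:
            return state == COMPLETE  # client validates the final token too
        status, resp = server(
            {"Authorization": "Negotiate " + base64.b64encode(out).decode()})
    return False


def authenticate(client_key: bytes) -> bool:
    """Run one full exchange against a fresh acceptor context."""
    acceptor = ToyMechServer()
    return negotiate_client(ToyMechClient(client_key),
                            lambda headers: negotiate_server(acceptor, headers))


if __name__ == "__main__":
    print("correct key:", authenticate(SHARED_KEY))      # True
    print("wrong key:  ", authenticate(b"not-the-key"))  # False
```

The point to notice is that `negotiate_server` would be identical for any mechanism plugged into `mech`: swapping the toy challenge-response for a real GSS acceptor changes no HTTP code, which is the "agnostic web server" property the message attributes to EAP pass-through. The per-connection `acceptor` object is also the thing that ties classic Negotiate to the transport.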