Hi Keith,
--On May 13, 2005 12:55:16 AM -0400 Keith Moore
<moore(_at_)cs(_dot_)utk(_dot_)edu> wrote:
Regarding your SMTP analogy, I don't think it is the case that adding
another authentication flavor to HTTP is as simple as it was to add
authentication to SMTP - first, because HTTP is much more complex than
SMTP (especially in how it negotiates protocol options); second, because
SMTP has a much cleaner extension model than HTTP (thank you mtr);
third, because the relationships between principals tend to be different
for HTTP than for SMTP; and fourth, because in the case of HTTP servers
there is a significant investment in existing authentication databases
and the types of credentials they support which did not exist for SMTP
when authentication was added to it.
Its worth noting that the current CalDAV effort
<http://www.ietf.org/internet-drafts/draft-dusseault-caldav-05.txt> (which
is attempting to use WebDAV as the basis for a calendaring and scheduling
protocol) would benefit from sharing an authentication database with other
related services - email (IMAP, POP, SMTP etc) being the best example.
Those existing protocols now typically use SASL for the authentication
exchange so it would seem natural to want SASL in HTTP too so that CalDAV
could be easily integrated into such environments. Unfortunately the HTTP
SASL draft
<http://www.ietf.org/internet-drafts/draft-nystrom-http-sasl-12.txt>
proposing such a scheme has been stalled for quite a while, so progress on
this front is limited. Also, I don't think it would help with the session
tracking issue either.
--
Cyrus Daboo
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf