
Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 16:56:58
Stephen, 

The approach we're advocating for this WG is to solicit well-formed proposals, 
select one and develop it. 

If there isn't one for HTTP authentication, how are you advocating we proceed?

Regards,



On 22/02/2012, at 9:53 AM, Stephen Farrell wrote:

> On 02/21/2012 10:40 PM, Mark Nottingham wrote:
>
>> On 22/02/2012, at 9:19 AM, Stephen Farrell wrote:
>>
>>> So as in my initial mail the 1st question here is, what
>>> does "modern" mean in this draft charter? E.g. does it
>>> mean "same as the current framework with different
>>> bits" or something else? If so, what?
>>
>> As discussed off-list, I'd be happy to drop this phrase from *this* charter,
>> in anticipation of it being worked out in discussions about the *next* one.
>
> Well, I think the phrase does need to be replaced
> by something else all right.
>
> I'm reluctant to omit mention of security entirely
> of course and do want to know what's gonna be done
> for authentication in a putative HTTP/2.0.
>
> Like I said, I'm pretty skeptical that any significant
> change to security properties will be achievable at
> that next charter stage.
>
>>> And then should it include adding some new options
>>> or MTI auth schemes as part of HTTP/2.0 or even looking
>>> at that? (I think it ought to include trying for that
>>> personally, even if there is a higher-than-usual risk
>>> of failure.)
>>
>> Based on past experience, I think the risk is very high, and we don't need
>> to pile any more risk onto this particular project.
>
> Based on past experience the milestones for this will be
> wildly optimistic and it'll really take five years so at
> the end of 2017 we'll be right where we are in terms of
> HTTP authentication for all of which time HTTP authentication
> will be the "next thing" to do. (Ok, I'm exaggerating a
> bit there.)
>
> I think both experiences are valid.
>
>> Also, most of the discussions about authentication and associated problems
>> on the Web are *not* exclusive to HTTP or even protocol artefacts; they
>> include concerns like UI and human factors, integration into hypertext, etc.
>> As such, what we really need is a "whole of stack" focus on Web
>> authentication; shoving it into this particular WG will, IMO, lead to a
>> predictable failure.
>
> It is true that many sites don't use HTTP authentication
> for UI reasons. I don't think it follows that doing nothing
> is the right approach. (Well, one could argue to remove all
> user authentication from HTTP I guess - is that one of the
> proposals?)
>
> Cheers,
> S.



--
Mark Nottingham
http://www.mnot.net/




_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf