On Feb 23, 2012, at 5:13 PM, Roy T. Fielding wrote:
> I don't care how much risk it adds to the HTTP charter. They are
> all just meaningless deadlines anyway. If we want HTTP to have
> something other than Basic (1993) and Digest (1995) authentication,
> then it had better be part of *this* charter so that the proposals
> can address them.
If only it were that simple. If the answer is "design an HTTP auth mechanism
that is better than Digest", then this is a tractable goal. If it is "get IETF
consensus on that auth mechanism", then it isn't. The latter has proven to be
impossible because people say (possibly rightly) that web developers don't want
auth mechanisms that use the browser chrome: they want auth in HTML, and
anything that relies on the browser chrome is insufficient.
Notice how the topic changed from "HTTP" to "web" for the security discussion
but not for the httpbis charter discussion? That topic-change has derailed the
HTTP authentication discussions at recent (and not-so-recent) IETF meetings.
If the charter has "develop HTTP authentication mechanisms beyond Digest",
that's great: we already have seen about five proposals in the past few years
for those, some of them with security analyses. If the charter says "...and
specify one that is mandatory to implement", that seems prone to consensus
failure because of religion about zero-knowledge proofs versus operational
simplicity, but I would be overjoyed to be wrong about that.
--Paul Hoffman
_______________________________________________
Ietf mailing list
ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
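The two schemes the thread contrasts, Basic and Digest, differ mainly in what the Authorization header actually carries. The following is an added illustration, not code from this thread or from any IETF document: it builds and checks both header forms per RFC 7617 (Basic) and RFC 2617 (Digest, MD5 with qop=auth), and includes a small server-side verifier that stores only HA1 and rejects replayed nonce/nc pairs. The realm, user, password and nonce values in `demo()` are constructed for the example; the Mufasa vector is the worked example from RFC 2617 section 3.5.

```python
import base64
import hashlib
import hmac
import secrets

# --- Basic (RFC 7617): the credential itself travels in the header ----------

def basic_header(user, password):
    """Build 'Basic <base64(user:password)>' (encoding only, no protection)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):
    """Recover user and password from a Basic header: anyone on the path can."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

# --- Digest (RFC 2617, MD5, qop=auth): only a keyed hash travels -------------

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password); a server may store this, not the password."""
    return _md5(f"{user}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def digest_header(user, realm, password, method, uri, nonce, nc, cnonce):
    resp = digest_response(digest_ha1(user, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def parse_digest(header):
    """Minimal parser for the header shape produced above (no commas inside values)."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest credential")
    params = {}
    for part in rest.split(", "):
        key, _, value = part.partition("=")
        params[key.strip()] = value.strip().strip('"')
    return params

class DigestServer:
    """Verifier holding HA1 per user, issued nonces, and spent (nonce, nc) pairs."""

    def __init__(self, realm, ha1_store):
        self.realm = realm
        self.ha1_store = ha1_store   # user -> HA1; cleartext passwords are never kept
        self.issued = set()          # nonces this server handed out
        self.seen = set()            # (nonce, nc) pairs already accepted

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, method, header):
        try:
            p = parse_digest(header)
        except ValueError:
            return False
        nonce, nc = p.get("nonce"), p.get("nc")
        if nonce not in self.issued or (nonce, nc) in self.seen:
            return False                      # unknown nonce or replayed request
        ha1 = self.ha1_store.get(p.get("username"))
        if ha1 is None:
            return False
        expected = digest_response(ha1, method, p["uri"], nonce, nc,
                                   p["cnonce"], p.get("qop", "auth"))
        ok = hmac.compare_digest(expected, p.get("response", ""))
        if ok:
            self.seen.add((nonce, nc))
        return ok

def demo():
    """Constructed run: first request accepted, replay rejected, wrong password rejected."""
    realm = "example"
    server = DigestServer(realm, {"alice": digest_ha1("alice", realm, "s3cret")})
    nonce = server.challenge()
    hdr = digest_header("alice", realm, "s3cret", "GET", "/private", nonce, "00000001", "0a4f113b")
    first = server.verify("GET", hdr)
    replay = server.verify("GET", hdr)
    bad = digest_header("alice", realm, "wrong", "GET", "/private", nonce, "00000002", "0a4f113b")
    return first, replay, server.verify("GET", bad)

if __name__ == "__main__":
    print(basic_header("alice", "s3cret"))
    print(demo())
```

Note what the verifier does not give you: Digest still depends on MD5, the server must hold HA1 (a password-equivalent for that realm), and a browser presents both schemes through its own chrome, which is exactly the objection Hoffman reports from web developers.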