On Feb 24, 2012, at 5:02 PM, Paul Hoffman wrote:
On Feb 24, 2012, at 4:54 AM, Stephen Farrell wrote:
"Proposals for new HTTP authentication schemes are in scope."
How would a plan like the following look to folks:
- httpbis is chartered to include auth mechanism work as
per the above (or whatever text goes into the charter)
<snip/>
Might that be a way forward that'll give enough folks
enough of what they want/need?
It would, but I would like to give a counter-proposal that I think will use
people's different talents better:
- new wg on developing http authentication mechanisms is chartered soon (BoF
in Paris); call it the ham wg
- httpbis is chartered to follow the work of the ham wg and is required to
make sure that the authentication framework in http 2.0 works for as many of
the proposals from the ham wg as possible
- ham wg is responsible for most of what you list above
- http2.0 document says "the mandatory to implement auth mechanisms are named
in that RFC over there", which comes from the ham wg
There will be overlap in wg membership, but not nearly as much as would be
needed for your proposal.
I like the idea, but there is always the danger of the HAM working group either
getting stuck with multiple non-interoperable proposals like we've seen at
IPsecME with the PAKE work.
There is also the possibility of getting stuck with conflicting requirements.
For example, there will be a need to use existing user databases
(RADIUS/DIAMETER servers, LDAP directories), but that is hard to reconcile with
the preference for ZKPs.
I'm not really worried, because HTTP/2.0 is bound to take a long time, and
there will be plenty of opportunity for chair and ADs to step in and intervene
if the wg actually does that.
On a more technical note, we are 12 days past the cutoff date for new BoF
session requests, so it's probably too late for a BoF in Paris.
Yoav
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf