ietf
[Top] [All Lists]

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-26 08:54:55
On 2012-02-26 10:44, Yoav Nir wrote:
...
Could you please explain why you think tying this effort to HTTP/2.0 is 
necessary to achieve that? To me that's the critical bit, and I still haven't 
seen the reasoning (perhaps I missed it).

I think I have *an* answer to this, though probably not *the* answer.

There's two stages to adoption - implementation and roll-out. Obviously you can't roll 
out "new authentication" before the browsers and servers implement it. For my 
website, I wouldn't roll out new auth if only one or two of the browsers out there 
implemented it. Even if all the big ones (IE, Firefox, Chrome, Opera) did, I would still 
have to provide a backwards compatibility authentication scheme to support older 
browsers. This would lead to both inconsistent UI and to ugly javascript that detects the 
browser version, and makes the roll-out slower.

You can send multiple challenges in one response.

We could also define a way to make HTML-form-based login an HTTP scheme (see <http://tools.ietf.org/id/draft-broyer-http-cookie-auth-00.txt>) to integrate better what people use today.

If any HTTP/2.0 browser is bound to have "new authentication" it makes things 
much easier.

This could be circumvented by adding request headers that advertise 
capabilities, but I don't think we like those much.

I don't believe we need those. If we do, we should retrofit this into 1.1 as well.

Anyway, I see lots of theoretical discussion about process. What's needed is people doing the actual work, both spec-wise and implementation-wise. That's the critical problem.

Best regards, Julian
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf

<Prev in Thread] Current Thread [Next in Thread>