On 2012-02-26 10:44, Yoav Nir wrote:
...
Could you please explain why you think tying this effort to HTTP/2.0 is
necessary to achieve that? To me that's the critical bit, and I still haven't
seen the reasoning (perhaps I missed it).
I think I have *an* answer to this, though probably not *the* answer.
There's two stages to adoption - implementation and roll-out. Obviously you can't roll
out "new authentication" before the browsers and servers implement it. For my
website, I wouldn't roll out new auth if only one or two of the browsers out there
implemented it. Even if all the big ones (IE, Firefox, Chrome, Opera) did, I would still
have to provide a backwards compatibility authentication scheme to support older
browsers. This would lead to both inconsistent UI and to ugly javascript that detects the
browser version, and makes the roll-out slower.
You can send multiple challenges in one response.
We could also define a way to make HTML-form-based login an HTTP scheme
(see <http://tools.ietf.org/id/draft-broyer-http-cookie-auth-00.txt>) to
integrate better what people use today.
If any HTTP/2.0 browser is bound to have "new authentication" it makes things
much easier.
This could be circumvented by adding request headers that advertise
capabilities, but I don't think we like those much.
I don't believe we need those. If we do, we should retrofit this into
1.1 as well.
Anyway, I see lots of theoretical discussion about process. What's
needed is people doing the actual work, both spec-wise and
implementation-wise. That's the critical problem.
Best regards, Julian
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf