Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Mark Nottingham
WFM. Thanks, Peter. On 02/03/2012, at 4:50 AM, Peter Saint-Andre wrote: > > > On 2/21/12 11:10 AM, IESG Secretary wrote: >> A modified charter has been submitted for the Hypertext Transfer >> Protocol Bis (httpbis) working group in the Applications Area of the >> IETF. The IESG has not made

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Paul Hoffman
On Mar 1, 2012, at 10:05 AM, SM wrote: > At 09:50 01-03-2012, Peter Saint-Andre wrote: >> Stephen and I just had a chat about this matter. He and I came up with a >> proposed paragraph to add after that list of bullet points: >> >> In the initial phase of work on HTTP/2.0, new proposals >> fo

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Paul Hoffman
On Mar 1, 2012, at 10:01 AM, Nick Hilliard wrote: > Can I suggest you also include authorization capabilities as a core > component of this. It's not much use to have people able to authenticate > themselves to a system if that system doesn't also provide a framework for > allowing the server-side

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Peter Saint-Andre
[ no hat ] On 3/1/12 11:01 AM, Nick Hilliard wrote: > On 01/03/2012 17:50, Peter Saint-Andre wrote: >> Stephen and I just had a chat about this matter. He and I came up with a >> proposed paragraph to add after that list of bullet points: >> >>In the initial phase of work on HTTP/2.0, new prop

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Peter Saint-Andre
On 3/1/12 11:05 AM, SM wrote: > At 09:50 01-03-2012, Peter Saint-Andre wrote: >> Stephen and I just had a chat about this matter. He and I came up with a >> proposed paragraph to add after that list of bullet points: >> >>In the initial phase of work on HTTP/2.0, new proposals >>for authent

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread SM
At 09:50 01-03-2012, Peter Saint-Andre wrote: Stephen and I just had a chat about this matter. He and I came up with a proposed paragraph to add after that list of bullet points: In the initial phase of work on HTTP/2.0, new proposals for authentication schemes can be made. The WG will

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Nick Hilliard
On 01/03/2012 17:50, Peter Saint-Andre wrote: > Stephen and I just had a chat about this matter. He and I came up with a > proposed paragraph to add after that list of bullet points: > >In the initial phase of work on HTTP/2.0, new proposals >for authentication schemes can be made. The WG

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Tim Bray
+1 On Thu, Mar 1, 2012 at 9:50 AM, Peter Saint-Andre wrote: > > > On 2/21/12 11:10 AM, IESG Secretary wrote: >> A modified charter has been submitted for the Hypertext Transfer >> Protocol Bis (httpbis) working group in the Applications Area of the >> IETF.  The IESG has not made any determinati

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Peter Saint-Andre
On 2/21/12 11:10 AM, IESG Secretary wrote: > A modified charter has been submitted for the Hypertext Transfer > Protocol Bis (httpbis) working group in the Applications Area of the > IETF. The IESG has not made any determination as yet. The modified > charter is provided below for informatio

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Henrik Nordström
Sat 2012-02-25 at 19:23 +0100, Julian Reschke wrote: > Well, I'm one of the editors of the authentication framework spec, so if > there's something wrong with it, I'd like to know. Only the thing said earlier - Define how servers may influence the visible appearance of the login action - Pe

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Henrik Nordström
Sat 2012-02-25 at 17:44 +, Stephen Farrell wrote: > I don't think fixing or changing the framework will give us better > auth schemes by itself. (Better auth schemes may or may not require > changes to the framework, I dunno.) Obviously not. Fixing the framework giving better use of auth

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Henrik Nordström
Sat 2012-02-25 at 14:13 +, Stephen Farrell wrote: > I don't agree with you there - the perceived low probability that > something will be deployed is a real disincentive here. We have had > people wanting to do work on this and have been told there's no point > because it won't get adopted

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Henrik Nordström
Tue 2012-02-21 at 19:50 +0100, Julian Reschke wrote: > Well, we have an existing authentication framework. It would be > interesting to find out what's missing from it. My take is better secure authentication schemes (not plaintext password based) which is cleanly specified to a level that im

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Adrien de Croy
There is one other thing I would add to auth: Ability for a challenger to identify itself, and for a response to target a challenger. Currently with chained proxies, it's not possible to reliably pass challenges and creds back to the client. A proxy looking at a request would need to maint

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-27 Thread Mark Andrews
In message <20120226064025.gh8...@1wt.eu>, Willy Tarreau writes: > On Fri, Feb 24, 2012 at 05:57:31PM +0100, Patrik Fältström wrote: > > I am asking more generally why specifically this DNS issue is so stuck, > > because I think that is unfair. We upgrade other protocols... > > Because in HT

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-27 Thread John C Klensin
--On Friday, February 24, 2012 17:57 +0100 Patrik Fältström wrote: > > > On 24 feb 2012, at 17:43, John C Klensin > wrote: > >> It is >> the number of folks who, for lots of reasons, haven't upgraded >> from operating systems, resolvers, etc., that don't support >> newer RRTYPES. > > As I

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-27 Thread Willy Tarreau
On Fri, Feb 24, 2012 at 05:57:31PM +0100, Patrik Fältström wrote: > I am asking more generally why specifically this DNS issue is so stuck, > because I think that is unfair. We upgrade other protocols... Because in HTTP, anybody can be anywhere. You can have client-side proxies, server-side gatewa

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-27 Thread Willy Tarreau
Hi Adrien, On Sun, Feb 26, 2012 at 02:54:01PM +1300, Adrien de Croy wrote: > > I wonder if it would be helpful for people to outline what they expect > are the issues to be solved by doing more work on an HTTP auth mechanism. > > I get the feeling that some think the scope would encompass provi

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-27 Thread Adrien de Croy
I wonder if it would be helpful for people to outline what they expect are the issues to be solved by doing more work on an HTTP auth mechanism. I get the feeling that some think the scope would encompass providing auth support for web applications, whereas others are mainly concerned with t

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-27 Thread Patrik Fältström
On 24 feb 2012, at 17:43, John C Klensin wrote: > It is > the number of folks who, for lots of reasons, haven't upgraded > from operating systems, resolvers, etc., that don't support > newer RRTYPES. As I said, people disagree... ;-) As far as I know, there is nothing in any of the operating

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-26 Thread Stephen Farrell
On 02/26/2012 01:54 AM, Mark Nottingham wrote: On 26/02/2012, at 12:32 PM, Stephen Farrell wrote: Could you please explain why you think tying this effort to HTTP/2.0 is necessary to achieve that? To me that's the critical bit, and I still haven't seen the reasoning (perhaps I missed it).

RE: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-26 Thread TEVFİK ŞAHİN
Zc -Original Message- From: Yoav Nir Sent: 26.02.2012, 11:45 To: Mark Nottingham Cc: The IESG; ietf-http...@w3.org Group; IETF-Discussion Discussion Subject: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis) On Feb 26, 2012, at 2:44 AM, Mark Nottingham wrote

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-26 Thread Julian Reschke
On 2012-02-26 10:44, Yoav Nir wrote: ... Could you please explain why you think tying this effort to HTTP/2.0 is necessary to achieve that? To me that's the critical bit, and I still haven't seen the reasoning (perhaps I missed it). I think I have *an* answer to this, though probably not *th

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-26 Thread Yoav Nir
On Feb 26, 2012, at 2:44 AM, Mark Nottingham wrote: > >> >> I proposed a plan that I think might allow us to make progress >> on that. I believe we could. > > OK, great. > > Could you please explain why you think tying this effort to HTTP/2.0 is > necessary to achieve that? To me that's the

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Mark Nottingham
On 26/02/2012, at 12:32 PM, Stephen Farrell wrote: >> Could you please explain why you think tying this effort to HTTP/2.0 is >> necessary to achieve that? To me that's the critical bit, and I still >> haven't seen the reasoning (perhaps I missed it). > > That's a fair question that doesn't ha

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Stephen Farrell
On 02/26/2012 12:44 AM, Mark Nottingham wrote: On 26/02/2012, at 11:40 AM, Stephen Farrell wrote: Mark, I was going to respond blow-by-blow but there's not much point in that, other than to say that your mail seems to me a tad over the top. Sorry if you think so. I'm VERY sensitive to th

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Mark Nottingham
On 26/02/2012, at 11:40 AM, Stephen Farrell wrote: > > Mark, > > I was going to respond blow-by-blow but there's not much > point in that, other than to say that your mail seems to > me a tad over the top. Sorry if you think so. I'm VERY sensitive to the risks that we're undertaking here, and

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Stephen Farrell
Mark, I was going to respond blow-by-blow but there's not much point in that, other than to say that your mail seems to me a tad over the top. (Maybe you misinterpreted me describing what might happen as some kind of threat to try slow people down or something, I don't know. I do know that I do

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Mark Nottingham
On 26/02/2012, at 1:13 AM, Stephen Farrell wrote: >> >> If we just need a new authentication scheme, nothing stops people from >> working on that right now. > > I don't agree with you there - the perceived low probability that > something will be deployed is a real disincentive here. We have had

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Stephen Farrell
On 02/25/2012 06:23 PM, Julian Reschke wrote: On 2012-02-25 18:44, Stephen Farrell wrote: ... I don't think fixing or changing the framework will give us better auth schemes by itself. (Better auth schemes may or may not require changes to the framework, I dunno.) So I think you're raising a

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Julian Reschke
On 2012-02-25 18:44, Stephen Farrell wrote: ... I don't think fixing or changing the framework will give us better auth schemes by itself. (Better auth schemes may or may not require changes to the framework, I dunno.) So I think you're raising a side issue here really. ... Well, I'm one of th

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Stephen Farrell
On 02/25/2012 02:20 PM, Julian Reschke wrote: On 2012-02-25 15:13, Stephen Farrell wrote: On 02/25/2012 02:03 PM, Julian Reschke wrote: If we just need a new authentication scheme, nothing stops people from working on that right now. I don't agree with you there - the perceived low probabi

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Julian Reschke
On 2012-02-25 15:13, Stephen Farrell wrote: On 02/25/2012 02:03 PM, Julian Reschke wrote: On 2012-02-25 14:46, Stephen Farrell wrote: ... Yeah that's a tricky one. While one might like to see "one or more" in both places that might not be practical. In the proposal above the goal is that htt

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Stephen Farrell
On 02/25/2012 02:03 PM, Julian Reschke wrote: On 2012-02-25 14:46, Stephen Farrell wrote: ... Yeah that's a tricky one. While one might like to see "one or more" in both places that might not be practical. In the proposal above the goal is that httpbis pick one or more but recognising the rea

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Julian Reschke
On 2012-02-25 14:46, Stephen Farrell wrote: ... Yeah that's a tricky one. While one might like to see "one or more" in both places that might not be practical. In the proposal above the goal is that httpbis pick one or more but recognising the reality that we might not get a new proposal that ht

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Stephen Farrell
Hiya, On 02/25/2012 02:05 AM, Mark Nottingham wrote: Hi Stephen, On 24/02/2012, at 11:54 PM, Stephen Farrell wrote: On 02/24/2012 01:24 AM, Roy T. Fielding wrote: On Feb 23, 2012, at 5:18 PM, Tim Bray wrote: On Thu, Feb 23, 2012 at 5:13 PM, Roy T. Fielding wrote: How many times do we

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-24 Thread Doug Barton
On 02/24/2012 07:38, Andrew Sullivan wrote: > On Fri, Feb 24, 2012 at 01:54:32PM +1100, Mark Andrews wrote: >> >> In message <4f46bfdf.3070...@dougbarton.us>, Doug Barton writes: >>> >>> 2782 was published 12 years ago this month. I suppose it can be >>> considered mature enough to deploy at this p

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-24 Thread Mark Nottingham
Hi Stephen, On 24/02/2012, at 11:54 PM, Stephen Farrell wrote: > > On 02/24/2012 01:24 AM, Roy T. Fielding wrote: >> On Feb 23, 2012, at 5:18 PM, Tim Bray wrote: >>> On Thu, Feb 23, 2012 at 5:13 PM, Roy T. Fielding wrote: >>> How many times do we have to do this before we declare insanity

Re: DNS RRTYPEs, the difficulty with (was: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis))

2012-02-24 Thread Mark Andrews
In message <20120224171427.gj48...@mail.yitter.info>, Andrew Sullivan writes: > cc:s trimmed. I'm not on the w3c list anyway, and I don't think the > IESG cares about this detail. > > On Fri, Feb 24, 2012 at 04:58:36PM +0100, Patrik Fältström wrote: > > > > Because people disagree on whether

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-24 Thread Yoav Nir
On Feb 24, 2012, at 5:02 PM, Paul Hoffman wrote: > On Feb 24, 2012, at 4:54 AM, Stephen Farrell wrote: > >>> "Proposals for new HTTP authentication schemes are in scope." >> >> How would a plan like the following look to folks: >> >> - httpbis is chartered to include auth mechanism work as >>

Re: DNS RRTYPEs, the difficulty with (was: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis))

2012-02-24 Thread Edward Lewis
At 13:06 -0500 2/24/12, Scott Kitterman wrote: If there had been a TXT1 ... N in 2004, SPF (to put an example) could have picked TXT1 (assuming it wasn't used by something else). Then later the label could have been changed to SPF once usage was established and standardized. Then a few years l

Re: DNS RRTYPEs, the difficulty with (was: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis))

2012-02-24 Thread Scott Kitterman
On Friday, February 24, 2012 12:57:49 PM Andrew Sullivan wrote: > On Fri, Feb 24, 2012 at 12:47:10PM -0500, Scott Kitterman wrote: > > It's occurred to me that it might be useful to pre-allocate some new > > types without a current use assigned (e.g. TXT1, TXT2, TXT3) so that > > there's time for th

Re: DNS RRTYPEs, the difficulty with (was: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis))

2012-02-24 Thread Andrew Sullivan
On Fri, Feb 24, 2012 at 12:47:10PM -0500, Scott Kitterman wrote: > It's occurred to me that it might be useful to pre-allocate some new > types without a current use assigned (e.g. TXT1, TXT2, TXT3) so that > there's time for them to be integrated into tools before they are > needed. How could you

Re: DNS RRTYPEs, the difficulty with (was: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis))

2012-02-24 Thread Scott Kitterman
On Friday, February 24, 2012 12:14:28 PM Andrew Sullivan wrote: > cc:s trimmed. I'm not on the w3c list anyway, and I don't think the > IESG cares about this detail. > > On Fri, Feb 24, 2012 at 04:58:36PM +0100, Patrik Fältström wrote: > > Because people disagree on whether it is actually hard to

DNS RRTYPEs, the difficulty with (was: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis))

2012-02-24 Thread Andrew Sullivan
cc:s trimmed. I'm not on the w3c list anyway, and I don't think the IESG cares about this detail. On Fri, Feb 24, 2012 at 04:58:36PM +0100, Patrik Fältström wrote: > > Because people disagree on whether it is actually hard to get new RRTYPEs > deployed. > > I for example do completely disagree

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-24 Thread John C Klensin
--On Friday, February 24, 2012 16:58 +0100 Patrik Fältström wrote: > On 24 feb 2012, at 16:38, Andrew Sullivan wrote: > >> Over in spfbis, people are arguing that the SPF RRTYPE should >> be deprecated and abandoned in SPF because nobody uses it >> because of practical difficulties in getting

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-24 Thread Willy Tarreau
On Thu, Feb 23, 2012 at 05:23:45PM -0800, Paul Hoffman wrote: > If only it were that simple. If the answer is "design an HTTP auth mechanism > that is better than Digest", then this is a tractable goal. If it is "get > IETF consensus on that auth mechanism", then it isn't. The latter has proven > t

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-24 Thread Patrik Fältström
On 24 feb 2012, at 16:38, Andrew Sullivan wrote: > Over in spfbis, people are arguing that the SPF RRTYPE should be > deprecated and abandoned in SPF because nobody uses it because of > practical difficulties in getting new RRTYPEs deployed. What makes us > think that the arguments in favour of

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-24 Thread Andrew Sullivan
On Fri, Feb 24, 2012 at 01:54:32PM +1100, Mark Andrews wrote: > > In message <4f46bfdf.3070...@dougbarton.us>, Doug Barton writes: > > > > 2782 was published 12 years ago this month. I suppose it can be > > considered mature enough to deploy at this point? :) > > +1000 Over in spfbis, people ar

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-24 Thread Paul Hoffman
On Feb 24, 2012, at 4:54 AM, Stephen Farrell wrote: >> "Proposals for new HTTP authentication schemes are in scope." > > How would a plan like the following look to folks: > > - httpbis is chartered to include auth mechanism work as > per the above (or whatever text goes into the charter) > -

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-24 Thread Stephen Farrell
On 02/24/2012 01:24 AM, Roy T. Fielding wrote: On Feb 23, 2012, at 5:18 PM, Tim Bray wrote: On Thu, Feb 23, 2012 at 5:13 PM, Roy T. Fielding wrote: How many times do we have to do this before we declare insanity? I don't care how much risk it adds to the HTTP charter. They are all just mean

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Patrik Fältström
On 24 feb 2012, at 03:54, Mark Andrews wrote: > In message <4f46bfdf.3070...@dougbarton.us>, Doug Barton writes: >> For my money it would be quite important for an HTTP 2.0 definition to >> make SRV DNS records a full-fledged participant in the standard. Minimum >> once a month there is someone a

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Mark Andrews
In message <4f46bfdf.3070...@dougbarton.us>, Doug Barton writes: > For my money it would be quite important for an HTTP 2.0 definition to > make SRV DNS records a full-fledged participant in the standard. Minimum > once a month there is someone asking for help on bind-users@ for which > the answer

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Mark Nottingham
On 24/02/2012, at 12:24 PM, Roy T. Fielding wrote: > On Feb 23, 2012, at 5:18 PM, Tim Bray wrote: >> On Thu, Feb 23, 2012 at 5:13 PM, Roy T. Fielding wrote: >> >>> How many times do we have to do this before we declare insanity? >>> I don't care how much risk it adds to the HTTP charter. They a

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Roy T. Fielding
On Feb 23, 2012, at 5:23 PM, Paul Hoffman wrote: > On Feb 23, 2012, at 5:13 PM, Roy T. Fielding wrote: > >> I don't care how much risk it adds to the HTTP charter. They are >> all just meaningless deadlines anyway. If we want HTTP to have >> something other than Basic (1993) and Digest (1995) au

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Tim Bray
On Thu, Feb 23, 2012 at 5:24 PM, Roy T. Fielding wrote: >> Seriously, someone needs to propose some charter language or this >> discussion is a no-op.  -Tim > > "Proposals for new HTTP authentication schemes are in scope." +1 I don’t think we’ll get one, but in the unlikely event someone can bu

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Roy T. Fielding
On Feb 23, 2012, at 5:18 PM, Tim Bray wrote: > On Thu, Feb 23, 2012 at 5:13 PM, Roy T. Fielding wrote: > >> How many times do we have to do this before we declare insanity? >> I don't care how much risk it adds to the HTTP charter. They are >> all just meaningless deadlines anyway. If we want H

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Paul Hoffman
On Feb 23, 2012, at 5:13 PM, Roy T. Fielding wrote: > I don't care how much risk it adds to the HTTP charter. They are > all just meaningless deadlines anyway. If we want HTTP to have > something other than Basic (1993) and Digest (1995) authentication, > then it had better be part of *this* cha

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Tim Bray
On Thu, Feb 23, 2012 at 5:13 PM, Roy T. Fielding wrote: > How many times do we have to do this before we declare insanity? > I don't care how much risk it adds to the HTTP charter.  They are > all just meaningless deadlines anyway.  If we want HTTP to have > something other than Basic (1993) and

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Roy T. Fielding
On Feb 22, 2012, at 9:39 AM, Peter Saint-Andre wrote: > On 2/22/12 10:31 AM, Paul Hoffman wrote: >> The earnest calls for better authentication on this thread appear to >> ignore the fact that the very things that are being requested were >> put out of scope for the websec WG in their charter. I h

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Julian Reschke
On 2012-02-23 23:33, Doug Barton wrote: I don't *quite* go back 2 decades, but a big +1 to "all my experiences with bolt-on security have been bad." bolt-on != modular/optional If you want to "require" security in whatever comes out of this activity, you better define what security means, and

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Doug Barton
For my money it would be quite important for an HTTP 2.0 definition to make SRV DNS records a full-fledged participant in the standard. Minimum once a month there is someone asking for help on bind-users@ for which the answer is, "The solution to that _would_ be SRV records, if they were supported.

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Tim Bray
gmail.com] > Sent: Thursday, February 23, 2012 8:59 AM > To: ietf@ietf.org > Subject: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis) > > On 23  Feb 2012, at 11:13 , Julian Reschke wrote: >> On 2012-02-22 18:01, RJ Atkinson wrote: >>> Security that

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Doug Barton
f.org] On Behalf Of RJ Atkinson > [rja.li...@gmail.com] > Sent: Thursday, February 23, 2012 8:59 AM > To: ietf@ietf.org > Subject: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis) > > On 23 Feb 2012, at 11:13 , Julian Reschke wrote: >> On 2012-02-22 18:01,

RE: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Leif Sawyer
with the future... From: ietf-boun...@ietf.org [ietf-boun...@ietf.org] On Behalf Of RJ Atkinson [rja.li...@gmail.com] Sent: Thursday, February 23, 2012 8:59 AM To: ietf@ietf.org Subject: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis) On 23 Feb 2012, at 11:13 , Julian Resc

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread RJ Atkinson
On 23 Feb 2012, at 11:13 , Julian Reschke wrote: > On 2012-02-22 18:01, RJ Atkinson wrote: >> Security that works well and is practical to implement >> needs to be designed-in, not bolted-on later. > > I would say: security needs to be orthogonal. There are at least 2 decades of experience that

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread David Harrington
Point taken. -- David Harrington Director, Transport Area Internet Engineering Task Force (IETF) ietf...@comcast.net +1-603-828-1401 On 2/22/12 12:31 PM, "Paul Hoffman" wrote: >The earnest calls for better authentication on this thread appear to >ignore the fact that the very things that ar

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Julian Reschke
On 2012-02-22 18:01, RJ Atkinson wrote: Earlier, Barry Leiba wrote, in part: What we're looking at here is the need for an HTTP authentication system that (for example) doesn't send reusable credentials, is less susceptible to spoofing attacks, and so on. +1 More generally, I support the conc

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Salvatore Loreto
On 2/22/12 12:40 AM, Mark Nottingham wrote: Also, most of the discussions about authentication and associated problems on the Web are *not* exclusive to HTTP or even protocol artefacts; they include concerns like UI and human factors, integration into hypertext, etc. As such, what we really nee

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Peter Saint-Andre
On 2/22/12 11:39 AM, Paul Hoffman wrote: > On Feb 22, 2012, at 10:35 AM, Stephen Farrell wrote: > >> Regardless of that you do have a fair point that asking apps folks >> to do stuff that'll please security folks might be asking for >> trouble:-) >> >> However, the counter to that is that securit

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Paul Hoffman
On Feb 22, 2012, at 10:35 AM, Stephen Farrell wrote: > Regardless of that you do have a fair point that asking > apps folks to do stuff that'll please security folks might > be asking for trouble:-) > > However, the counter to that is that security folks doing > stuff without enough apps input mi

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Stephen Farrell
On 02/22/2012 05:52 PM, Paul Hoffman wrote: On Feb 22, 2012, at 9:39 AM, Peter Saint-Andre wrote: The WebSec WG is in the Applications Area. Yeeps! My apologies. I guess seeing a room full of security regulars made me forget. Regardless of that you do have a fair point that asking apps

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Paul Hoffman
On Feb 22, 2012, at 9:39 AM, Peter Saint-Andre wrote: > The WebSec WG is in the Applications Area. Yeeps! My apologies. I guess seeing a room full of security regulars made me forget. --Paul Hoffman

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Peter Saint-Andre
On 2/22/12 10:31 AM, Paul Hoffman wrote: > The earnest calls for better authentication on this thread appear to > ignore the fact that the very things that are being requested were > put out of scope for the websec WG in their charter. I hope that no > one thinks that a WG in the Applications Area

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Paul Hoffman
The earnest calls for better authentication on this thread appear to ignore the fact that the very things that are being requested were put out of scope for the websec WG in their charter. I hope that no one thinks that a WG in the Applications Area will be better equipped to come up with a bett

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread RJ Atkinson
Earlier, Barry Leiba wrote, in part: > What we're looking at here is the need for an HTTP authentication > system that (for example) doesn't send reusable credentials, > is less susceptible to spoofing attacks, and so on. +1 More generally, I support the concerns raised by Stephen Farrell, Wes H

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Albert Lunde
It seems like what would be useful would be a way of bringing in trusted third-parties into authentication that didn't look like a man-in-the-middle attack, and didn't rely on JavaScript. SAML "federation" (e.g. Shibboleth) is layered on top of HTML+HTTP, but it, and most of the other existing

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread David Harrington
Hi, Having been involved in adding security after-the-fact to SNMP, and to Syslog, and adding authorization after-the-fact to netconf, I know it is extremely difficult to add security "later". I strongly believe that if http is going to be redesigned enough to justify a 2.0 label, then security s

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Hector Santos
Barry Leiba wrote: browser id, openid, and oauth are all authentication frameworks built on top of HTTP OAuth is an authorization framework, not an authentication one. Please be careful to make the distinction. What we're looking at here is the need for an HTTP authentication system that (fo

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Adrien de Croy
Hi Julian, On 02/21/2012 06:50 PM, Julian Reschke wrote: On 2012-02-21 19:37, Stephen Farrell wrote: ... I believe this should be orthogonal to HTTP/2.0. Is there a specific thing that makes it impossible to use the existing authentication framework? Who knows? We don't have a protocol on t

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread David Morris
On Wed, 22 Feb 2012, Julian Reschke wrote: > On 2012-02-22 08:04, David Morris wrote: > > > > > > On Tue, 21 Feb 2012, Michael Richardson wrote: > > > > > > > > > > > > > "Barry" == Barry Leiba writes: > > > Barry> OAuth is an authorization framework, not an authentication > > >

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Wes Hardaker
> On Tue, 21 Feb 2012 23:01:09 +, Stephen Farrell > said: >> The approach we're advocating for this WG is to solicit well-formed >> proposals, select one and develop it. >> >> If there isn't one for HTTP authentication, how are you advocating we >> proceed? SF> Right now, I'm inte

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Hector Santos
Barry Leiba wrote: browser id, openid, and oauth are all authentication frameworks built on top of HTTP OAuth is an authorization framework, not an authentication one. Please be careful to make the distinction. What we're looking at here is the need for an HTTP authentication system that (fo

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Hector Santos
Julian Reschke wrote: And includes the ability for the user to logoff / the server reset the login? Is that a protocol problem or a user agent problem? -- > Possibly both. First, it's a non-issue with cookie based authenti

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Julian Reschke
On 2012-02-22 08:04, David Morris wrote: On Tue, 21 Feb 2012, Michael Richardson wrote: "Barry" == Barry Leiba writes: Barry> OAuth is an authorization framework, not an authentication Barry> one. Please be careful to make the distinction. Barry> What we're looking at

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread David Morris
On Tue, 21 Feb 2012, Michael Richardson wrote: > > > "Barry" == Barry Leiba writes: > Barry> OAuth is an authorization framework, not an authentication > Barry> one. Please be careful to make the distinction. > > Barry> What we're looking at here is the need for an HTTP >

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Michael Richardson
> "Barry" == Barry Leiba writes: Barry> OAuth is an authorization framework, not an authentication Barry> one. Please be careful to make the distinction. Barry> What we're looking at here is the need for an HTTP Barry> authentication system that (for example) doesn't send

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Stephen Farrell
On 02/21/2012 10:55 PM, Mark Nottingham wrote: Stephen, The approach we're advocating for this WG is to solicit well-formed proposals, select one and develop it. If there isn't one for HTTP authentication, how are you advocating we proceed? I'm not thinking now in terms of advocating a spe

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Mark Nottingham
Stephen, The approach we're advocating for this WG is to solicit well-formed proposals, select one and develop it. If there isn't one for HTTP authentication, how are you advocating we proceed? Regards, On 22/02/2012, at 9:53 AM, Stephen Farrell wrote: > > > On 02/21/2012 10:40 PM, Mark

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Stephen Farrell
On 02/21/2012 10:40 PM, Mark Nottingham wrote: On 22/02/2012, at 9:19 AM, Stephen Farrell wrote: So as in my initial mail the 1st question here is, what does "modern" mean in this draft charter? E.g. does it mean "same as the current framework with different bits" or something else? If so,

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Tim Bray
[in-line] On Tue, Feb 21, 2012 at 2:40 PM, Mark Nottingham wrote: >> And then should it include adding some new options >> or MTI auth schemes as part of HTTP/2.0 or even looking >> at that? (I think it ought to include trying for that >> personally, even if there is a higher-than-usual risk >> o

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Mark Nottingham
On 22/02/2012, at 9:19 AM, Stephen Farrell wrote: > > Hi Julian, > > On 02/21/2012 06:50 PM, Julian Reschke wrote: >> On 2012-02-21 19:37, Stephen Farrell wrote: >>> ... I believe this should be orthogonal to HTTP/2.0. Is there a specific thing that makes it impossible to use the exis

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Barry Leiba
> > browser id, openid, and oauth are all authentication frameworks built > on top of HTTP > OAuth is an authorization framework, not an authentication one. Please be careful to make the distinction. What we're looking at here is the need for an HTTP authentication system that (for example) does

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Stephen Farrell
Hi Julian, On 02/21/2012 06:50 PM, Julian Reschke wrote: On 2012-02-21 19:37, Stephen Farrell wrote: ... I believe this should be orthogonal to HTTP/2.0. Is there a specific thing that makes it impossible to use the existing authentication framework? Who knows? We don't have a protocol on t

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Julian Reschke
On 2012-02-21 19:37, Stephen Farrell wrote: ... I believe this should be orthogonal to HTTP/2.0. Is there a specific thing that makes it impossible to use the existing authentication framework? Who knows? We don't have a protocol on the table yet. I would imagine that some level of backwards c

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Stephen Farrell
On 02/21/2012 06:33 PM, Julian Reschke wrote: On 2012-02-21 19:26, Stephen Farrell wrote: Down below, for the proposed HTTP/2.0 work it says: > * Reflecting modern security requirements and practices In some earlier discussion I asked what "modern" means there. It seems to mean at least wor

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Julian Reschke
On 2012-02-21 19:26, Stephen Farrell wrote: Down below, for the proposed HTTP/2.0 work it says: > * Reflecting modern security requirements and practices In some earlier discussion I asked what "modern" means there. It seems to mean at least working well with TLS, but I'm not sure what else i

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Stephen Farrell
Down below, for the proposed HTTP/2.0 work it says: > * Reflecting modern security requirements and practices In some earlier discussion I asked what "modern" means there. It seems to mean at least working well with TLS, but I'm not sure what else is meant, if anything. In particular, I think