Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Adrien de Croy
There is one other thing I would add to auth: Ability for a challenger to identify itself, and for a response to target a challenger. Currently with chained proxies, it's not possible to reliably pass challenges and creds back to the client. A proxy looking at a request would need to

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Henrik Nordström
Tue 2012-02-21 at 19:50 +0100, Julian Reschke wrote: Well, we have an existing authentication framework. It would be interesting to find out what's missing from it. My take is better secure authentication schemes (not plaintext password based) which is cleanly specified to a level that

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Henrik Nordström
Sat 2012-02-25 at 14:13 + Stephen Farrell wrote: I don't agree with you there - the perceived low probability that something will be deployed is a real disincentive here. We have had people wanting to do work on this and have been told there's no point because it won't get adopted.

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Henrik Nordström
Sat 2012-02-25 at 17:44 + Stephen Farrell wrote: I don't think fixing or changing the framework will give us better auth schemes by itself. (Better auth schemes may or may not require changes to the framework, I dunno.) Obviously not. Fixing the framework giving better use of auth

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Henrik Nordström
Sat 2012-02-25 at 19:23 +0100, Julian Reschke wrote: Well, I'm one of the editors of the authentication framework spec, so if there's something wrong with it, I'd like to know. Only the thing said earlier - Define how servers may influence the visible appearance of the login action -

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Peter Saint-Andre
<hat type='AD'/> On 2/21/12 11:10 AM, IESG Secretary wrote: A modified charter has been submitted for the Hypertext Transfer Protocol Bis (httpbis) working group in the Applications Area of the IETF. The IESG has not made any determination as yet. The modified charter is provided below for

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Tim Bray
+1 On Thu, Mar 1, 2012 at 9:50 AM, Peter Saint-Andre stpe...@stpeter.im wrote: <hat type='AD'/> On 2/21/12 11:10 AM, IESG Secretary wrote: A modified charter has been submitted for the Hypertext Transfer Protocol Bis (httpbis) working group in the Applications Area of the IETF. The IESG has

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Nick Hilliard
On 01/03/2012 17:50, Peter Saint-Andre wrote: Stephen and I just had a chat about this matter. He and I came up with a proposed paragraph to add after that list of bullet points: In the initial phase of work on HTTP/2.0, new proposals for authentication schemes can be made. The WG

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread SM
At 09:50 01-03-2012, Peter Saint-Andre wrote: Stephen and I just had a chat about this matter. He and I came up with a proposed paragraph to add after that list of bullet points: In the initial phase of work on HTTP/2.0, new proposals for authentication schemes can be made. The WG will

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Peter Saint-Andre
On 3/1/12 11:05 AM, SM wrote: At 09:50 01-03-2012, Peter Saint-Andre wrote: Stephen and I just had a chat about this matter. He and I came up with a proposed paragraph to add after that list of bullet points: In the initial phase of work on HTTP/2.0, new proposals for authentication

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Peter Saint-Andre
[ no hat ] On 3/1/12 11:01 AM, Nick Hilliard wrote: On 01/03/2012 17:50, Peter Saint-Andre wrote: Stephen and I just had a chat about this matter. He and I came up with a proposed paragraph to add after that list of bullet points: In the initial phase of work on HTTP/2.0, new proposals

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Paul Hoffman
On Mar 1, 2012, at 10:01 AM, Nick Hilliard wrote: Can I suggest you also include authorization capabilities as a core component of this. It's not much use to have people able to authenticate themselves to a system if that system doesn't also provide a framework for allowing the server-side

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Paul Hoffman
On Mar 1, 2012, at 10:05 AM, SM wrote: At 09:50 01-03-2012, Peter Saint-Andre wrote: Stephen and I just had a chat about this matter. He and I came up with a proposed paragraph to add after that list of bullet points: In the initial phase of work on HTTP/2.0, new proposals for

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-03-01 Thread Mark Nottingham
WFM. Thanks, Peter. On 02/03/2012, at 4:50 AM, Peter Saint-Andre wrote: <hat type='AD'/> On 2/21/12 11:10 AM, IESG Secretary wrote: A modified charter has been submitted for the Hypertext Transfer Protocol Bis (httpbis) working group in the Applications Area of the IETF. The IESG has not

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-27 Thread Patrik Fältström
On 24 feb 2012, at 17:43, John C Klensin john-i...@jck.com wrote: It is the number of folks who, for lots of reasons, haven't upgraded from operating systems, resolvers, etc., that don't support newer RRTYPES. As I said, people disagree... ;-) As far as I know, there is nothing in any of

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-27 Thread Adrien de Croy
I wonder if it would be helpful for people to outline what they expect are the issues to be solved by doing more work on an HTTP auth mechanism. I get the feeling that some think the scope would encompass providing auth support for web applications, whereas others are mainly concerned with

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-27 Thread Willy Tarreau
Hi Adrien, On Sun, Feb 26, 2012 at 02:54:01PM +1300, Adrien de Croy wrote: I wonder if it would be helpful for people to outline what they expect are the issues to be solved by doing more work on an HTTP auth mechanism. I get the feeling that some think the scope would encompass providing

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-27 Thread Willy Tarreau
On Fri, Feb 24, 2012 at 05:57:31PM +0100, Patrik Fältström wrote: I am asking more generally why specifically this DNS issue is so stuck, because I think that is unfair. We upgrade other protocols... Because in HTTP, anybody can be anywhere. You can have client-side proxies, server-side

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-27 Thread John C Klensin
--On Friday, February 24, 2012 17:57 +0100 Patrik Fältström pat...@frobbit.se wrote: On 24 feb 2012, at 17:43, John C Klensin john-i...@jck.com wrote: It is the number of folks who, for lots of reasons, haven't upgraded from operating systems, resolvers, etc., that don't support

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-27 Thread Mark Andrews
In message 20120226064025.gh8...@1wt.eu, Willy Tarreau writes: On Fri, Feb 24, 2012 at 05:57:31PM +0100, Patrik Fältström wrote: I am asking more generally why specifically this DNS issue is so stuck, because I think that is unfair. We upgrade other protocols... Because in HTTP,

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-26 Thread Yoav Nir
On Feb 26, 2012, at 2:44 AM, Mark Nottingham wrote: I proposed a plan that I think might allow us to make progress on that. I believe we could. OK, great. Could you please explain why you think tying this effort to HTTP/2.0 is necessary to achieve that? To me that's the critical

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-26 Thread Julian Reschke
On 2012-02-26 10:44, Yoav Nir wrote: ... Could you please explain why you think tying this effort to HTTP/2.0 is necessary to achieve that? To me that's the critical bit, and I still haven't seen the reasoning (perhaps I missed it). I think I have *an* answer to this, though probably not

RE: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-26 Thread TEVFİK ŞAHİN
Zc -Original Message- From: Yoav Nir Sent: 26.02.2012, 11:45 To: Mark Nottingham Cc: The IESG; ietf-http...@w3.org Group; IETF-Discussion Discussion Subject: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis) On Feb 26, 2012, at 2:44 AM, Mark Nottingham wrote: I

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-26 Thread Stephen Farrell
On 02/26/2012 01:54 AM, Mark Nottingham wrote: On 26/02/2012, at 12:32 PM, Stephen Farrell wrote: Could you please explain why you think tying this effort to HTTP/2.0 is necessary to achieve that? To me that's the critical bit, and I still haven't seen the reasoning (perhaps I missed it).

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Stephen Farrell
Hiya, On 02/25/2012 02:05 AM, Mark Nottingham wrote: Hi Stephen, On 24/02/2012, at 11:54 PM, Stephen Farrell wrote: On 02/24/2012 01:24 AM, Roy T. Fielding wrote: On Feb 23, 2012, at 5:18 PM, Tim Bray wrote: On Thu, Feb 23, 2012 at 5:13 PM, Roy T. Fielding field...@gbiv.com wrote: How

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Julian Reschke
On 2012-02-25 14:46, Stephen Farrell wrote: ... Yeah that's a tricky one. While one might like to see one or more in both places that might not be practical. In the proposal above the goal is that httpbis pick one or more but recognising the reality that we might not get a new proposal that

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Stephen Farrell
On 02/25/2012 02:03 PM, Julian Reschke wrote: On 2012-02-25 14:46, Stephen Farrell wrote: ... Yeah that's a tricky one. While one might like to see one or more in both places that might not be practical. In the proposal above the goal is that httpbis pick one or more but recognising the

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Julian Reschke
On 2012-02-25 15:13, Stephen Farrell wrote: On 02/25/2012 02:03 PM, Julian Reschke wrote: On 2012-02-25 14:46, Stephen Farrell wrote: ... Yeah that's a tricky one. While one might like to see one or more in both places that might not be practical. In the proposal above the goal is that

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Stephen Farrell
On 02/25/2012 02:20 PM, Julian Reschke wrote: On 2012-02-25 15:13, Stephen Farrell wrote: On 02/25/2012 02:03 PM, Julian Reschke wrote: If we just need a new authentication scheme, nothing stops people from working on that right now. I don't agree with you there - the perceived low

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Julian Reschke
On 2012-02-25 18:44, Stephen Farrell wrote: ... I don't think fixing or changing the framework will give us better auth schemes by itself. (Better auth schemes may or may not require changes to the framework, I dunno.) So I think you're raising a side issue here really. ... Well, I'm one of

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Stephen Farrell
On 02/25/2012 06:23 PM, Julian Reschke wrote: On 2012-02-25 18:44, Stephen Farrell wrote: ... I don't think fixing or changing the framework will give us better auth schemes by itself. (Better auth schemes may or may not require changes to the framework, I dunno.) So I think you're raising a

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Mark Nottingham
On 26/02/2012, at 1:13 AM, Stephen Farrell wrote: If we just need a new authentication scheme, nothing stops people from working on that right now. I don't agree with you there - the perceived low probability that something will be deployed is a real disincentive here. We have had people

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Stephen Farrell
Mark, I was going to respond blow-by-blow but there's not much point in that, other than to say that your mail seems to me a tad over the top. (Maybe you misinterpreted me describing what might happen as some kind of threat to try slow people down or something, I don't know. I do know that I

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Mark Nottingham
On 26/02/2012, at 11:40 AM, Stephen Farrell wrote: Mark, I was going to respond blow-by-blow but there's not much point in that, other than to say that your mail seems to me a tad over the top. Sorry if you think so. I'm VERY sensitive to the risks that we're undertaking here, and I

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Stephen Farrell
On 02/26/2012 12:44 AM, Mark Nottingham wrote: On 26/02/2012, at 11:40 AM, Stephen Farrell wrote: Mark, I was going to respond blow-by-blow but there's not much point in that, other than to say that your mail seems to me a tad over the top. Sorry if you think so. I'm VERY sensitive to

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-25 Thread Mark Nottingham
On 26/02/2012, at 12:32 PM, Stephen Farrell wrote: Could you please explain why you think tying this effort to HTTP/2.0 is necessary to achieve that? To me that's the critical bit, and I still haven't seen the reasoning (perhaps I missed it). That's a fair question that doesn't have a

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-24 Thread Stephen Farrell
On 02/24/2012 01:24 AM, Roy T. Fielding wrote: On Feb 23, 2012, at 5:18 PM, Tim Bray wrote: On Thu, Feb 23, 2012 at 5:13 PM, Roy T. Fielding field...@gbiv.com wrote: How many times do we have to do this before we declare insanity? I don't care how much risk it adds to the HTTP charter. They

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-24 Thread Paul Hoffman
On Feb 24, 2012, at 4:54 AM, Stephen Farrell wrote: Proposals for new HTTP authentication schemes are in scope. How would a plan like the following look to folks: - httpbis is chartered to include auth mechanism work as per the above (or whatever text goes into the charter) - that'll

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-24 Thread Andrew Sullivan
On Fri, Feb 24, 2012 at 01:54:32PM +1100, Mark Andrews wrote: In message 4f46bfdf.3070...@dougbarton.us, Doug Barton writes: 2782 was published 12 years ago this month. I suppose it can be considered mature enough to deploy at this point? :) +1000 Over in spfbis, people are arguing

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-24 Thread Patrik Fältström
On 24 feb 2012, at 16:38, Andrew Sullivan wrote: Over in spfbis, people are arguing that the SPF RRTYPE should be deprecated and abandoned in SPF because nobody uses it because of practical difficulties in getting new RRTYPEs deployed. What makes us think that the arguments in favour of SRV

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-24 Thread Willy Tarreau
On Thu, Feb 23, 2012 at 05:23:45PM -0800, Paul Hoffman wrote: If only it were that simple. If the answer is design an HTTP auth mechanism that is better than Digest, then this is a tractable goal. If it is get IETF consensus on that auth mechanism, then it isn't. The latter has proven to be

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-24 Thread John C Klensin
--On Friday, February 24, 2012 16:58 +0100 Patrik Fältström p...@frobbit.se wrote: On 24 feb 2012, at 16:38, Andrew Sullivan wrote: Over in spfbis, people are arguing that the SPF RRTYPE should be deprecated and abandoned in SPF because nobody uses it because of practical difficulties in

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-24 Thread Yoav Nir
On Feb 24, 2012, at 5:02 PM, Paul Hoffman wrote: On Feb 24, 2012, at 4:54 AM, Stephen Farrell wrote: Proposals for new HTTP authentication schemes are in scope. How would a plan like the following look to folks: - httpbis is chartered to include auth mechanism work as per the above

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-24 Thread Mark Nottingham
Hi Stephen, On 24/02/2012, at 11:54 PM, Stephen Farrell wrote: On 02/24/2012 01:24 AM, Roy T. Fielding wrote: On Feb 23, 2012, at 5:18 PM, Tim Bray wrote: On Thu, Feb 23, 2012 at 5:13 PM, Roy T. Fielding field...@gbiv.com wrote: How many times do we have to do this before we declare

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-24 Thread Doug Barton
On 02/24/2012 07:38, Andrew Sullivan wrote: On Fri, Feb 24, 2012 at 01:54:32PM +1100, Mark Andrews wrote: In message 4f46bfdf.3070...@dougbarton.us, Doug Barton writes: 2782 was published 12 years ago this month. I suppose it can be considered mature enough to deploy at this point? :)

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Salvatore Loreto
On 2/22/12 12:40 AM, Mark Nottingham wrote: Also, most of the discussions about authentication and associated problems on the Web are *not* exclusive to HTTP or even protocol artefacts; they include concerns like UI and human factors, integration into hypertext, etc. As such, what we really

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Julian Reschke
On 2012-02-22 18:01, RJ Atkinson wrote: Earlier, Barry Leiba wrote, in part: What we're looking at here is the need for an HTTP authentication system that (for example) doesn't send reusable credentials, is less susceptible to spoofing attacks, and so on. +1 More generally, I support the

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread David Harrington
Point taken. -- David Harrington Director, Transport Area Internet Engineering Task Force (IETF) ietf...@comcast.net +1-603-828-1401 On 2/22/12 12:31 PM, Paul Hoffman paul.hoff...@vpnc.org wrote: The earnest calls for better authentication on this thread appear to ignore the fact that the

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread RJ Atkinson
On 23 Feb 2012, at 11:13 , Julian Reschke wrote: On 2012-02-22 18:01, RJ Atkinson wrote: Security that works well and is practical to implement needs to be designed-in, not bolted-on later. I would say: security needs to be orthogonal. There are at least 2 decades of experience that

RE: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Leif Sawyer
... From: ietf-boun...@ietf.org [ietf-boun...@ietf.org] On Behalf Of RJ Atkinson [rja.li...@gmail.com] Sent: Thursday, February 23, 2012 8:59 AM To: ietf@ietf.org Subject: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis) On 23 Feb 2012, at 11:13 , Julian Reschke wrote

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Doug Barton
, 2012 8:59 AM To: ietf@ietf.org Subject: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis) On 23 Feb 2012, at 11:13 , Julian Reschke wrote: On 2012-02-22 18:01, RJ Atkinson wrote: Security that works well and is practical to implement needs to be designed-in, not bolted

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Tim Bray
AM To: ietf@ietf.org Subject: Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis) On 23  Feb 2012, at 11:13 , Julian Reschke wrote: On 2012-02-22 18:01, RJ Atkinson wrote: Security that works well and is practical to implement needs to be designed-in, not bolted-on later

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Doug Barton
For my money it would be quite important for an HTTP 2.0 definition to make SRV DNS records a full-fledged participant in the standard. Minimum once a month there is someone asking for help on bind-users@ for which the answer is, The solution to that _would_ be SRV records, if they were supported.

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Julian Reschke
On 2012-02-23 23:33, Doug Barton wrote: I don't *quite* go back 2 decades, but a big +1 to all my experiences with bolt-on security have been bad. bolt-on != modular/optional If you want to require security in whatever comes out of this activity, you better define what security means, and

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Roy T. Fielding
On Feb 22, 2012, at 9:39 AM, Peter Saint-Andre wrote: On 2/22/12 10:31 AM, Paul Hoffman wrote: The earnest calls for better authentication on this thread appear to ignore the fact that the very things that are being requested were put out of scope for the websec WG in their charter. I hope

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Tim Bray
On Thu, Feb 23, 2012 at 5:13 PM, Roy T. Fielding field...@gbiv.com wrote: How many times do we have to do this before we declare insanity? I don't care how much risk it adds to the HTTP charter.  They are all just meaningless deadlines anyway.  If we want HTTP to have something other than

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Paul Hoffman
On Feb 23, 2012, at 5:13 PM, Roy T. Fielding wrote: I don't care how much risk it adds to the HTTP charter. They are all just meaningless deadlines anyway. If we want HTTP to have something other than Basic (1993) and Digest (1995) authentication, then it had better be part of *this*

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Roy T. Fielding
On Feb 23, 2012, at 5:18 PM, Tim Bray wrote: On Thu, Feb 23, 2012 at 5:13 PM, Roy T. Fielding field...@gbiv.com wrote: How many times do we have to do this before we declare insanity? I don't care how much risk it adds to the HTTP charter. They are all just meaningless deadlines anyway. If

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Tim Bray
On Thu, Feb 23, 2012 at 5:24 PM, Roy T. Fielding field...@gbiv.com wrote: Seriously, someone needs to propose some charter language or this discussion is a no-op.  -Tim Proposals for new HTTP authentication schemes are in scope. +1 I don’t think we’ll get one, but in the unlikely event

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Roy T. Fielding
On Feb 23, 2012, at 5:23 PM, Paul Hoffman wrote: On Feb 23, 2012, at 5:13 PM, Roy T. Fielding wrote: I don't care how much risk it adds to the HTTP charter. They are all just meaningless deadlines anyway. If we want HTTP to have something other than Basic (1993) and Digest (1995)

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Mark Nottingham
On 24/02/2012, at 12:24 PM, Roy T. Fielding wrote: On Feb 23, 2012, at 5:18 PM, Tim Bray wrote: On Thu, Feb 23, 2012 at 5:13 PM, Roy T. Fielding field...@gbiv.com wrote: How many times do we have to do this before we declare insanity? I don't care how much risk it adds to the HTTP charter.

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Mark Andrews
In message 4f46bfdf.3070...@dougbarton.us, Doug Barton writes: For my money it would be quite important for an HTTP 2.0 definition to make SRV DNS records a full-fledged participant in the standard. Minimum once a month there is someone asking for help on bind-users@ for which the answer is,

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-23 Thread Patrik Fältström
On 24 feb 2012, at 03:54, Mark Andrews wrote: In message 4f46bfdf.3070...@dougbarton.us, Doug Barton writes: For my money it would be quite important for an HTTP 2.0 definition to make SRV DNS records a full-fledged participant in the standard. Minimum once a month there is someone asking

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Julian Reschke
On 2012-02-22 08:04, David Morris wrote: On Tue, 21 Feb 2012, Michael Richardson wrote: Barry == Barry Leiba barryle...@computer.org writes: Barry OAuth is an authorization framework, not an authentication Barry one. Please be careful to make the distinction. Barry

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Hector Santos
Julian Reschke wrote: And includes the ability for the user to logoff / the server reset the login? Is that a protocol problem or a user agent problem? -- http://lists.w3.org/Archives/Public/www-archive/2012Jan/0023.html Possibly both. First, it's a non-issue with cookie based

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Hector Santos
Barry Leiba wrote: browser id, openid, and oauth are all authentication frameworks built on top of HTTP OAuth is an authorization framework, not an authentication one. Please be careful to make the distinction. What we're looking at here is the need for an HTTP authentication system that

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Wes Hardaker
On Tue, 21 Feb 2012 23:01:09 +, Stephen Farrell stephen.farr...@cs.tcd.ie said: The approach we're advocating for this WG is to solicit well-formed proposals, select one and develop it. If there isn't one for HTTP authentication, how are you advocating we proceed? SF Right now, I'm

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread David Morris
On Wed, 22 Feb 2012, Julian Reschke wrote: On 2012-02-22 08:04, David Morris wrote: On Tue, 21 Feb 2012, Michael Richardson wrote: Barry == Barry Leiba barryle...@computer.org writes: Barry OAuth is an authorization framework, not an authentication Barry

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Adrien de Croy
Hi Julian, On 02/21/2012 06:50 PM, Julian Reschke wrote: On 2012-02-21 19:37, Stephen Farrell wrote: ... I believe this should be orthogonal to HTTP/2.0. Is there a specific thing that makes it impossible to use the existing authentication framework? Who knows? We don't have a protocol on

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Hector Santos
Barry Leiba wrote: browser id, openid, and oauth are all authentication frameworks built on top of HTTP OAuth is an authorization framework, not an authentication one. Please be careful to make the distinction. What we're looking at here is the need for an HTTP authentication system that

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread David Harrington
Hi, Having been involved in adding security after-the-fact to SNMP, and to Syslog, and adding authorization after-the-fact to netconf, I know it is extremely difficult to add security later. I strongly believe that if http is going to be redesigned enough to justify a 2.0 label, then security

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Albert Lunde
It seems like what would be useful would be a way of bringing in trusted third-parties into authentication that didn't look like a man-in-the-middle attack, and didn't rely on JavaScript. SAML federation (e.g. Shibboleth) is layered on top of HTML+HTTP, but it, and most of the other existing

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread RJ Atkinson
Earlier, Barry Leiba wrote, in part: What we're looking at here is the need for an HTTP authentication system that (for example) doesn't send reusable credentials, is less susceptible to spoofing attacks, and so on. +1 More generally, I support the concerns raised by Stephen Farrell, Wes

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Paul Hoffman
The earnest calls for better authentication on this thread appear to ignore the fact that the very things that are being requested were put out of scope for the websec WG in their charter. I hope that no one thinks that a WG in the Applications Area will be better equipped to come up with a

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Peter Saint-Andre
On 2/22/12 10:31 AM, Paul Hoffman wrote: The earnest calls for better authentication on this thread appear to ignore the fact that the very things that are being requested were put out of scope for the websec WG in their charter. I hope that no one thinks that a WG in the Applications Area

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Paul Hoffman
On Feb 22, 2012, at 9:39 AM, Peter Saint-Andre wrote: The WebSec WG is in the Applications Area. Yeeps! My apologies. I guess seeing a room full of security regulars made me forget. --Paul Hoffman

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Stephen Farrell
On 02/22/2012 05:52 PM, Paul Hoffman wrote: On Feb 22, 2012, at 9:39 AM, Peter Saint-Andre wrote: The WebSec WG is in the Applications Area. Yeeps! My apologies. I guess seeing a room full of security regulars made me forget. Regardless of that you do have a fair point that asking apps

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Paul Hoffman
On Feb 22, 2012, at 10:35 AM, Stephen Farrell wrote: Regardless of that you do have a fair point that asking apps folks to do stuff that'll please security folks might be asking for trouble:-) However, the counter to that is that security folks doing stuff without enough apps input might

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-22 Thread Peter Saint-Andre
On 2/22/12 11:39 AM, Paul Hoffman wrote: On Feb 22, 2012, at 10:35 AM, Stephen Farrell wrote: Regardless of that you do have a fair point that asking apps folks to do stuff that'll please security folks might be asking for trouble:-) However, the counter to that is that security folks

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Stephen Farrell
Down below, for the proposed HTTP/2.0 work it says: * Reflecting modern security requirements and practices In some earlier discussion I asked what modern means there. It seems to mean at least working well with TLS, but I'm not sure what else is meant, if anything. In particular, I think

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Julian Reschke
On 2012-02-21 19:26, Stephen Farrell wrote: Down below, for the proposed HTTP/2.0 work it says: * Reflecting modern security requirements and practices In some earlier discussion I asked what modern means there. It seems to mean at least working well with TLS, but I'm not sure what else is

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Stephen Farrell
On 02/21/2012 06:33 PM, Julian Reschke wrote: On 2012-02-21 19:26, Stephen Farrell wrote: Down below, for the proposed HTTP/2.0 work it says: * Reflecting modern security requirements and practices In some earlier discussion I asked what modern means there. It seems to mean at least

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Julian Reschke
On 2012-02-21 19:37, Stephen Farrell wrote: ... I believe this should be orthogonal to HTTP/2.0. Is there a specific thing that makes it impossible to use the existing authentication framework? Who knows? We don't have a protocol on the table yet. I would imagine that some level of backwards

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Stephen Farrell
Hi Julian, On 02/21/2012 06:50 PM, Julian Reschke wrote: On 2012-02-21 19:37, Stephen Farrell wrote: ... I believe this should be orthogonal to HTTP/2.0. Is there a specific thing that makes it impossible to use the existing authentication framework? Who knows? We don't have a protocol on

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Barry Leiba
browser id, openid, and oauth are all authentication frameworks built on top of HTTP OAuth is an authorization framework, not an authentication one. Please be careful to make the distinction. What we're looking at here is the need for an HTTP authentication system that (for example) doesn't

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Mark Nottingham
On 22/02/2012, at 9:19 AM, Stephen Farrell wrote: Hi Julian, On 02/21/2012 06:50 PM, Julian Reschke wrote: On 2012-02-21 19:37, Stephen Farrell wrote: ... I believe this should be orthogonal to HTTP/2.0. Is there a specific thing that makes it impossible to use the existing

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Tim Bray
[in-line] On Tue, Feb 21, 2012 at 2:40 PM, Mark Nottingham m...@mnot.net wrote: And then should it include adding some new options or MTI auth schemes as part of HTTP/2.0 or even looking at that? (I think it ought to include trying for that personally, even if there is a higher-than-usual

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Stephen Farrell
On 02/21/2012 10:40 PM, Mark Nottingham wrote: On 22/02/2012, at 9:19 AM, Stephen Farrell wrote: So as in my initial mail the 1st question here is, what does modern mean in this draft charter? E.g. does it mean same as the current framework with different bits or something else? If so,

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Mark Nottingham
Stephen, The approach we're advocating for this WG is to solicit well-formed proposals, select one and develop it. If there isn't one for HTTP authentication, how are you advocating we proceed? Regards, On 22/02/2012, at 9:53 AM, Stephen Farrell wrote: On 02/21/2012 10:40 PM, Mark

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Stephen Farrell
On 02/21/2012 10:55 PM, Mark Nottingham wrote: Stephen, The approach we're advocating for this WG is to solicit well-formed proposals, select one and develop it. If there isn't one for HTTP authentication, how are you advocating we proceed? I'm not thinking now in terms of advocating a

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread Michael Richardson
Barry == Barry Leiba barryle...@computer.org writes: Barry OAuth is an authorization framework, not an authentication Barry one. Please be careful to make the distinction. Barry What we're looking at here is the need for an HTTP Barry authentication system that (for example)

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

2012-02-21 Thread David Morris
On Tue, 21 Feb 2012, Michael Richardson wrote: Barry == Barry Leiba barryle...@computer.org writes: Barry OAuth is an authorization framework, not an authentication Barry one. Please be careful to make the distinction. Barry What we're looking at here is the need for an