Nicolas.Williams at sun.com
Tue Mar 7 15:18:49 PST 2006
On Tue, Mar 07, 2006 at 02:33:58PM -0800, Hallam-Baker, Phillip wrote:
> > > The problem I think we need to solve is the problem of how a user can
> > > authenticate to any Web site using an authentication technology that
> > > they select without the need for any support from the Web site whatsoever.
> > Then you need a framework.
> No, that has been done so many times, I have done it twice myself.
Which frameworks did you use/create, and in what context?
> OK we can argue the need for some form of mechanism ID to allow the
> authentication service to support different authentication protocols on
> different systems.
This is implicitly conceding that there won't be a single, global,
> > This is where abstractions help the most; lacking a proper
> > abstraction you refer to "[a] bag of bits to send to the
> > relevant auth server,"
> > which unnecessarily constrains the solution space in ways
> > that are bad for security.
> Before you get too much into teaching me abstraction please take a look at
> the author list on SAML 1.0, Web Services 1.0 and HTTP Digest Auth.
Unnecessary snarking. I don't see you proposing good abstractions here,
and that's what matters here and now. I've my name on several
standards-track IETF documents, and several Internet-Drafts likely to
become standards-track IETF documents; so what? If I'm wrong on
something I'm wrong, no matter what past achievements I may have.
> > A proper security mechanism abstraction (which the GSS-API
> > is) does not so unnecessarily constrain the solution space;
> > to the contrary, it gives mechanism designers more freedom.
> The point I am making here is that to make a system work you have to make
> some decisions. GSSAPI allows those decisions to be punted off into the
> indefinite future which is why so little has got done.
If you mean the ID selection problem, well, that won't go away.
If you mean what mechanisms we choose to design, well, making it
possible to have many mechanisms *is* the point of a framework like the
GSS-API. I see that as a feature, not a bug, but this comes from not
believing in a global, unique, exclusive ID system.
More information about the Ietf-http-auth