Re: Please review: http gss authentication mech
Tim,

Most of the history of why the HTTP-SASL draft died in IETF last call
in 2004 can be found in the IETF I-D Tracker. Look for "more detail"
links under comments from Eric Rescorla, Joe Orton, Roy Fielding and
myself. I believe this link will work:
https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=6611&rfc_flag=0

We followed this up with conversations over lunch in person with
Alexey Melnikov, Sam and others, also back in 2004, and concluded
that the group at hand couldn't at that time think up an architecture
that would tie SASL to HTTP without breaking intermediaries.

HTTP proxies, connections and state interact in a very complicated
way and there is a great deal of "deployed reality" in addition to
the specs. I consider myself an HTTP expert yet I find it very
difficult to be confident when this kind of thing will really work
(you can see this from my comments in the I-D tracker from 2004,
where I caught some issues but missed several even deeper
architectural issues). For example, today when a client request with
an Authorization header resul
_______________________________________________
Kitten mailing list
Kitten at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/kitten
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.