Re: Please review: http gss authentication mech
On Tue, Nov 14, 2006 at 01:07:10AM +0100, Martin Rex wrote:
> Traditional Web-Browsers have only limited functionality to replicate
> session authentication tokens in successor requests.
> - basic authentication credentials
> - cookies
> however only cookies can be set on request of the server.
>
> It would have been a good idea to have the browser replicate
> a server-issued (cryptographically strong) token on a www-authenticate:
> header field for every successive request after a gss/spnego handshake,
> but it appears the designers of the rfc4559 authentication scheme forgot to
> specify this, so right now, the use of non-persistent cookies and
> a preference or requirement of an SSL/TLS protected communication channel
> is probably the most portable design approach (with the least impact
> on the creative features of middle-boxes). If reverse proxies with
> load balancing to the backend are involved, the session re-authentication
> token must contain enough plaintext information for the reverse proxy
> to find the backend server that created this session for repeated
> or new network connections.
Yes, we shan't forget that. It's crucial for HTTP 1.0 operation.
Nico
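A server-side sketch of the design the quoted post argues for: after the GSS/SPNEGO handshake, issue a cryptographically strong session token as a non-persistent, TLS-only cookie whose plaintext prefix lets a load-balancing reverse proxy route later connections to the right backend. This is an added example, not code from the thread or from RFC 4559; the token layout, the cookie name `gss_session` and the key shared among backends are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo key. Assumption: every backend holds it; the reverse proxy
# never does, and only reads the plaintext backend id in front of the token.
BACKEND_KEY = b"constructed-demo-key-do-not-reuse"


def issue_session_token(backend_id: str, key: bytes = BACKEND_KEY) -> str:
    """Build the session re-authentication token after a successful SPNEGO handshake.

    Hypothetical layout:  <backend-id>.<nonce>.<mac>
    - backend_id stays plaintext so the reverse proxy can route without the key.
    - nonce is a 128-bit random session id from a CSPRNG (cryptographically strong).
    - mac binds both parts, so a swapped backend id or guessed session id is rejected.
    """
    if "." in backend_id:
        raise ValueError("backend id must not contain the field separator")
    nonce = base64.urlsafe_b64encode(secrets.token_bytes(16)).rstrip(b"=").decode()
    body = f"{backend_id}.{nonce}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{body}.{mac}"


def set_cookie_header(token: str) -> str:
    """Non-persistent: no Expires/Max-Age, so the browser discards it on exit.
    Secure confines it to the TLS channel the post prefers; HttpOnly keeps scripts out."""
    return f"Set-Cookie: gss_session={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


def route_backend(token: str) -> str:
    """Reverse proxy side: pick the backend from the plaintext prefix, no key needed."""
    return token.split(".", 1)[0]


def verify_session_token(token: str, key: bytes = BACKEND_KEY) -> bool:
    """Backend side: recompute the MAC and compare in constant time before trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    body = f"{parts[0]}.{parts[1]}"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(expected, parts[2])
```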
Kitten mailing list
Kitten at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/kitten