Client development for HTTP Negotiate
Nico Williams
nico at cryptonector.com
Thu Feb 28 13:39:49 EST 2013
On Thu, Feb 28, 2013 at 11:30 AM, Russ Allbery <rra at stanford.edu> wrote:
> Nico Williams <nico at cryptonector.com> writes:
>> You basically have to initialize a new security context for every HTTP
>> request. This sucks. You can avoid this only by creating a "session".
>> Traditionally that means "use cookies". Or you could implement one of
>> several proposals for "session continuation" based on session IDs and
>> per-request/response MACs binding requests/responses to sessions.
>
> The pain here is inherent in the HTTP security model or, rather, lack
> thereof. Almost every other widely-used protocol has some inherent way of
> establishing a persistent security context that is used for subsequent
> protocol commands. HTTP doesn't; you essentially have to repeat yourself
> with every request because it was designed to be stateless. This applies
> to all HTTP security mechanisms; it's just that most of the widely used
> ones don't care about context.
HTTP doesn't define a "session continuation" [see below] mechanism,
but it doesn't stop you from layering one above HTTP either. The way
websites do it is with cookies, with attendant problems (namely: a)
cookies are bearer tokens, b) the web security model often results in
sites being able to use cookies to track your visits to other sites
with whom they have a relationship of some sort).
> I was very sad when I heard about SPDY, looked at the protocol briefly,
> and discovered that it apparently doesn't fix this. Hopefully I'm just
> missing something.
The IETF WEBSEC WG will propose (at IETF 86) adopting as a working
group item both a description of the problem and one or more
solutions (though only one solution should make it to Standards-Track
RFC status).
The I-D being proposed as the problem description RFC is
http://tools.ietf.org/html/draft-williams-websec-session-continue-prob-00 .
The I-D I'm proposing as the starting point for a solution is
http://tools.ietf.org/html/draft-williams-websec-session-continue-proto-00 . (Yes, it needs work.)
Nico
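The "session continuation" idea discussed in this thread (a session ID plus a per-request MAC instead of a bearer cookie), as an added illustration that is not from the post or from either I-D: the header layout, the counter-based replay check and the session store are constructed for this example and are not the draft's wire format.

```python
import hashlib
import hmac
import secrets

# Toy illustration of session continuation: after the initial HTTP
# Negotiate exchange the server hands the client a session ID and a
# session key (in practice it would be derived from the GSS context);
# later requests carry the ID plus a MAC over the request, so a captured
# header is not a reusable bearer token.  Header layout is constructed.

SESSIONS = {}  # session_id -> {"key": bytes, "seq": last accepted counter}

def new_session():
    """Server side: create a session once Negotiate authentication succeeded."""
    sid = secrets.token_hex(16)
    key = secrets.token_bytes(32)
    SESSIONS[sid] = {"key": key, "seq": 0}
    return sid, key

def _request_mac(key, sid, seq, method, path, body):
    # Bind the MAC to the session, a per-session sequence number (replay
    # protection), the request line and a hash of the body.
    body_hash = hashlib.sha256(body).hexdigest()
    msg = "\n".join([sid, str(seq), method, path, body_hash]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def client_sign(key, sid, seq, method, path, body=b""):
    """Client side: produce the header value for a continued request."""
    return f"{sid}:{seq}:{_request_mac(key, sid, seq, method, path, body)}"

def server_verify(header, method, path, body=b""):
    """Server side: accept only a fresh, correctly MACed request."""
    try:
        sid, seq_s, mac = header.split(":")
        seq = int(seq_s)
    except ValueError:
        return False
    sess = SESSIONS.get(sid)
    if sess is None or seq <= sess["seq"]:  # unknown session or replayed counter
        return False
    expected = _request_mac(sess["key"], sid, seq, method, path, body)
    if not hmac.compare_digest(expected, mac):
        return False
    sess["seq"] = seq  # advance only after a successful check
    return True
```

A replayed header, a tampered body, or an unknown session ID is rejected, while the client can keep sending requests without re-running the Negotiate exchange.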
--
More information about the krbdev mailing list