Hi Keith,
--On May 13, 2005 12:55:16 AM -0400 Keith Moore <moore@xxxxxxxxxx> wrote:
Regarding your SMTP analogy, I don't think it is the case that adding another authentication flavor to HTTP is as simple as it was to add authentication to SMTP - first, because HTTP is much more complex than SMTP (especially in how it negotiates protocol options); second, because SMTP has a much cleaner extension model than HTTP (thank you mtr); third, because the relationships between principals tend to be different for HTTP than for SMTP; and fourth, because in the case of HTTP servers there is a significant investment in existing authentication databases and the types of credentials they support which did not exist for SMTP when authentication was added to it.
Its worth noting that the current CalDAV effort <http://www.ietf.org/internet-drafts/draft-dusseault-caldav-05.txt> (which is attempting to use WebDAV as the basis for a calendaring and scheduling protocol) would benefit from sharing an authentication database with other related services - email (IMAP, POP, SMTP etc) being the best example. Those existing protocols now typically use SASL for the authentication exchange so it would seem natural to want SASL in HTTP too so that CalDAV could be easily integrated into such environments. Unfortunately the HTTP SASL draft <http://www.ietf.org/internet-drafts/draft-nystrom-http-sasl-12.txt> proposing such a scheme has been stalled for quite a while, so progress on this front is limited. Also, I don't think it would help with the session tracking issue either.
-- Cyrus Daboo
_______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf