Re: deprecating Postel's principle - considered harmful

On 5/10/19 6:47 PM, Nico Williams wrote:

>> MITM proxies introduce their own horrors and they are an example of the
>> cost of trying to remain principled in an unprincipled world. We could do
>> MITM in a much better way than we have ended up with. But we can't come to
>> consensus on a protocol of that sort.
>
> Consensus isn't the problem.  The problem is that HTTP/1.x was so
> trivial to implement (bash + printf + nc can do it) that there are too
> many "stacks" in which to implement something new, so it can't be done.

Number of implementations (which can be related to ease of implementation) is something that I suspect affects which of EKR's equilibrium points the situation ends up in. A protocol that's easy to implement should be considered a success, IMO, but it does make it harder to evolve the protocol.

(These days there's a bit of religious dogma floating around the idea that everyone should keep all of their protocol stacks current. While I understand the sentiment, and often agree in specific cases, I'm not sure it scales well, especially into the IoT world. There's something to be said for a protocol that's so well-designed and stable that it doesn't need to be upgraded, and stable enough that it's worth spending the time to get the implementation right the first time. I'm sure some people regard that as heresy, but there are lots of negative consequences associated with constantly having to have upgrades, including increased development/maintenance cost, increased interoperability failures, and increased vendor lock-in.)

> This is also why 3xx redirect-based authentication methods are winning
> over as-originally-intended 401 / WWW-Authenticate / Authorization
> methods.  It's easier to implement redirect chasing than to implement a
> pluggable authentication method framework.  (Also, it's easier on server
> devs to use redirects.)  I just wish 3xx and 401 weren't mutually
> exclusive.  I posted to art@xxxxxxxx a few weeks ago about that but got no
> replies, sadly.

It has long seemed to me that the early available 401-based methods (by which I mean the ones available in browsers from mid to late 1990s) failed largely because of their inflexibility and relatively poor user experience provided by the browsers, and especially because avoiding 401 altogether and using redirects and cookies instead allowed each site to customize the login user experience. Then the latter became widely held mindshare that redirects and cookies are how you do authentication. Which is very unfortunate, because cookies are an absolute disaster and it's very hard to see how to get rid of them. (Even though at least some of their problems were obvious from the start, and IETF tried to fix them multiple times.)

Keith




