WebTransport can't use HTTP authentication?

[LPardue]

In other parts of the IETF, we've been discussing how WebTransport is attractive because we can use HTTP authentication techniques during the WT session creation. This seems to be an accepted assumption that I haven't seen challenged (but I might just have missed that). Therefore, I was a bit surprised by the statement in the overview security considerations that says

WebTransport does not support any traditional means of HTTP-based authentication. It is not necessarily based on HTTP, and hence does not support HTTP cookies or HTTP authentication.

Perhaps this statement is true for the abstract overview but then the WebTransport over HTTP/X drafts don't speak about authentication at all, which seems to leave the reader in a position where its unclear what could be used in reality.

Is HTTP authentication really not supported, or is this just a gap that grew in the document family as we developed them?

[vasilvv]

It is definitely true that it not supported in the browsers. I imagine a native client can send whatever headers it wants, including HTTP auth.

[LPardue]

Sounds like it's half true based on an implementation decision 😀

Also makes me wondering when people building on top of WebTransport talk about auth, if they mean standard techniques or some hand-rolled thing

[DavidSchinazi]

Chair: briefly discussed in slide at IETF 120. Sounds like we do need to revisit the auth text