Re: security requirements

From: Robert Sayre <sayrer@gmail.com>
Date: Fri, 20 Oct 2006 18:12:34 -0400
Message-ID: <68fba5c50610201512v587d7bak7235cfd838ee8477@mail.gmail.com>
To: "Henrik Nordstrom" <hno@squid-cache.org>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>

On 10/20/06, Henrik Nordstrom <hno@squid-cache.org> wrote:
> On Fri 2006-10-20 at 14:12 -0400, Robert Sayre wrote:
>
> > HTTP security now takes place via forms, cookies, redirects, and
> > rubber bands.
>
> And to be honest mainly because web designers are not happy with how the

That is one reason. The ad-hoc stuff can be more secure than the
standard schemes, too.

> GUI (user-agents) presents the request for user credentials.

Also, there is no logout button. I plan to take care of both problems
for new schemes in Mozilla.

Message body not displayed on HTTP 401 status response
<https://bugzilla.mozilla.org/show_bug.cgi?id=271383>

Need a markup widget to clear HTTP credentials
<https://bugzilla.mozilla.org/show_bug.cgi?id=355319>

Obviously, there will need to be buy-in from *all* of the big browser
vendors to move toward a Web standard. Maybe the W3C activity will
have that. If not, I don't see the point. Mozilla Foundation likes
standards when they result in one Web, so I doubt they will be a
holdout :)

-- 

Robert Sayre
Received on Friday, 20 October 2006 22:12:44 GMT
