
Re: security requirements

From: Ingo Struck <lists@ingostruck.de>
Date: Sat, 21 Oct 2006 19:17:28 +0000
To: "Robert Sayre" <sayrer@gmail.com>
Cc: "Henrik Nordstrom" <hno@squid-cache.org>, "HTTP Working Group" <ietf-http-wg@w3.org>
Message-Id: <200610211917.35898.lists@ingostruck.de>

Robert, Henrik,

> > On Fri 2006-10-20 at 14:12 -0400, Robert Sayre wrote:
> > > HTTP security now takes place via forms, cookies, redirects, and
> > > rubber bands.
> >
> > And to be honest mainly because web designers are not happy with how the
>
> That is one reason. The ad-hoc stuff can be more secure than the
> standard schemes, too.
I never encountered any ad-hoc stuff that was better than Basic, though.
Not to speak of Digest. Especially nonces and mutual auth cannot
reasonably be done using cookies or any solution "above" the protocol.

> Also, there is no logout button. I plan to take care of both problems
> for new schemes in Mozilla.
This is one real showstopper. There must be a mechanism
for the client to drop the "session". For the server there
is no problem dropping it -- just send a new challenge.

> Need a markup widget to clear HTTP credentials
> <https://bugzilla.mozilla.org/show_bug.cgi?id=355319>
This could be a requirement of any auth-scheme too, but
fixing this "bug" is a good thing.

Kind regards

Ingo Struck
Received on Saturday, 21 October 2006 18:14:57 GMT
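The two protocol-level properties the message above leans on, nonces with replay protection and mutual authentication via rspauth, plus the server-side "drop the session by sending a new challenge" behaviour, are shown below in a self-contained Digest exchange. This is an added example, not code from the thread, from Mozilla or from any HTTP implementation. It assumes a toy in-process client and server exchanging header strings (no sockets), MD5 with qop=auth as in RFC 2617, and a constructed account ("alice" / "correct horse battery") held in a plaintext dict for demonstration only.

```python
import hashlib
import hmac
import re
import secrets

# Matches k="quoted value" or k=token inside a Digest header; the scheme word has no "=".
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def parse_params(value):
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(value)}


class DigestServer:
    """Server side of RFC 2617 Digest (MD5, qop=auth). A 'session' is just a live nonce."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users        # username -> password (plaintext only for this demo)
        self.nonces = {}          # live nonce -> highest nonce-count accepted so far

    def challenge(self, stale=False):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        hdr = f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}", algorithm=MD5'
        if stale:
            hdr += ", stale=true"
        return 401, {"WWW-Authenticate": hdr}

    def drop_session(self, nonce):
        # Server-side logout: forget the nonce; the next request gets a fresh challenge.
        self.nonces.pop(nonce, None)

    def handle(self, method, uri, headers):
        authz = headers.get("Authorization", "")
        if not authz.startswith("Digest "):
            return self.challenge()
        p = parse_params(authz)
        nonce = p.get("nonce")
        if nonce not in self.nonces:
            return self.challenge(stale=True)          # dropped or never issued
        nc = int(p.get("nc", "0"), 16)
        if nc <= self.nonces[nonce]:
            return self.challenge(stale=True)          # replayed nonce-count
        password = self.users.get(p.get("username"))
        if password is None or p.get("uri") != uri or p.get("qop") != "auth":
            return self.challenge()
        ha1 = md5hex(f'{p["username"]}:{self.realm}:{password}')
        ha2 = md5hex(f"{method}:{uri}")
        expected = md5hex(f'{ha1}:{nonce}:{p["nc"]}:{p["cnonce"]}:auth:{ha2}')
        if not hmac.compare_digest(expected, p.get("response", "")):
            return self.challenge()
        self.nonces[nonce] = nc
        # Mutual auth: rspauth proves the server knows HA1 (HA2 uses an empty method).
        rspauth = md5hex(f'{ha1}:{nonce}:{p["nc"]}:{p["cnonce"]}:auth:{md5hex(":" + uri)}')
        return 200, {"Authentication-Info":
                     f'qop=auth, rspauth="{rspauth}", cnonce="{p["cnonce"]}", nc={p["nc"]}'}


class DigestClient:
    def __init__(self, username, password):
        self.username, self.password = username, password
        self.realm = self.nonce = self._pending = None
        self.nc = 0

    def accept_challenge(self, www_authenticate):
        p = parse_params(www_authenticate)
        self.realm, self.nonce, self.nc = p["realm"], p["nonce"], 0

    def _ha1(self):
        return md5hex(f"{self.username}:{self.realm}:{self.password}")

    def authorization(self, method, uri):
        self.nc += 1
        nc, cnonce = f"{self.nc:08x}", secrets.token_hex(8)
        ha2 = md5hex(f"{method}:{uri}")
        response = md5hex(f"{self._ha1()}:{self.nonce}:{nc}:{cnonce}:auth:{ha2}")
        self._pending = (uri, nc, cnonce)
        return (f'Digest username="{self.username}", realm="{self.realm}", nonce="{self.nonce}", '
                f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}", algorithm=MD5')

    def verify_server(self, authentication_info):
        # A server that does not hold the password cannot compute rspauth.
        uri, nc, cnonce = self._pending
        p = parse_params(authentication_info)
        if p.get("nc") != nc or p.get("cnonce") != cnonce:
            return False
        expected = md5hex(f'{self._ha1()}:{self.nonce}:{nc}:{cnonce}:auth:{md5hex(":" + uri)}')
        return hmac.compare_digest(expected, p.get("rspauth", ""))


def run_exchange():
    """Challenge, login, mutual auth, replay attempt, then a server-side session drop."""
    server = DigestServer("example.org", {"alice": "correct horse battery"})  # constructed account
    client = DigestClient("alice", "correct horse battery")
    r = {}
    status, hdrs = server.handle("GET", "/private", {})
    r["no_credentials"] = status
    client.accept_challenge(hdrs["WWW-Authenticate"])
    authz = client.authorization("GET", "/private")
    status, hdrs = server.handle("GET", "/private", {"Authorization": authz})
    r["login"] = status
    r["server_authenticated"] = client.verify_server(hdrs["Authentication-Info"])
    r["replay"] = server.handle("GET", "/private", {"Authorization": authz})[0]
    r["next_request"] = server.handle("GET", "/private",
                                      {"Authorization": client.authorization("GET", "/private")})[0]
    server.drop_session(client.nonce)      # the server ends the session by forgetting the nonce
    status, hdrs = server.handle("GET", "/private",
                                 {"Authorization": client.authorization("GET", "/private")})
    r["after_drop"] = status
    r["stale"] = "stale=true" in hdrs["WWW-Authenticate"]
    return r


if __name__ == "__main__":
    print(run_exchange())
```

Note what the client side of the same exchange looks like: once `accept_challenge` has run, the client keeps answering every challenge with the stored password, and nothing in the protocol tells it to stop. Forgetting the realm and nonce (the `DigestClient` state) is the "logout" the message says browsers lacked; the server's only lever is `drop_session`, after which the stale=true re-challenge makes the client re-authenticate with the same credentials.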
