W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2007

Re: Straw-man charter for http-bis

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Sat, 09 Jun 2007 02:49:17 +0200
To: Yves Lafon <ylafon@w3.org>
Cc: Justin Erenkrantz <justin@erenkrantz.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <1181350157.4818.91.camel@henriknordstrom.net>
fre 2007-06-08 klockan 05:56 -0400 skrev Yves Lafon:

> Many sites moved away from HTTP authentication, not so much because of the 
> technical aspects of basic or digest, but mostly because there was no good 
> UI in browser.

Yes, as has been pointed out a number of times.

>  Of course browsers are not the only consumers of HTTP, far 
> from that, but when defining a new authentication scheme, having a way to 
> present it nicely in browsers would be part of the adoption path.

I would say the two is two quite separate tasks, quite independent of
each other.

- The presentation problem is needed to get solved to get web site
authors to accept HTTP authentication at all, or they will continue to
insist on using forms based authentication using plain-text login
+password just because the other alternatives doesn't "look right", not
caring about security.

- The scheme is needed to add wire security to the exchange. Digest does
a reasonably good job in protecting the wire exchange, but not quite
good enough and has a few other issues as well.

> Henrik's timeline is describing the positive outcome of creating a new 
> HTTP auth scheme.

Correct. Making changes in this area is a slow process, where the spec
writing is only a small part, comparable to getting vendor support. The
hard part is getting it generally accepted and deployed.

Regards
Henrik

Received on Saturday, 9 June 2007 00:49:29 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:10 GMT