- From: Henrik Nordstrom <henrik@henriknordstrom.net>
- Date: Mon, 11 Jun 2007 16:27:54 +0200
- To: Keith Moore <moore@cs.utk.edu>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Received on Monday, 11 June 2007 14:28:11 UTC
Mon 2007-06-11 at 03:16 -0400, Keith Moore wrote:

> it's not immediately clear to me that forms+cookies+TLS, when
> well-implemented, are worse than digest. of course, there are lots of
> potential pitfalls there.

Issues:

- Server knows the plaintext password
- Client needs to support cookies
- Client needs to support forms

The first is a security issue, as the user is probably reusing the same password for multiple services. The second two are interop issues. The use of forms authentication assumes there will be a visible user agent and a user manually filling in the form. This is not available in all clients.

> I suspect that the tendency to want to share authentication databases
> between HTTP and other applications puts any HTTP-specific mechanism at
> a disadvantage.

Well, it puts any secure authentication scheme different from the primary authentication scheme of the authentication database used at a disadvantage, no matter how it's implemented. Where "secure" in this context means that the scheme is designed in such a manner that the plain-text password is not exchanged (in plain, or reversibly encoded / encrypted).

Regards,
Henrik
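The property Henrik contrasts with forms authentication, that the server never has to see the plain-text password, is what RFC 2617 Digest gets from storing only HA1 = MD5(username:realm:password). The following is an added illustration, not code from the thread or from any HTTP implementation: a client computes the Digest response from the password, while the verifying server holds only HA1; the nonce, cnonce and credentials are the worked example from RFC 2617 section 3.5.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 as defined by RFC 2617 (algorithm=MD5): what the server may store."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorize(username: str, realm: str, password: str, method: str,
                     uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """Client side: the only party that ever handles the plain-text password."""
    return digest_response(digest_ha1(username, realm, password),
                           method, uri, nonce, nc, cnonce)


def server_verify(ha1_store: dict, username: str, realm: str, method: str,
                  uri: str, nonce: str, nc: str, cnonce: str, response: str) -> bool:
    """Server side: recomputes the response from stored HA1 only.

    The HA1 store is still a secret equivalent to the password for this
    realm, but it does not reveal the password itself and cannot be replayed
    against another realm or another service.
    """
    ha1 = ha1_store.get((username, realm))
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, response)


# Constructed server-side store: enrolment computes HA1 once and discards
# the password (values are the RFC 2617 section 3.5 example credentials).
REALM = "testrealm@host.com"
HA1_STORE = {("Mufasa", REALM): digest_ha1("Mufasa", REALM, "Circle Of Life")}
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE = "0a4f113b"
```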