
Re: Straw-man charter for http-bis

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Mon, 11 Jun 2007 16:27:54 +0200
To: Keith Moore <moore@cs.utk.edu>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <1181572074.8224.9.camel@henriknordstrom.net>
Mon 2007-06-11 at 03:16 -0400, Keith Moore wrote:
 
> It's not immediately clear to me that forms+cookies+TLS, when
> well-implemented, are worse than digest.  Of course, there are lots of
> potential pitfalls there.

Issues:
- Server knows the plaintext password
- Client needs to support cookies
- Client needs to support forms

The first is a security issue, as the user is probably reusing the same
password for multiple services.

The other two are interop issues. The use of forms authentication
assumes there will be a visible user agent and a user manually filling
in the form. This is not available in all clients.

> I suspect that the tendency to want to share authentication databases
> between HTTP and other applications puts any HTTP-specific mechanism at
> a disadvantage.

Well, it puts any secure authentication scheme different from the
primary authentication scheme of the authentication database used at a
disadvantage, no matter how it's implemented.

Where "secure" in this context means that the scheme is designed in such
a manner that the plain-text password is not exchanged (in plain, or
reversibly encoded / encrypted).

Regards
Henrik
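The difference Henrik draws between form-based login and Digest (the server seeing the plaintext password versus never seeing it) can be shown with the RFC 2617 Digest computation. The following is an added example, not code from the original thread or from any project it discusses; the realm, user name, password, URI and the in-memory credential store are constructed for illustration. It uses qop="auth" with MD5 as RFC 2617 specifies, stores only HA1 = MD5(user:realm:password) on the server, and contrasts that with what a form handler receives.

```python
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode

# Assumed realm for this example.
REALM = "example.org"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # RFC 2617 HA1. This is the only credential material the server keeps.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_value, nonce, nc, cnonce, qop, method, uri):
    # RFC 2617 response for qop="auth": MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Server-side credential store (constructed sample): HA1 only, no plaintext.
SERVER_DB = {"alice": ha1("alice", REALM, "correct horse battery staple")}


def server_challenge() -> dict:
    # Fresh server nonce per challenge; in a real server it would be tracked
    # so stale or replayed nonces can be rejected.
    return {"realm": REALM, "nonce": secrets.token_hex(16), "qop": "auth"}


def client_authorize(username, password, challenge, method, uri, nc="00000001"):
    # The client derives HA1 locally and sends only the hashed response.
    cnonce = secrets.token_hex(8)
    resp = digest_response(
        ha1(username, challenge["realm"], password),
        challenge["nonce"], nc, cnonce, challenge["qop"], method, uri,
    )
    return {
        "username": username, "realm": challenge["realm"],
        "nonce": challenge["nonce"], "uri": uri, "qop": challenge["qop"],
        "nc": nc, "cnonce": cnonce, "response": resp,
    }


def server_verify(auth: dict, method: str, issued_nonce: str) -> bool:
    # Reject anything not answering the nonce we actually issued.
    if auth["nonce"] != issued_nonce:
        return False
    stored_ha1 = SERVER_DB.get(auth["username"])
    if stored_ha1 is None:
        return False
    expected = digest_response(
        stored_ha1, auth["nonce"], auth["nc"], auth["cnonce"],
        auth["qop"], method, auth["uri"],
    )
    # Constant-time comparison of the two hex digests.
    return secrets.compare_digest(expected, auth["response"])


def digest_exchange(username, password, method="GET", uri="/private"):
    # One full challenge/response round trip; returns (accepted, auth header fields).
    ch = server_challenge()
    auth = client_authorize(username, password, ch, method, uri)
    return server_verify(auth, method, ch["nonce"]), auth


def form_login_receives(username, password) -> dict:
    # The forms+cookies+TLS alternative: TLS protects the wire, but the
    # application handler decodes the POST body and sees the password itself.
    body = urlencode({"user": username, "pass": password})
    return {k: v[0] for k, v in parse_qs(body).items()}


if __name__ == "__main__":
    ok, auth = digest_exchange("alice", "correct horse battery staple")
    print("digest accepted:", ok)
    print("digest fields sent:", auth)
    print("form handler sees:", form_login_receives("alice", "correct horse battery staple"))
```

Note the caveat that goes with Henrik's point: the server never learns the plaintext, but the stored HA1 is a password-equivalent for that realm, so a leaked Digest database still lets an attacker authenticate there; it just does not hand over a password that the user may have reused elsewhere.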

Received on Monday, 11 June 2007 14:28:11 GMT
