W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2007

Re: Straw-man charter for http-bis

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 19 Jun 2007 10:40:48 +0200
Message-ID: <46779690.1010706@gmx.de>
To: Robert Sayre <rsayre@mozilla.com>
CC: ietf-http-wg@w3.org

Robert Sayre wrote:
>  Henrik Nordstrom wrote:
>> Yes, and is what has been proposed several times, in several threads on
>> the topic.. but no detailed proposal written down yet.
>>
>> I would very much welcome a proposal from some browser vendor on this.
>> It's mainly browser technology which needs updates to adopt a feature
>> like this, on the server side it's most often just reconfiguration or at
>> worst trivial changes depending on the fine details of the proposed
>> extension and nature of the server implementation of 401 responses.
> 
> I don't think it's worth implementing something like that for Basic or 
> Digest, given the known weaknesses they have. To make this effective, 
> the UI will still need to be "chrome" (trusted UI from the browser), but 
> allow some presentation control as well. Personally, I'm not comfortable 
> giving users security cues of that sort with the existing schemes, so I 
> think an authentication scheme that satisfies most of the requirements 
> in the Hartman draft is a prerequisite.
> 
> The technical details of the 401 response won't be too difficult, but 
> figuring out the right level of presentation control for site authors 
> will probably require a good deal of research and experimentation.

I do agree with the latter, and therefore I disagree with you said before.

Trying to do everything at the same time may lead that nothing at all is 
done in the end. Thus starting the experiments around enhancing browser 
with respect to 401 and login forms should start as soon as possible.

Best regards, Julian
Received on Tuesday, 19 June 2007 08:41:11 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:10 GMT