W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2007

Re: Straw-man charter for http-bis

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Tue, 19 Jun 2007 15:42:25 +0200
To: Robert Sayre <rsayre@mozilla.com>
Cc: ietf-http-wg@w3.org
Message-Id: <1182260545.31612.57.camel@henriknordstrom.net>
tis 2007-06-19 klockan 01:14 +0000 skrev Robert Sayre:

> I don't think it's worth implementing something like that for Basic or 
> Digest, given the known weaknesses they have. To make this effective, 
> the UI will still need to be "chrome" (trusted UI from the browser), but 
> allow some presentation control as well. Personally, I'm not comfortable 
> giving users security cues of that sort with the existing schemes, so I 
> think an authentication scheme that satisfies most of the requirements 
> in the Hartman draft is a prerequisite.

Kerberos Negotiate also has the same presentation problem.

It's a generic UI problem quite independent from the actual
authentication scheme, but needing to support multiple schemes. And as
you say figuring out the right level of control requires a bit of

If this is not started until there is a strong authentication scheme
available it will take even longer, and additionally considerably less
people will be interested in seeing the task of finding a better
authentication scheme to move forward.

The current set of at least 4 schemes (Basic, Digest, NTLM, Negotiate)
is more than sufficient as a test bed to figure out the correct UI
requirements, including the ability to inform the user about the
technical strength of each.. so even without a stronger authentication
scheme being available right now there is a lot to benefit.


Received on Tuesday, 19 June 2007 13:42:39 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:42 UTC