
RE: Next step on web phishing draft(draft-hartman-webauth-phishing-05.txt)

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Sun, 9 Sep 2007 18:47:58 -0700
Message-ID: <198A730C2044DE4A96749D13E167AD37013EDBE0@MOU1WNEXMB04.vcorp.ad.vrsn.com>
To: "Iljitsch van Beijnum" <iljitsch@muada.com>, "Alexey Melnikov" <alexey.melnikov@isode.com>
Cc: <ietf-http-auth@osafoundation.org>, <discuss@apps.ietf.org>, <saag@mit.edu>, <ietf@ietf.org>, <ietf-http-wg@w3.org>

> From: Iljitsch van Beijnum [mailto:iljitsch@muada.com] 

> During the reading of this document, it occurred to me that 
> HTTP digest authentication (RFC 2617) rather than the widely 
> used practice of having security credentials be typed into an 
> HTTP form would achieve 90% of the requirements all by 
> itself. 

Well maybe if people had listened to me then :-)

But at this point, fifteen years later, Digest is not the way to go. First, Digest was designed under the express constraint of avoiding patent encumbrances. RSA and D-H were both off the table at the time.

If I were to redo Digest today or expand its scope, I would do it differently. The main reason I would not is that SAML and WS-* both provide an excellent solution. I very much like and support the Cardspace idea of building into the O/S platform. I very much like the OpenID concept of making the barrier to entry very low. I would like to arrive at a happy combination of the existing proposals, not see more proposals put on the table at this point.
Received on Monday, 10 September 2007 01:51:21 GMT
