Re: Past Proposals for HTTP Auth Logout

From: Tim <tim-projects@sentinelchicken.org>
Date: Wed, 13 Jan 2010 08:43:58 -0800
To: Robert Sayre <sayrer@gmail.com>
Cc: ietf-http-wg@w3.org
Message-ID: <20100113164358.GR2406@sentinelchicken.org>
Hello Robert,

> > I apologize in advance if this is not an appropriate place to ask
> > this question.
> Feel free to ask questions, but this group is not chartered to add
> features to HTTP authentication schemes. The charter is here:
> <http://www.ietf.org/dyn/wg/charter/httpbis-charter.html>

Yes, I understand.  Sorry if you feel I've hijacked the list.  Just
couldn't find a better place to ask questions or solicit discussion.
I merely wanted to make sure my understanding of issues was firm
before proposing changes to the security community.  I hope to follow
up with an RFC draft if it makes sense in the future.

> That would address one shortcoming of those schemes, but they both
> have more fundamental problems. See
> <http://tools.ietf.org/html/draft-ietf-httpbis-security-properties-03#section-2.2>

Yes, of course these cannot be considered secure on their own.
However, for various reasons not mentioned in that document, I
consider form+cookie authentication much worse than say, the HTTP
digest scheme.  (I will back this up with some arguments in the paper
I mentioned I'm working on.)  All would require something like TLS to
be truly safe, but I think a better way forward (than continued
reliance on cookies) is to make HTTP authentication viable again to
allow for more better designed, standardized, authentication

Received on Wednesday, 13 January 2010 16:44:29 UTC