W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2010

Re: Past Proposals for HTTP Auth Logout

From: Tim <tim-projects@sentinelchicken.org>
Date: Wed, 13 Jan 2010 08:43:58 -0800
To: Robert Sayre <sayrer@gmail.com>
Cc: ietf-http-wg@w3.org
Message-ID: <20100113164358.GR2406@sentinelchicken.org>
Hello Robert,

> > I appologize in advance if this is not an appropriate place to ask
> > this question.
> 
> Feel free to ask questions, but this group is not chartered to add
> features to HTTP authentication schemes. The charter is here:
> 
> <http://www.ietf.org/dyn/wg/charter/httpbis-charter.html>

Yes, I understand.  Sorry if you feel I've hijacked the list.  Just
couldn't find a better place to ask questions or solicit discussion.
I merely wanted to make sure my understanding of issues was firm
before proposing changes to the security community.  I hope to follow
up with an RFC draft if it makes sense in the future.


> That would address one shortcoming of those schemes, but they both
> have more fundamental problems. See
> 
> <http://tools.ietf.org/html/draft-ietf-httpbis-security-properties-03#section-2.2>


Yes, of course these cannot be considered secure on their own.
However, for various reasons not mentioned in that document, I
consider form+cookie authentication much worse than say, the HTTP
digest scheme.  (I will back this up with some arguments in the paper
I mentioned I'm working on.)  All would require something like TLS to
be truly safe, but I think a better way forward (than continued
reliance on cookies) is to make HTTP authentication viable again to
allow for more better designed, standardized, authenticaiton
protocols.


Regards,
tim
Received on Wednesday, 13 January 2010 16:44:29 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:16 GMT