- From: figroc <figroc@gmail.com>
- Date: Thu, 28 Jan 2010 19:09:46 +0800
- To: Tim <tim-projects@sentinelchicken.org>
- Cc: ietf-http-wg@w3.org
Hi Tim,

Rather than introducing the new Authentication-Control header, I'd prefer to utilize the Authentication-Info header. For the current request, the HTTP server still needs to send the response with the Authentication-Info header; we can just add a new parameter, such as terminate="true" as presented in your paper.

As for a customizable login form, there are some proposals suggesting integration with HTML5 form authentication which talk about sending authentication information through normal form submission. I'd rather let HTML5-capable browsers submit authentication information through the Authorization header; that'd be more consistent. If we allow WWW-Authenticate to be present in 2xx/3xx responses, legacy browsers will act as usual.

BTW, why don't we introduce SRP to HTTP authentication? In my experience, the fact that servers must store password hashes (A1 values) which can be used to authenticate against the server directly is a big security drawback.

Regards,

On Wed, Jan 27, 2010 at 2:28 AM, Tim <tim-projects@sentinelchicken.org> wrote:
>
> Hello,
>
> I've finally published the paper I mentioned previously in relation to
> this thread:
> http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf
>
> Thanks to everyone who provided suggestions. I'm very much interested
> in any feedback on the paper itself, for those who have time to trudge
> through it.
>
> cheers,
> tim
>
Received on Thursday, 28 January 2010 11:10:22 UTC
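The "A1 values" concern raised in the message above, shown as an added example (this is editor-supplied code, not part of the original post or of any IETF draft). It implements the RFC 2617 Digest computation for qop=auth with MD5, a minimal Authorization header builder/parser, and a server-side verifier that works from a stored H(A1). The point it demonstrates is that H(A1) = MD5(username:realm:password) is password-equivalent: anyone who reads the server's credential store can answer any Digest challenge without learning a password. The sample username, realm, password, nonce and URI are the ones from the RFC 2617 section 3.5 example; the function names, the `STORE` dictionary and the attacker's nc/cnonce values are assumptions made for this illustration.

```python
import hashlib
import hmac
import re

# RFC 2617 Digest, algorithm=MD5, qop=auth:
#   H(A1)    = MD5(username ":" realm ":" password)
#   H(A2)    = MD5(method ":" digest-uri)
#   response = MD5(H(A1) ":" nonce ":" nc ":" cnonce ":" qop ":" H(A2))


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def h_a1(username: str, realm: str, password: str) -> str:
    """The per-user value a Digest server must store to verify responses."""
    return md5_hex(f"{username}:{realm}:{password}")


def h_a2(method: str, uri: str) -> str:
    return md5_hex(f"{method}:{uri}")


def response_from_ha1(ha1: str, nonce: str, nc: str, cnonce: str, qop: str,
                      method: str, uri: str) -> str:
    """The request-digest. Only H(A1) enters the computation, never the password."""
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{h_a2(method, uri)}")


def build_authorization(username: str, realm: str, nonce: str, uri: str,
                        nc: str, cnonce: str, response: str) -> str:
    """Assemble an Authorization: Digest credential (opaque omitted for brevity)."""
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
            'qop=auth, nc=%s, cnonce="%s", response="%s"'
            % (username, realm, nonce, uri, nc, cnonce, response))


# auth-param: token "=" ( token | quoted-string )
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_authorization(header: str) -> dict:
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest credential")
    return {k: (quoted or bare) for k, quoted, bare in _FIELD.findall(params)}


def server_verify(store: dict, header: str, method: str, issued_nonce: str) -> bool:
    """Server side: recompute the digest from the stored H(A1) and compare."""
    f = parse_authorization(header)
    if f.get("nonce") != issued_nonce or f.get("qop") != "auth":
        return False
    ha1 = store.get((f.get("username"), f.get("realm")))
    if ha1 is None:
        return False
    expected = response_from_ha1(ha1, f["nonce"], f["nc"], f["cnonce"], "auth",
                                 method, f["uri"])
    return hmac.compare_digest(expected, f.get("response", ""))


# Constructed sample values: the RFC 2617 section 3.5 example.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
URI, METHOD = "/dir/index.html", "GET"

# The server's credential store (assumed layout): this is all a Digest
# server can keep, and it is exactly what a client needs to authenticate.
STORE = {(USER, REALM): h_a1(USER, REALM, PASSWORD)}


def legitimate_client_header(nc: str = "00000001", cnonce: str = "0a4f113b") -> str:
    """A real client: derives H(A1) from the password it knows."""
    resp = response_from_ha1(h_a1(USER, REALM, PASSWORD), NONCE, nc, cnonce,
                             "auth", METHOD, URI)
    return build_authorization(USER, REALM, NONCE, URI, nc, cnonce, resp)


def attacker_header_from_leaked_store(leaked_ha1: str, nc: str = "00000002",
                                      cnonce: str = "deadbeef") -> str:
    """An attacker holding only the leaked H(A1): no password, same result."""
    resp = response_from_ha1(leaked_ha1, NONCE, nc, cnonce, "auth", METHOD, URI)
    return build_authorization(USER, REALM, NONCE, URI, nc, cnonce, resp)


if __name__ == "__main__":
    print("client accepted :", server_verify(STORE, legitimate_client_header(), METHOD, NONCE))
    leaked = STORE[(USER, REALM)]
    print("attacker accepted:", server_verify(STORE, attacker_header_from_leaked_store(leaked), METHOD, NONCE))
```

Both headers verify, which is the drawback the message describes: a Digest credential store is not merely crackable offline like a salted password hash, it is directly usable against the server. The nonce check in `server_verify` bounds replay, not this. A PAKE such as SRP stores a verifier that the client side cannot use to impersonate the user, which is the property the message is asking for.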