
Re: [websec] HTTP authentication: the next generation

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 13 Dec 2010 16:39:22 +0100
Message-ID: <4D063E2A.3010108@gmx.de>
To: Peter Saint-Andre <stpeter@stpeter.im>
CC: http-auth@ietf.org, "kitten@ietf.org" <kitten@ietf.org>, websec@ietf.org, saag@ietf.org, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On 10.12.2010 23:53, Peter Saint-Andre wrote:
> Is it time to start thinking about next-generation authentication
> technologies for HTTP?
>
> We all know that BASIC and DIGEST are ancient and crufty and lacking
> many features and security properties we might want, but there hasn't
> been much discussion about more modern approaches. Here are a few things
> I've found:
> ...

Probably. But while doing so, we need to look at the existing base as well.

HTTPbis now includes the HTTP authentication framework (essentially 
RFC2617 minus Basic and Digest). The HTTPbis WG is interested in 
feedback on the remaining issues (such as Realm required?, and 
considerations for new schemes).

Also, I believe Basic is not going to go away, and I'd really like to 
fix its I18N problem. Proposal here: 
<http://greenbytes.de/tech/webdav/draft-reschke-basicauth-enc-01.html>.

Best regards, Julian
Received on Monday, 13 December 2010 15:39:58 GMT
