
Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation

From: Tim Morgan <tim-projects@sentinelchicken.org>
Date: Mon, 13 Dec 2010 09:10:33 -0800
To: Dave Cridland <dave@cridland.net>
Cc: Carsten Bormann <cabo@tzi.org>, Common Authentication Technologies - Next Generation <kitten@ietf.org>, websec <websec@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, General discussion of application-layer protocols <apps-discuss@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>
Message-ID: <20101213171033.GA2111@sentinelchicken.org>

Hi Everyone,

These last few messages do a great job outlining both the real
problems that face adoption of HTTP authentication without a
customizable user interface, and the fact that HTTP authentication is
perhaps more secure than form-based authentication (as well as being a
requirement for automated/non-GUI clients).

I did some work not long ago on this and found that we can have our
cake and eat it too.  That is, even with current browser
implementations, one can utilize HTTP Basic/Digest with an HTML form
(if desired).  (Yes, once again, HTML forms may allow for easier
phishing, etc., but that is what the HTTP Mutual authentication
proposal can address.)

My position paper is here:
  http://vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf

And some proof of concept code for forms-based HTTP authentication can
be found on this page:
  http://vsecurity.com/resources/tool


The implementation is hacky right now, because, at the time of
development and testing, browsers didn't adhere well to the draft
XMLHttpRequest standard.  I haven't checked the status of browser
implementations, but the proposed standard still requires a behavior
that is workable with such a system.


So all of these pieces are coming together on their own to allow for
forms-based HTTP authentication.  The major outstanding piece needed
for most web applications with HTTP authentication is the ability to
log out.  The ability to instruct a browser, in a standard way
(preferably with HTTP response headers) to forget the credentials it
has cached.  Writing a draft RFC for this has been on my list for some
time, but I've been quite busy this year.  For those interested, I can
dig up some of the previous discussion threads...

cheers,
tim
Received on Monday, 13 December 2010 17:11:07 GMT
