
Re: [saag] [apps-discuss] [websec] [kitten] HTTP authentication: the next generation

From: John C Klensin <john-ietf@jck.com>
Date: Fri, 17 Dec 2010 06:11:11 -0500
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
cc: smb@cs.columbia.edu, apps-discuss@ietf.org, Common@core3.amsl.com, http-auth@ietf.org, ietf-http-wg@w3.org, kitten@ietf.org, saag@ietf.org, websec@ietf.org
Message-ID: <97844CCF96DABB3B5F2A976F@[192.168.1.128]>


--On Friday, December 17, 2010 6:18 PM +1300 Peter Gutmann
<pgut001@cs.auckland.ac.nz> wrote:

> John C Klensin <john-ietf@jck.com> writes:
> 
>> We could round up a collection of UI experts to look at some
>> of these things and have them shake their heads and say
>> "royal mess you have gotten yourselves into".
> 
> The problem isn't that UI experts haven't looked at this,
> there have been a large number of papers published on this
> problem over the last decade or so, it's that it's proven
> pretty much impossible to get any action taken over it. The
> browser approach is "PKI isn't working, so we'll respond with
> even more PKI (EV certs) while stridently ignoring any
> workable alternatives (TLS-SRP and -PSK)", and there's no
> sign that this will ever change. There simply isn't a hammer
> big enough to force a change here (or, if there is, no-one's
> managed to identify it yet).

I perhaps should have said "...yet another collection of UI
experts..." and "shake their heads again...".

But I don't think we disagree: from my point of view, you are
just describing some aspects of what I tried to summarize as
"royal mess". I do think there is at least one big enough
hammer, although I'm not predicting we will get there soon and
really don't like seeing protocols designed by a sequence of
disaster, legal action, and legislation. And I am not, for the
record, offering an opinion as to whether the approaches you
suggest are workable and/or the right answers.

   john
Received on Friday, 17 December 2010 11:11:50 GMT