W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2011

Re: [saag] [websec] [kitten] HTTP authentication: the next generation

From: Ben Laurie <benl@google.com>
Date: Thu, 6 Jan 2011 18:16:15 +0000
Message-ID: <AANLkTi=zX+8fd7yZYsOprnJeu7L63GW9L_RzZfFZnH6e@mail.gmail.com>
To: David Morris <dwm@xpasc.com>
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, websec <websec@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On 6 January 2011 16:03, David Morris <dwm@xpasc.com> wrote:
>
>
> On Thu, 6 Jan 2011, Ben Laurie wrote:
>
>> The answer to this problem is hard, since it brings us back to taking the UI
>> out of the sites hands.
>
> Which is only helpful if you can somehow gaurantee that the user agent
> software hasn't been compromised. Not something I'd bet on...

That's rather overstating it. It's perfectly helpful when the UA
software hasn't been compromised, which is a non-zero fraction of the
time.

When the UA s/w has been compromised I'm quite happy to fail to fix
the problem: the right answer to that is to improve the robustness of
the UA.
Received on Thursday, 6 January 2011 18:19:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:36 GMT