Re: OT re HTTP auth disassocation of credentials from Yutaka OIWA on 2011-10-04 (ietf-http-wg@w3.org from October to December 2011)

From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Tue, 04 Oct 2011 18:02:27 +0900
To: ietf-http-wg@w3.org
CC: "http-auth@ietf.org" <http-auth@ietf.org>
Message-ID: <4E8ACBA3.3030302@aist.go.jp>

Dear all,
(added http-auth mailing list, responses preferred to this list)

recently some browser vendors are trying incorporating authentication
control with the browser's identity management mechanisms, and they
propose some HTML/JavaScript level extensions for it.
If you just need log-out feature, and if you can assume JavaScript support,
it may just work for you.  I think this trend may allow us a small icon
for authentication control, hopefully.

I am working from a bit different viewpoint, making HTTP authentication
support more features which is currently only available via Form-based
authentications, not limited to log-out control.
My proposal is currently in a part of my new HTTP authentication scheme
draft (draft-oiwa-http-mutualauth-09), and I am planning to make it
a separate draft in the next revision.

I put "pre-draft" on our Web page at

<https://www.rcis.aist.go.jp/special/MutualAuth/files/spec/draft-oiwa-http-auth-extension-pre00.4.txt>

(or < https://bit.ly/o3MDq4 > if line wrapping is nasty), and I will submit -00
draft possibly before the Taiwan meeting.
Again, it may be over-engineered for log-out only, but please have a look,
and if you're going to or wish to extend HTTP, it may serve for your needs.

On 09/20/11 06:28, Adrien de Croy wrote:
> 
> I think it would me more useful if it could be controlled from the server. 
> Hence a status or header.
> 
> However, for browser vendors, since finding screen real-estate is such a
> problem, an approach could be taken similar to the one used to show that a
> sight is using TLS and to see certificate information.  E.g. a small icon
> showing that the request is authenticated, which could then give details of the
> method, and an option to log out.
> 
> Adrien
> 
> 
> On 20/09/2011 12:43 a.m., Karl Dubost wrote:
>> Le 19 sept. 2011 à 02:37, Jan Algermissen a écrit :
>>> FWIW I'd rather see browsers put a logout-button right in the browser GUI.
>>> The button could simply cause the browser to stop sending the credentials.
>>
>> As much as I could see the benefit for it. I do not think this will fly for
>> browser vendors. They are all currently trying to simplify the UI and
>> minimize it. There is also the balance in between introducing a new UI
>> feature with the number of times this (HTTP Auth) will be used. For example,
>> Firefox removed the RSS icon (by default).
>>
>> PS: not advocating for any sides of the issue.
>>
>

Received on Tuesday, 4 October 2011 09:03:06 UTC