- From: Albert Lunde <atlunde@panix.com>
- Date: Wed, 22 Feb 2012 10:32:19 -0600
- To: ietf-http-wg@w3.org
- CC: Julian Reschke <julian.reschke@gmx.de>, iesg@ietf.org, ietf-http-wg@w3.org, IETF-Discussion <ietf@ietf.org>
It seems like what would be useful would be a way of bringing in trusted
third-parties into authentication that didn't look like a
man-in-the-middle attack, and didn't rely on JavaScript.
SAML "federation" (e.g. Shibboleth) is layered on top of HTML+HTTP,
but it, and most of the other existing WebSSO systems, rely on
JavaScript tricks somewhere in their process.
Trusted third parties are presently more the domain of certificates or
Kerberos, than HTTP as such.
SASL is another framework for layering authentication onto protocols,
that's been worked on considerably. But I don't know if it can meet the
needs of the browser-based market now being served by
forms+cookies+JavaScript.
Finding a single authentication/authorization framework that serves the
needs of both browser and non-broswer clients is hard.
Scott Cantor has written a lot about why global logout for Shibboleth is
hard to implement. Part of that may rest on the underlying legacy
mechanisms they are using, but it's also a communication problem.
Having a local logout that really meant "stop sending cookies and
credentials for realm X to these servers" and/or authentication realms
that spanned servers might help, I don't know.
--
Albert Lunde albert-lunde@northwestern.edu
atlunde@panix.com (address for personal mail)
Received on Wednesday, 22 February 2012 16:32:53 UTC