
Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

From: Albert Lunde <atlunde@panix.com>
Date: Wed, 22 Feb 2012 10:32:19 -0600
Message-ID: <4F451893.8000205@panix.com>
To: ietf-http-wg@w3.org
CC: Julian Reschke <julian.reschke@gmx.de>, iesg@ietf.org, ietf-http-wg@w3.org, IETF-Discussion <ietf@ietf.org>
It seems like what would be useful would be a way of bringing in trusted 
third-parties into authentication that didn't look like a 
man-in-the-middle attack, and didn't rely on JavaScript.

SAML "federation" (e.g. Shibboleth) is layered on top of HTML+HTTP,
but it, and most of the other existing WebSSO systems, rely on 
JavaScript tricks somewhere in their process.

Trusted third parties are presently more the domain of certificates or 
Kerberos, than HTTP as such.

SASL is another framework for layering authentication onto protocols, 
that's been worked on considerably. But I don't know if it can meet the 
needs of the browser-based market now being served by 
forms+cookies+JavaScript.

Finding a single authentication/authorization framework that serves the 
needs of both browser and non-browser clients is hard.

Scott Cantor has written a lot about why global logout for Shibboleth is 
hard to implement. Part of that may rest on the underlying legacy 
mechanisms they are using, but it's also a communication problem.

Having a local logout that really meant "stop sending cookies and 
credentials for realm X to these servers" and/or authentication realms 
that spanned servers might help, I don't know.

-- 
     Albert Lunde  albert-lunde@northwestern.edu
                   atlunde@panix.com  (address for personal mail)
Received on Wednesday, 22 February 2012 16:32:53 GMT