- From: Willy Tarreau <w@1wt.eu>
- Date: Fri, 24 Feb 2012 08:25:03 +0100
- To: Paul Hoffman <paul.hoffman@vpnc.org>
- Cc: "Roy T. Fielding" <fielding@gbiv.com>, The IESG <iesg@ietf.org>, IETF-Discussion Discussion <ietf@ietf.org>, ietf-http-wg@w3.org

On Thu, Feb 23, 2012 at 05:23:45PM -0800, Paul Hoffman wrote:
> If only it were that simple. If the answer is "design an HTTP auth mechanism
> that is better than Digest", then this is a tractable goal. If it is "get
> IETF consensus on that auth mechanism", then it isn't. The latter has proven
> to be impossible because people say (possibly rightly) that web developers
> don't want auth mechanisms that use the browser chrome: they want auth in
> HTML, and anything that relies on the browser chrome is insufficient.

Maybe but you still need HTTP-based auth for proxies anyway. Also, I partially disagree with your point, seeing the number of applications in enterprise which rely on the hated NTLM auth which is also HTTP-based; they're using it because it's transparent to the user, and enterprise customers do ask for such transparent auth schemes.

There would also be much less need for cookies if auth was carried by the browser, and this would let the user log off.

So I think there's a need for this.

Regards,
Willy

Received on Friday, 24 February 2012 07:25:45 UTC