Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

From: Willy Tarreau <w@1wt.eu>
Date: Fri, 24 Feb 2012 08:25:03 +0100
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, The IESG <iesg@ietf.org>, IETF-Discussion Discussion <ietf@ietf.org>, ietf-http-wg@w3.org
Message-ID: <20120224072503.GH1306@1wt.eu>

On Thu, Feb 23, 2012 at 05:23:45PM -0800, Paul Hoffman wrote:
> If only it were that simple. If the answer is "design an HTTP auth mechanism
> that is better than Digest", then this is a tractable goal. If it is "get
> IETF consensus on that auth mechanism", then it isn't. The latter has proven
> to be impossible because people say (possibly rightly) that web developers
> don't want auth mechanisms that use the browser chrome: they want auth in
> HTML, and anything that relies on the browser chrome is insufficient.

Maybe, but you still need HTTP-based auth for proxies anyway. Also, I
partially disagree with your point, seeing the number of applications
in enterprise which rely on the hated NTLM auth which is also HTTP-based;
they're using it because it's transparent to the user, and enterprise
customers do ask for such transparent auth schemes.

There would also be much less need for cookies if auth was carried by the
browser, and this would let the user log off. So I think there's a need
for this.

Regards,
Willy
Received on Friday, 24 February 2012 07:25:45 GMT