
Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

From: Henrik Nordström <henrik@henriknordstrom.net>
Date: Wed, 29 Feb 2012 21:11:00 +0100
Message-ID: <1330546260.24673.37.camel@home.hno.se>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, IETF-Discussion <ietf@ietf.org>, "Roy T. Fielding" <fielding@gbiv.com>, Paul Hoffman <paul.hoffman@vpnc.org>, Mark Nottingham <mnot@mnot.net>, Tim Bray <tbray@textuality.com>, The IESG <iesg@ietf.org>, ietf-http-wg@w3.org
On Sat, 2012-02-25 at 19:23 +0100, Julian Reschke wrote:
> Well, I'm one of the editors of the authentication framework spec, so if 
> there's something wrong with it, I'd like to know.

Only the thing said earlier:

- Define how servers may influence the visible appearance of the login
action

- Perhaps some way of triggering a logout.

> So if we collectively think that the framework probably is ok, and that 
> we *do* need a new authentication scheme, what's stopping us to start 
> that activity *right now*?

Nothing.

A cleaned-up HTTP Digest with fewer fancy bells no one implements
correctly, and stronger methods, would do nicely at improving the raw
security side of things.

But at the same time it alone does solve the reasons why HTTP Digest is
not widely used today, or any of the newer use cases with auth
delegation via trusted third parties.

A very interesting thought is to look into how for example Kerberos
could be implemented as a first class HTTP Auth citizen without
violating HTTP messaging semantics. Is there anything needed at the
framework side for making that work right?

Regards
Henrik
Received on Wednesday, 29 February 2012 20:11:36 GMT
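The "cleaned-up HTTP Digest with stronger methods" mentioned in the message above, as an added worked example that is not part of the original post or of any httpbis draft: the RFC 2617 response computation for qop="auth", parameterised by hash algorithm so the same code runs with MD5 (the RFC 2617 default) and with SHA-256 (which RFC 7616 later added). The server side stores H(A1) rather than the password, enforces a strictly increasing nonce count to reject replays, and compares digests in constant time. The realm, usernames and passwords are constructed test data; `DigestServer`, `client_authorize` and `demo` are names chosen for this example only.

```python
"""
HTTP Digest (RFC 2617 / RFC 7616, qop="auth") with a pluggable hash.
Added example for the mailing-list discussion; not code from the thread.
"""
import hashlib
import hmac
import secrets

# Hash algorithms a Digest challenge may name. MD5 is the RFC 2617 default;
# SHA-256 was added by RFC 7616 as the "stronger method".
ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def _h(algorithm: str, data: str) -> str:
    """Hex digest of `data` under the negotiated algorithm."""
    return ALGORITHMS[algorithm](data.encode("utf-8")).hexdigest()


def ha1(algorithm: str, username: str, realm: str, password: str) -> str:
    """H(A1) = H(username:realm:password). A server stores this instead of
    the password, but it is still a password-equivalent for that realm."""
    return _h(algorithm, f"{username}:{realm}:{password}")


def digest_response(algorithm: str, ha1_hex: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = H( H(A1) : nonce : nc : cnonce : qop : H(A2) ), A2 = method:uri."""
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Minimal server side: issues nonces, verifies responses, rejects replays."""

    def __init__(self, realm: str, algorithm: str):
        self.realm = realm
        self.algorithm = algorithm
        self.users = {}    # username -> H(A1) (hypothetical credential store)
        self.nonces = {}   # issued nonce -> highest nonce-count accepted so far

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = ha1(self.algorithm, username, self.realm, password)

    def challenge(self) -> dict:
        """Parameters of a WWW-Authenticate: Digest challenge."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"realm": self.realm, "qop": "auth",
                "algorithm": self.algorithm, "nonce": nonce}

    def verify(self, method: str, p: dict) -> bool:
        """Check the parameters of an Authorization: Digest header."""
        stored = self.users.get(p.get("username"))
        if stored is None or p.get("realm") != self.realm:
            return False
        nonce = p.get("nonce")
        if nonce not in self.nonces:
            return False                      # never issued, or already expired
        nc = int(p["nc"], 16)
        if nc <= self.nonces[nonce]:
            return False                      # replay: nc must strictly increase
        expected = digest_response(self.algorithm, stored, method, p["uri"],
                                   nonce, p["nc"], p["cnonce"], p["qop"])
        if not hmac.compare_digest(expected, p["response"]):
            return False
        self.nonces[nonce] = nc
        return True


def client_authorize(chal: dict, username: str, password: str,
                     method: str, uri: str, nc: int = 1) -> dict:
    """Build the Authorization: Digest parameters answering `chal`."""
    cnonce = secrets.token_hex(8)
    nc_hex = f"{nc:08x}"
    h1 = ha1(chal["algorithm"], username, chal["realm"], password)
    return {
        "username": username, "realm": chal["realm"], "nonce": chal["nonce"],
        "uri": uri, "qop": chal["qop"], "nc": nc_hex, "cnonce": cnonce,
        "algorithm": chal["algorithm"],
        "response": digest_response(chal["algorithm"], h1, method, uri,
                                    chal["nonce"], nc_hex, cnonce, chal["qop"]),
    }


def demo(algorithm: str = "SHA-256") -> tuple:
    """One successful exchange followed by a replayed header.
    Returns (first_accepted, replay_accepted)."""
    server = DigestServer("example.org", algorithm)      # constructed realm
    server.add_user("alice", "correct horse")            # constructed credentials
    chal = server.challenge()
    auth = client_authorize(chal, "alice", "correct horse", "GET", "/secret", nc=1)
    return server.verify("GET", auth), server.verify("GET", auth)


if __name__ == "__main__":
    print("SHA-256:", demo("SHA-256"))
    print("MD5:", demo("MD5"))
```

The hash choice changes only `_h`; everything the message calls "fancy bells" (auth-int, the -sess variants, the no-qop legacy form) is left out, which is the point of the cleanup. Note what the stronger hash does not fix: H(A1) is still a password-equivalent and the password itself is still dictionary-attackable offline by anyone who captures a challenge/response pair, so this improves the primitive, not the delegation use cases the message says Digest fails to cover.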
