
Re: Discussion of Mandatory TLS in HTTP/2.0

From: Ross Nicoll <jrn@jrn.me.uk>
Date: Thu, 19 Jul 2012 15:41:15 +0100
Message-ID: <50081C8B.4010006@jrn.me.uk>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
CC: Phillip Hallam-Baker <hallam@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

I'm guessing the idea would be to write an HTTP authentication protocol 
that uses public-key pairs, so a user can confirm they have a secret 
piece of information (the private key) without having to actually share 
it to do so, or by using a smaller number of authentication providers 
(for example Twitter, Facebook, Google) so they handle the password, and 
the site only gets confirmation from a trusted source that you are who 
you say you are.


On 19/07/2012 15:32, Poul-Henning Kamp wrote:
> In message <CAMm+LwjSOYkJQPayq1btXR5iXLNqBOdgQvsQMAAwhuZSNqQCXw@mail.gmail.com>
> , Phillip Hallam-Baker writes:
>
>> My biggest Web security concern is not the risk of passwords being
>> intercepted on the wire, it's the fact that users have no practical
>> alternative to using the same password for the 100+ sites they use
>> that demand one.
> I have a hard time seeing how that can be solved at the HTTP protocol
> level?
>
Received on Thursday, 19 July 2012 14:41:41 GMT
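
The public-key option described in the message above, sketched as an added example (not code from this thread or from any HTTP specification): the server keeps only a public key, issues a single-use nonce, and checks a signature over its own origin plus that nonce. The names `Site`, `Challenge`, `Verify` and `Respond`, the origin-newline-nonce message layout and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Site (hypothetical) stores public keys only, so its user table holds no reusable secret.
type Site struct {
	Origin  string
	Keys    map[string]ed25519.PublicKey
	pending map[string]bool // nonces issued and not yet used
}

func NewSite(origin string) *Site {
	return &Site{origin, map[string]ed25519.PublicKey{}, map[string]bool{}}
}

// Challenge issues a fresh single-use nonce.
func (s *Site) Challenge() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	nonce := fmt.Sprintf("%x", b)
	s.pending[nonce] = true
	return nonce
}

// Verify accepts one signature over origin+nonce, then retires the nonce.
func (s *Site) Verify(user, nonce string, sig []byte) bool {
	pub, known := s.Keys[user]
	if !known || !s.pending[nonce] {
		return false
	}
	delete(s.pending, nonce)
	return ed25519.Verify(pub, []byte(s.Origin+"\n"+nonce), sig)
}

// Respond is the client side: the private key signs and is never sent.
func Respond(priv ed25519.PrivateKey, origin, nonce string) []byte { return ed25519.Sign(priv, []byte(origin+"\n"+nonce)) }

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	site := NewSite("https://a.example")     // constructed sample origin
	site.Keys["alice"] = pub
	n := site.Challenge()
	fmt.Println(site.Verify("alice", n, Respond(priv, site.Origin, n))) // true
}
```

Because the signed message includes the origin, a response captured at one site does not verify at another, and retiring the nonce on first use rejects a replay at the same site.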
