
Re: Discussion of Mandatory TLS in HTTP/2.0

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Thu, 19 Jul 2012 15:47:06 +0100
Message-ID: <50081DEA.8000409@cs.tcd.ie>
To: Ross Nicoll <jrn@jrn.me.uk>
CC: Poul-Henning Kamp <phk@phk.freebsd.dk>, Phillip Hallam-Baker <hallam@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>


On 07/19/2012 03:41 PM, Ross Nicoll wrote:
> I'm guessing the idea would be to write an HTTP authentication protocol
> that uses public-key pairs, so a user can confirm they have a secret
> piece of information (the private key) 

Fine idea:-) [1]

> without having to actually share
> it to do so, or by using a smaller number of authentication providers
> (for example Twitter, Facebook, Google) so they handle the password, and
> the site only gets confirmation from a trusted source that you are who
> you say you are.

But [1] is just one of the proposed new auth schemes [2], some
of which are more like your last bit above.

S.

[1] http://tools.ietf.org/html/draft-farrell-httpbis-hoba
[2] http://trac.tools.ietf.org/wg/httpbis/trac/wiki/HttpAuthProposals

> 
> 
> On 19/07/2012 15:32, Poul-Henning Kamp wrote:
>> In message <CAMm+LwjSOYkJQPayq1btXR5iXLNqBOdgQvsQMAAwhuZSNqQCXw@mail.gmail.com>, Phillip Hallam-Baker writes:
>>
>>> My biggest Web security concern is not the risk of passwords being
>>> intercepted on the wire, it's the fact that users have no practical
>>> alternative to using the same password for the 100+ sites they use
>>> that demand one.
>> I have a hard time seeing how that can be solved at the HTTP protocol
>> level?
>>
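The public-key idea Ross describes above, as an added Go example that is not code from the thread or from the HOBA draft: the server issues a single-use nonce, the client signs it (bound to the server's origin) with a key whose private half is never sent anywhere, and the server checks the signature against the enrolled public key. The Server type, ClientSign, the origin and the user name are constructed for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Server struct {
	origin     string                       // the origin this server authenticates for
	keys       map[string]ed25519.PublicKey // user -> enrolled public key; the private key never leaves the client
	challenges map[string]bool              // issued nonces not yet consumed
}

// Challenge issues a fresh random nonce that Verify will accept exactly once.
func (s *Server) Challenge() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	n := fmt.Sprintf("%x", b)
	s.challenges[n] = true
	return n
}

// toBeSigned binds origin and nonce, so a signature obtained by another site does not verify here.
func toBeSigned(origin, nonce string) []byte { return []byte(origin + "\n" + nonce) }

// ClientSign proves possession of priv by signing the challenge rather than sending the key.
func ClientSign(priv ed25519.PrivateKey, origin, nonce string) []byte {
	return ed25519.Sign(priv, toBeSigned(origin, nonce))
}

// Verify burns the nonce first (one attempt per challenge, so no replay), then checks the signature.
func (s *Server) Verify(user, nonce string, sig []byte) bool {
	if !s.challenges[nonce] {
		return false // never issued, or already used
	}
	delete(s.challenges, nonce)
	pub, ok := s.keys[user]
	return ok && ed25519.Verify(pub, toBeSigned(s.origin, nonce), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed origin and user for the demo; enrollment sends only the public key.
	srv := &Server{"https://example.test", map[string]ed25519.PublicKey{"alice": pub}, map[string]bool{}}
	n := srv.Challenge()
	fmt.Println("login ok:", srv.Verify("alice", n, ClientSign(priv, srv.origin, n)))
}
```

Because the signed message includes the origin, a per-site key pair also answers the password-reuse concern raised later in the thread: a response captured by one site is worthless at another.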
Received on Thursday, 19 July 2012 14:47:49 GMT
