- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 13 Feb 2008 19:59:02 +0000 (UTC)
- To: John Panzer <jpanzer@acm.org>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
We need a terminology section that defines these terms so we can use them in these conversations.

- party A: original server
- party B: third-party server, service provider
- party U: user, client, user agent, browser

U visits A, which returns a page that then attempts to communicate with B.

On Wed, 13 Feb 2008, John Panzer wrote:
>
> What mechanism do you propose clients and servers implement use to
> authenticate users for CSR requests?

HTTP Authentication and/or cookies, like they do now. If the user isn't logged in, the third-party server would return an error to the client, and the page from the original server would then redirect the user to the third-party server (the service provider) to get them to log in.

> Because servers have to implement _something_. Realistic mechanisms
> have to be resistant to distributed brute force attacks even without
> AC4CSR (thank you, Storm Worm). On a side note, I hope that servers
> opting in to CSR would never consider using username/password auth on
> each request. Since it is possible to implement username/password auth
> in ways opaque to browsers ("&u=foo&pass=bar"), perhaps this is worth a
> note in the security section.

The original server shouldn't ever have access to the _user's_ credentials, certainly.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 13 February 2008 19:59:12 UTC
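The flow Ian sketches for party B (authenticate with cookies or HTTP Authentication, return an error the page at A can act on when the user is not logged in, and never accept credentials passed in the URL the way John's "&u=foo&pass=bar" example does) modelled as a request handler. This is an added illustration, not code from the thread or the AC4CSR draft; the session table, user table, origin list and the use of the modern `Origin` / `Access-Control-Allow-Origin` header names in place of the 2008 draft's headers are all assumptions.

```python
"""Party B decision logic for a cross-site request from a page served by party A."""
import base64
import hmac
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (assumptions, not from the thread).
SESSIONS = {"s3ss10n-abc": "alice"}          # session cookie value -> user
BASIC_USERS = {"alice": "secret"}            # HTTP Basic credentials (placeholder)
ALLOWED_ORIGINS = {"https://a.example"}      # party A sites B opts in to serve
CREDENTIAL_PARAMS = {"u", "user", "username", "pass", "password", "pwd"}

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def authenticate(headers):
    """Identify the user from a session cookie or HTTP Basic auth; None if neither is valid."""
    cookie = SimpleCookie(headers.get("Cookie", ""))
    if "sid" in cookie and cookie["sid"].value in SESSIONS:
        return SESSIONS[cookie["sid"].value]
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:  # includes binascii.Error and UnicodeDecodeError
            return None
        if user in BASIC_USERS and hmac.compare_digest(pw, BASIC_USERS[user]):
            return user
    return None

def handle_cross_site_request(url, headers):
    """Return the response party B sends for a cross-site request to `url`."""
    origin = headers.get("Origin")
    if origin not in ALLOWED_ORIGINS:
        return Response(403, body="origin not allowed")
    query = parse_qs(urlsplit(url).query)
    if CREDENTIAL_PARAMS & {k.lower() for k in query}:
        # Credentials in the URL are visible to A's page; B refuses them outright.
        return Response(400, body="credentials in query string are not accepted")
    user = authenticate(headers)
    cors = {"Access-Control-Allow-Origin": origin}
    if user is None:
        # Error the page at A can detect, so it can send U to B's login page.
        return Response(401, {**cors, "WWW-Authenticate": 'Basic realm="B"'},
                        "login required; visit https://b.example/login")
    return Response(200, cors, f"hello {user}")
```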