[Bug 11912] HTML5 provides an opportunity to fix a long-running problem with HTTP Authentication. HTTP Authentication is important, because it is the only way to execute a request with 100% certainty that the user has provided an authentication secret. Furthermore, from bugzilla@jessica.w3.org on 2011-01-28 (public-html-bugzilla@w3.org from January 2011)

From: <bugzilla@jessica.w3.org>
Date: Fri, 28 Jan 2011 21:17:47 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1PivhT-0000pK-NR@jessica.w3.org>

http://www.w3.org/Bugs/Public/show_bug.cgi?id=11912

Aryeh Gregor <Simetrical+w3cbug@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Simetrical+w3cbug@gmail.com

--- Comment #1 from Aryeh Gregor <Simetrical+w3cbug@gmail.com> 2011-01-28 21:17:46 UTC ---
(In reply to comment #0)
> Specification: http://www.w3.org/TR/html5/
> Section: http://www.whatwg.org/specs/web-apps/current-work/#top
> 
> Comment:
> HTML5 provides an opportunity to fix a long-running problem with HTTP
> Authentication.  HTTP Authentication is important, because it is the only way
> to execute a request with 100% certainty that the user has provided an
> authentication secret.

How is it more certain than with cookies?

> Furthermore, because the secret is transmitted with
> each request, it can be passed on to other authenticated services on the
> server-side.

How is the same not true of cookies?

> HTTP Authentication is often regarded as a dinosaur, but in conjunction with
> SSL, it is vastly more secure and more useful than any other authentication
> mechanism used by web sites and web applications.

How so?

> When used properly, it can
> improve security across all backend services by using credential forwarding
> instead of, for example, storing database credentials on the server where they
> could be recovered and abused by a malicious person.

How is it that you can avoid storing some form of credentials on the server?

Basically, why exactly is HTTP auth worth using instead of cookies?  You've
repeatedly stated that it is, but didn't provide reasoning to support your
statements.  Maybe this is all common knowledge in some circles, but your case
would be a lot stronger if you state it explicitly.

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

Received on Friday, 28 January 2011 21:17:49 UTC