
Re: [saag] [websec] [http-auth] re-call for IETF http-auth BoF

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Tue, 14 Jun 2011 16:59:54 +1200
To: hallam@gmail.com, julian.reschke@gmx.de
Cc: http-auth@ietf.org, public-identity@w3.org, saag@ietf.org, websec@ietf.org
Message-Id: <E1QWLjG-0007nd-EG@login01.fos.auckland.ac.nz>

Phillip Hallam-Baker <hallam@gmail.com> writes:

>what would we want HTTP authentication to look like?

I have a suggestion for what it shouldn't look like: Any method that hands 
over the password (or a password-equivalent like a password in hashed form) as 
current browsers do should be banned outright, and anyone who implements 
hand-over-the-password should be killed and eaten to prevent them from passing on 
the genes.

The only permitted auth. form should be a dynamic, cryptographic mutual auth. 
that authenticates both the client and the server.  There are endless designs 
for this sort of thing around so the precise form isn't too important, as long 
as it's not hand-over-the-password.

Peter.
Received on Tuesday, 14 June 2011 06:29:20 GMT
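The message above asks for "dynamic, cryptographic mutual auth" in which the password is never handed over. One concrete instance of that family is SRP-6a, and the following Python script is an added example (not part of the list message, and not an endorsement of SRP over any other PAKE) showing the full exchange: enrollment stores only a salt and verifier, both sides derive a shared key from their own secrets plus the other side's public value, and each proves knowledge of that key. It assumes SHA-256 rather than the SHA-1 of RFC 5054, simplified proof messages M1/M2, and the 1024-bit group from RFC 5054 Appendix A transcribed here; the usernames and passwords are constructed test values.

```python
import hashlib
import hmac
import secrets

# Group parameters: 1024-bit safe prime and generator from RFC 5054, Appendix A
# (transcribed here; check against the RFC before any real use).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8  # byte length used to pad group elements


def H(*parts: bytes) -> int:
    """Hash-to-integer; SHA-256 is this example's choice (RFC 5054 uses SHA-1)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(n: int) -> bytes:
    return n.to_bytes(NLEN, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def enroll(username: str, password: str):
    """One-time registration: the server stores (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    x = H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())
    return salt, pow(g, x, N)


def session_key_client(username: str, password: str, salt: bytes, a: int, A: int, B: int) -> bytes:
    if B % N == 0:
        raise ValueError("illegal server value B")
    u = H(pad(A), pad(B))
    x = H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())
    # B - k*g^x == g^b, so S == g^(b*(a + u*x)) on both sides
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(pad(S)).digest()


def session_key_server(v: int, b: int, A: int, B: int) -> bytes:
    if A % N == 0:
        raise ValueError("illegal client value A")
    u = H(pad(A), pad(B))
    S = pow(A * pow(v, u, N) % N, b, N)
    return hashlib.sha256(pad(S)).digest()


def proof_m1(A: int, B: int, K: bytes) -> bytes:
    """Client's key-confirmation message (simplified form, not the RFC 2945 M1)."""
    return hashlib.sha256(pad(A) + pad(B) + K).digest()


def proof_m2(A: int, M1: bytes, K: bytes) -> bytes:
    """Server's key-confirmation message; only a holder of v can compute it."""
    return hashlib.sha256(pad(A) + M1 + K).digest()


def handshake(username: str, typed_password: str, record):
    """Run the full exchange; returns the wire transcript and both sides' verdicts."""
    salt, v = record                           # what the server holds
    wire = []                                  # every byte that crosses the network
    a = secrets.randbelow(N - 1) + 1
    A = pow(g, a, N)
    wire += [username.encode(), pad(A)]        # client -> server: I, A
    b = secrets.randbelow(N - 1) + 1
    B = (k * v + pow(g, b, N)) % N
    wire += [salt, pad(B)]                     # server -> client: s, B
    K_c = session_key_client(username, typed_password, salt, a, A, B)
    M1 = proof_m1(A, B, K_c)
    wire.append(M1)                            # client -> server: M1
    K_s = session_key_server(v, b, A, B)
    server_accepts = hmac.compare_digest(M1, proof_m1(A, B, K_s))
    client_accepts = False
    if server_accepts:                         # a server that fails here sends nothing
        M2 = proof_m2(A, M1, K_s)
        wire.append(M2)                        # server -> client: M2
        client_accepts = hmac.compare_digest(M2, proof_m2(A, M1, K_c))
    return {"wire": b"".join(wire),
            "server_accepts_client": server_accepts,
            "client_accepts_server": client_accepts}


if __name__ == "__main__":
    rec = enroll("alice", "correct horse battery")      # constructed test credentials
    result = handshake("alice", "correct horse battery", rec)
    print("mutual auth:", result["server_accepts_client"], result["client_accepts_server"])
    print("password on the wire:", b"correct horse battery" in result["wire"])
```

The transcript returned in `wire` is everything a passive observer sees: the username, two group elements, the salt and two hashes, none of which is the password or a password-equivalent. A server that does not hold the enrolled verifier derives a different key and cannot pass the M1 check, so it never produces a valid M2; that is the "authenticates both the client and the server" property, and it falls out of the same exchange rather than being bolted on.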

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 14 June 2011 06:29:21 GMT