Fixing HTTPAuth and native SRP on the Web

From: Harry Halpin <hhalpin@w3.org>
Date: Tue, 17 Dec 2013 23:26:29 +0100
Message-ID: <52B0CF95.2000506@w3.org>
To: "public-web-security@w3.org" <public-web-security@w3.org>

The IETF has a working group charter they are working on in this space, 
but W3C help could probably be used in terms of assuring implementation.

As for myself, while I realize that a browser chrome-based login or 
standardized pop-up à la HTTPAuth will likely never be used by most 
sites, something like that for high-security sites should work (and of 
course, w3.org!).

On the protocol level, I really prefer just good old-fashioned SRP 
(Secure Remote Password) simply because that is what I've used in past 
implementation work, but I understand the field has moved on a bit. Can 
anyone provide a brief summary of what is the state of the art in Auth 
beyond SRP [1]?

[1] http://srp.stanford.edu/

Received on Tuesday, 17 December 2013 22:26:38 UTC