
RE: Basic Authentication - what do we have?

From: Doyle, Bill <wdoyle@mitre.org>
Date: Tue, 26 Jun 2007 09:56:31 -0400
Message-ID: <518C60F36D5DBC489E91563736BA4B5801815600@IMCSRV5.MITRE.ORG>
To: "Anil Saldhana" <Anil.Saldhana@redhat.com>, <yngve@opera.com>
Cc: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, <public-wsc-wg@w3.org>

When used in conjunction with HTTPS, basic authentication is fine and
accepted. May even get medium robustness certification in the DoD when
used with FIPS 140-2 compliant TLS cipher, but I would have to check.

NTLM has known issues, didn't think it was used beyond Microsoft
platforms. Digests never really took hold and both were superseded by
Kerberos V5.

Bill D.

-----Original Message-----
From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On Behalf Of Anil Saldhana
Sent: Monday, June 25, 2007 3:10 PM
To: yngve@opera.com
Cc: Mary Ellen Zurko; public-wsc-wg@w3.org
Subject: Re: Basic Authentication - what do we have?

I would not consider BASIC, DIGEST, NTLM as anywhere near secure.

Yngve Nysaeter Pettersen wrote:
> On Mon, 25 Jun 2007 15:17:29 +0200, Mary Ellen Zurko 
> <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:
>> What do we have in our set of proposals that addresses trust
>> posed by Basic Authentication? The realm information (within the
>> dialog in the browser I use) is set by the web site. The browser I use
>> puts the domain in the title bar. When I have the resolution on my
>> display cranked down to increase the size of everything (something I
>> do more and more these days), the most pertinent part of the domain is
>> truncated from the right hand side of the dialog's title display. I
>> very much want to know that the domain ends in "ibm.com" when I think
>> I'm typing in my password. What, if anything, do we have in our
>> proposals that addresses this?
> I don't recall having seen anything about this, at least major
> discussion.
> I think a discussion of this should not be limited to Basic, but
> should include the other methods, such as Digest and NTLM/Negotiate,
> as well.
> Opera displays the servername as a field inside the dialog, as well as
> the realm, which is presented as a message from the server.
> We are currently considering what we display in this dialog and how it
> is displayed, from both a usability and a security point of view.
> Parts of what is being considered are:
>  - How to present the security of the credential transmission
>  - How to present the identity (at least the hostname) of who is
> asking for the credentials in a usable manner. This is a problem that
> is not restricted to authentication, but extends to such areas as the
> display of the URL in address bar and determining if two servers are
> allowed to share cookies. See references below for some discussion
> background on that.
>  http://my.opera.com/yngve/blog/show.dml/267415
>  http://wiki.mozilla.org/Gecko:Effective_TLD_Service

Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management
JBoss, A division of Red Hat Inc.
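The thread above makes three points that can be shown in code: Basic credentials are only base64-encoded, so they are safe only over TLS (Bill's point); the realm string is chosen by the server and must be shown as a server message, not as the site's identity (Yngve's point); and a hostname truncated from the right hides exactly the part the user needs (Mary Ellen's point). The following Python is an added illustration written for this archive page; it is not code from any browser or from the thread's participants. The challenge string, the field labels ("Site:", "Message from server:") and the width handling are constructed assumptions.

```python
import base64
import re

# Constructed sample challenge, as a server might send in a 401 response
# (not taken from the thread). The realm is attacker/server-controlled text.
SAMPLE_CHALLENGE = 'Basic realm="Please enter your ibm.com password", charset="UTF-8"'

# Matches auth-param tokens: key="quoted value" or key=token
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_basic_challenge(header):
    """Parse a WWW-Authenticate Basic challenge into a dict of auth-params.

    Returns None when the scheme is not Basic, so callers do not treat a
    Digest or Negotiate challenge as Basic by accident.
    """
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    out = {}
    for m in _PARAM_RE.finditer(params):
        key = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3)
        out[key] = val.replace('\\"', '"')
    return out


def encode_basic(user, password):
    """Build the Authorization header value the browser would send.

    This is plain base64, not encryption: anyone who can read the request
    recovers the password, which is why Basic is acceptable only over HTTPS.
    """
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value):
    """Reverse encode_basic, showing how trivially the credentials come back."""
    scheme, _, blob = header_value.partition(" ")
    assert scheme == "Basic"
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def display_host(host, width):
    """Shorten a hostname for a narrow field by dropping characters from the
    LEFT, so the registrable suffix the user checks (e.g. 'ibm.com') survives.

    Truncating from the right, as in the title-bar behaviour described in the
    thread, is what hides the most important part of the name.
    """
    if len(host) <= width:
        return host
    return "\u2026" + host[-(width - 1):]


def render_prompt(scheme, host, realm, width=40):
    """Produce the lines of a credential dialog.

    Design (assumed, not any browser's actual layout): the hostname comes
    first and is derived from the connection, not from the server's text;
    the transport security is stated explicitly; the realm is labelled as
    a message from the server so the user does not mistake it for identity.
    """
    site_label = "Site: "
    transport = "encrypted (HTTPS)" if scheme == "https" else "NOT encrypted (plain HTTP)"
    return [
        site_label + display_host(host, width - len(site_label)),
        "Connection: " + transport,
        "Message from server: " + repr(realm),  # untrusted, server-chosen text
    ]


if __name__ == "__main__":
    params = parse_basic_challenge(SAMPLE_CHALLENGE)
    for line in render_prompt("https", "www.long.example.ibm.com", params["realm"], width=20):
        print(line)
    print(encode_basic("Aladdin", "open sesame"))
```

Running the block prints a three-line prompt in which the shortened host still ends in `ibm.com`, and the RFC 7617 sample credentials encoded as `Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==`, which `decode_basic` turns straight back into the password.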
Received on Tuesday, 26 June 2007 13:56:52 UTC
