RE: Basic Authentication - what do we have? from Mary Ellen Zurko on 2007-06-27 (public-wsc-wg@w3.org from June 2007)

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Wed, 27 Jun 2007 17:26:09 -0400
To: dan.schutzer@fstc.org
Cc: public-wsc-wg@w3.org
Message-ID: <OF11C7BBB4.7791CF2D-ON85257307.0075B40A-85257307.0075C027@LocalDomain>
How would it be available to me as SCI when I put in the password?

          Mez





"Dan Schutzer" <dan.schutzer@fstc.org> 
Sent by: public-wsc-wg-request@w3.org
06/27/2007 05:17 PM

To
"'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>, "'Doyle, Bill'" 
<wdoyle@mitre.org>
cc
<public-wsc-wg@w3.org>
Subject
RE: Basic Authentication - what do we have?






SBM has the site provide a signed digital hash of the url, IP address ? 
that will certainly nail the identity of the site you are asking for
 

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] 
On Behalf Of Mary Ellen Zurko
Sent: Wednesday, June 27, 2007 5:12 PM
To: Doyle, Bill
Cc: public-wsc-wg@w3.org
Subject: RE: Basic Authentication - what do we have?
 

I'm getting the feeling I didn't make the issue I was grappling with 
clear. It's the Identity issue, not the Protocol Protection issue. 

I'm in a modal dialog asking me for a password. How do I know the identity 
of the site asking me? Particularly when the bits of the URL I care about 
are truncated off the right hand side of the title bar? (though I don't 
think a typical user should be expected to parse URLs for identity 
information).

Where in our proposals do we address that? 

          Mez




"Doyle, Bill" <wdoyle@mitre.org> 
06/26/2007 09:56 AM


To
"Anil Saldhana" <Anil.Saldhana@redhat.com>, <yngve@opera.com>
cc
"Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, 
<public-wsc-wg@w3.org>
Subject
RE: Basic Authentication - what do we have?
 


 
 




When used in conjunction with HTTPs, basic authentication is fine and
accepted. May even get medium robustness certification in the DoD when
used with FIPS 140-2 compliant TLS cipher, but I would have to check
that.

NTLM, has known issues, didn't think it was used beyond Microsoft
platforms. Digests never really took hold and both were superseded by
Kerberos V5.

Bill D.


-----Original Message-----
From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On Behalf Of Anil Saldhana
Sent: Monday, June 25, 2007 3:10 PM
To: yngve@opera.com
Cc: Mary Ellen Zurko; public-wsc-wg@w3.org
Subject: Re: Basic Authentication - what do we have?


I would not consider BASIC, DIGEST, NTLM as anywhere near secure.

Yngve Nysaeter Pettersen wrote:
>
> On Mon, 25 Jun 2007 15:17:29 +0200, Mary Ellen Zurko 
> <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:
>
>> What do we have in our set of proposals that addresses trust
decisions
>> posed by Basic Authentication? The realm information (within the
modal
>> dialog in the browser I use) is set by the web site. The browser I
use
>> puts the domain in the title bar. When I have the resolution on my 
>> display
>> cranked down to increase the size of everything (something I do more
and
>> more these days), the most pertinent part of the domain is truncated

>> from
>> the right hand side of the dialog's title display. I very much want
to
>> know that the domain ends in "ibm.com" when I think I'm typing in my
IBM
>> password. What, if anything, do we have in our proposals that
addresses
>> this?
>
> I don't recall having seen anything about this, at least major 
> discussion.
>
> I think a discussion of this should not be limited to Basic, but 
> should include the other methods, such as Digest and NTLM/Negotiate, 
> as well.
>
> Opera displays the servername as a field inside the dialog, as well
as 
> the realm, which is presented as a message from the server.
>
> We are currently considering what we display in this dialog and how
it 
> is displayed, from both a usability and a security point of view.
>
> Parts of what is being considered are:
>
>  - How to present the security of the credential transmission
>
>  - How to present the identity (at least the hostname) of who is 
> asking for the credentials in a usable manner. This is a problem that

> is not restricted to authentication, but extends to such areas as the

> display of the URL in address bar and determining if two servers are 
> allowed to share cookies. See references below for some discussion
and 
> background on that.
>
>
>  http://my.opera.com/yngve/blog/show.dml/267415
>
http://weblogs.mozillazine.org/gerv/archives/2007/01/effective_tld_list
_help_wanted.html 
>
>  http://wiki.mozilla.org/Gecko:Effective_TLD_Service
>
>
>

-- 
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/
Received on Wednesday, 27 June 2007 21:26:21 UTC