Re: Straw-man charter for http-bis

Robert Sayre wrote:
>  Henrik Nordstrom wrote:
>> Yes, and is what has been proposed several times, in several threads on
>> the topic.. but no detailed proposal written down yet.
>>
>> I would very much welcome a proposal from some browser vendor on this.
>> It's mainly browser technology which needs updates to adopt a feature
>> like this, on the server side it's most often just reconfiguration or at
>> worst trivial changes depending on the fine details of the proposed
>> extension and nature of the server implementation of 401 responses.
> 
> I don't think it's worth implementing something like that for Basic or 
> Digest, given the known weaknesses they have. To make this effective, 
> the UI will still need to be "chrome" (trusted UI from the browser), but 
> allow some presentation control as well. Personally, I'm not comfortable 
> giving users security cues of that sort with the existing schemes, so I 
> think an authentication scheme that satisfies most of the requirements 
> in the Hartman draft is a prerequisite.
> 
> The technical details of the 401 response won't be too difficult, but 
> figuring out the right level of presentation control for site authors 
> will probably require a good deal of research and experimentation.

I do agree with the latter, and therefore I disagree with what you said before.

Trying to do everything at the same time may lead to nothing at all being 
done in the end. Thus the experiments around enhancing browsers 
with respect to 401 and login forms should start as soon as possible.

Best regards, Julian

Received on Tuesday, 19 June 2007 08:41:11 UTC