- From: Henrik Nordstrom <henrik@henriknordstrom.net>
- Date: Tue, 19 Jun 2007 15:42:25 +0200
- To: Robert Sayre <rsayre@mozilla.com>
- Cc: ietf-http-wg@w3.org
- Message-Id: <1182260545.31612.57.camel@henriknordstrom.net>
On Tue 2007-06-19 at 01:14 +0000, Robert Sayre wrote:

> I don't think it's worth implementing something like that for Basic or
> Digest, given the known weaknesses they have. To make this effective,
> the UI will still need to be "chrome" (trusted UI from the browser), but
> allow some presentation control as well. Personally, I'm not comfortable
> giving users security cues of that sort with the existing schemes, so I
> think an authentication scheme that satisfies most of the requirements
> in the Hartman draft is a prerequisite.

Kerberos Negotiate also has the same presentation problem. It's a generic UI problem, quite independent from the actual authentication scheme, but it needs to support multiple schemes. And as you say, figuring out the right level of control requires a bit of research.

If this is not started until there is a strong authentication scheme available, it will take even longer, and additionally considerably fewer people will be interested in seeing the task of finding a better authentication scheme move forward.

The current set of at least 4 schemes (Basic, Digest, NTLM, Negotiate) is more than sufficient as a test bed to figure out the correct UI requirements, including the ability to inform the user about the technical strength of each. So even without a stronger authentication scheme being available right now, there is a lot to benefit from.

Regards
Henrik
Received on Tuesday, 19 June 2007 13:42:39 UTC