- From: Tim <tim-projects@sentinelchicken.org>
- Date: Wed, 13 Jan 2010 08:43:58 -0800
- To: Robert Sayre <sayrer@gmail.com>
- Cc: ietf-http-wg@w3.org
Hello Robert,

> > I apologize in advance if this is not an appropriate place to ask
> > this question.
>
> Feel free to ask questions, but this group is not chartered to add
> features to HTTP authentication schemes. The charter is here:
>
> <http://www.ietf.org/dyn/wg/charter/httpbis-charter.html>

Yes, I understand. Sorry if you feel I've hijacked the list. Just couldn't find a better place to ask questions or solicit discussion. I merely wanted to make sure my understanding of the issues was firm before proposing changes to the security community. I hope to follow up with an RFC draft if it makes sense in the future.

> That would address one shortcoming of those schemes, but they both
> have more fundamental problems. See
>
> <http://tools.ietf.org/html/draft-ietf-httpbis-security-properties-03#section-2.2>

Yes, of course these cannot be considered secure on their own. However, for various reasons not mentioned in that document, I consider form+cookie authentication much worse than, say, the HTTP Digest scheme. (I will back this up with some arguments in the paper I mentioned I'm working on.) All would require something like TLS to be truly safe, but I think a better way forward (than continued reliance on cookies) is to make HTTP authentication viable again, to allow for better-designed, standardized authentication protocols.

Regards,
tim
Received on Wednesday, 13 January 2010 16:44:29 UTC
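The message above compares form+cookie login with the HTTP Digest scheme without showing either. The following is an added illustration, not code from the thread or from any IETF draft: a minimal RFC 2617 Digest exchange (qop=auth) with both the client side and a server-side verifier, using constructed credentials and nonces. The `DigestServer` class, `client_authorization` helper and `run_exchange` driver are hypothetical names chosen for this example. It shows the one property the poster's comparison turns on: the Digest `Authorization` header carries a hash bound to a server nonce rather than the password itself, and a server that tracks the nonce count can refuse a replayed header, whereas a form POST body (`username=alice&password=s3cret`) carries the password verbatim and a stolen cookie replays indefinitely. None of this removes the need for TLS; the hashing is unsalted MD5 over a low-entropy secret and the exchange still needs a confidential, authenticated channel.

```python
"""Added example: HTTP Digest (RFC 2617, qop=auth) exchange, both sides.
All credentials, realms and nonces below are constructed for illustration."""
import hashlib
import hmac
import re
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """request-digest = KD(H(A1), nonce:nc:cnonce:qop:H(A2)), RFC 2617 section 3.2.2.1."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest(header: str) -> dict:
    """Parse the comma-separated key=value list after the 'Digest ' scheme token."""
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', header[len("Digest "):]):
        fields[key] = quoted if quoted else bare
    return fields


class DigestServer:
    """Hypothetical minimal verifier (not a real server's code)."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users        # username -> password; a real server stores H(A1) instead
        self.nonces = {}          # nonce -> highest nonce-count accepted (replay tracking)

    def challenge(self) -> str:
        """Build the WWW-Authenticate value with a fresh unpredictable nonce."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'

    def verify(self, method: str, authorization: str) -> bool:
        if not authorization.startswith("Digest "):
            return False
        p = parse_digest(authorization)
        required = {"username", "realm", "nonce", "uri", "response", "nc", "cnonce", "qop"}
        if not required <= p.keys() or p["qop"] != "auth" or p["realm"] != self.realm:
            return False
        if p["nonce"] not in self.nonces:           # nonce we never issued (or expired)
            return False
        nc = int(p["nc"], 16)
        if nc <= self.nonces[p["nonce"]]:           # same or older nc: a replayed header
            return False
        password = self.users.get(p["username"])
        if password is None:
            return False
        expected = digest_response(p["username"], password, self.realm, method,
                                   p["uri"], p["nonce"], p["nc"], p["cnonce"], p["qop"])
        if not hmac.compare_digest(expected, p["response"]):
            return False
        self.nonces[p["nonce"]] = nc
        return True


def client_authorization(challenge, username, password, method, uri, nc="00000001"):
    """Build the Authorization header a client sends in reply to a challenge."""
    c = parse_digest(challenge)
    cnonce = secrets.token_hex(8)
    resp = digest_response(username, password, c["realm"], method, uri, c["nonce"], nc, cnonce)
    return (f'Digest username="{username}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def run_exchange():
    """Challenge, authenticate, then replay the same header. Returns
    (first accepted, replay accepted, password visible in header)."""
    server = DigestServer("example.org", {"alice": "s3cret"})   # constructed user
    www_authenticate = server.challenge()
    authorization = client_authorization(www_authenticate, "alice", "s3cret", "GET", "/private")
    first = server.verify("GET", authorization)
    replay = server.verify("GET", authorization)   # same nonce and nc: rejected
    # Compare with a form login, whose body is literally "username=alice&password=s3cret".
    return first, replay, "s3cret" in authorization


if __name__ == "__main__":
    print(run_exchange())
```

`run_exchange()` returns `(True, False, False)`: the first header verifies, the replayed header is refused, and the password string never appears on the wire. The RFC 2617 section 3.5 worked example ("Mufasa" / "Circle Of Life") reproduces with `digest_response` as well, which is a handy check that an implementation computes H(A1) and H(A2) in the right order.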