Re: [saag] [apps-discuss] [websec] [kitten] HTTP authentication: the next generation

--On Friday, December 17, 2010 6:18 PM +1300 Peter Gutmann
<pgut001@cs.auckland.ac.nz> wrote:

> John C Klensin <john-ietf@jck.com> writes:
> 
>> We could round up a collection of UI experts to look at some
>> of these things and have them shake their heads and say
>> "royal mess you have gotten yourselves into".
> 
> The problem isn't that UI experts haven't looked at this,
> there have been a large number of papers published on this
> problem over the last decade or so, it's that it's proven
> pretty much impossible to get any action taken over it.  The
> browser approach is "PKI isn't working, so we'll respond with
> even more PKI (EV certs) while stridently ignoring any
> workable alternatives (TLS-SRP and -PSK)", and there's no
> sign that this will ever change.  There simply isn't a hammer
> big enough to force a change here (or, if there is, no-one's
> managed to identify it yet).

I perhaps should have said "...yet another collection of UI
experts..." and "shake their heads again...".

But I don't think we disagree: from my point of view, you are
just describing some aspects of what I tried to summarize as
"royal mess".  I do think there is at least one big enough
hammer, although I'm not predicting we will get there soon and
really don't like seeing protocols designed by a sequence of
disaster, legal action, and legislation.  And I am not, for the
record, offering an opinion as to whether the approaches you
suggest are workable and/or the right answers.

   john

Received on Friday, 17 December 2010 11:11:50 UTC