- From: Albert Lunde <atlunde@panix.com>
- Date: Wed, 22 Feb 2012 10:32:19 -0600
- To: ietf-http-wg@w3.org
- CC: Julian Reschke <julian.reschke@gmx.de>, iesg@ietf.org, ietf-http-wg@w3.org, IETF-Discussion <ietf@ietf.org>
It seems like what would be useful would be a way of bringing in trusted third-parties into authentication that didn't look like a man-in-the-middle attack, and didn't rely on JavaScript.

SAML "federation" (e.g. Shibboleth) is layered on top of HTML+HTTP, but it, and most of the other existing WebSSO systems, rely on JavaScript tricks somewhere in their process. Trusted third parties are presently more the domain of certificates or Kerberos, than HTTP as such.

SASL is another framework for layering authentication onto protocols, that's been worked on considerably. But I don't know if it can meet the needs of the browser-based market now being served by forms+cookies+JavaScript.

Finding a single authentication/authorization framework that serves the needs of both browser and non-browser clients is hard.

Scott Cantor has written a lot about why global logout for Shibboleth is hard to implement. Part of that may rest on the underlying legacy mechanisms they are using, but it's also a communication problem. Having a local logout that really meant "stop sending cookies and credentials for realm X to these servers" and/or authentication realms that spanned servers might help, I don't know.

--
Albert Lunde
albert-lunde@northwestern.edu
atlunde@panix.com (address for personal mail)
Received on Wednesday, 22 February 2012 16:32:53 UTC