- From: Henrik Nordström <henrik@henriknordstrom.net>
- Date: Wed, 29 Feb 2012 21:11:00 +0100
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, IETF-Discussion <ietf@ietf.org>, "Roy T. Fielding" <fielding@gbiv.com>, Paul Hoffman <paul.hoffman@vpnc.org>, Mark Nottingham <mnot@mnot.net>, Tim Bray <tbray@textuality.com>, The IESG <iesg@ietf.org>, ietf-http-wg@w3.org
Sat 2012-02-25 at 19:23 +0100, Julian Reschke wrote:

> Well, I'm one of the editors of the authentication framework spec, so if
> there's something wrong with it, I'd like to know.

Only the thing said earlier:

- Define how servers may influence the visible appearance of the login action
- Perhaps some way of triggering a logout.

> So if we collectively think that the framework probably is ok, and that
> we *do* need a new authentication scheme, what's stopping us to start
> that activity *right now*?

Nothing. A cleaned up HTTP Digest with less fancy bells no one implements correctly and stronger methods would do nicely at improving the raw security side of things. But at the same time it alone does solve the reasons why HTTP Digest is not widely used today which is or any of the newer use cases with auth delegation via trusted third parties.

A very interesting thought is to look into how for example Kerberos could be implemented as a first class HTTP Auth citizen without violating HTTP messaging semantics. Is there anything needed at the framework side for making that work right?

Regards
Henrik
Received on Wednesday, 29 February 2012 20:11:36 UTC