- From: Yutaka OIWA <y.oiwa@aist.go.jp>
- Date: Sat, 14 Jul 2012 00:01:35 +0900
- To: Daniel Stenberg <daniel@haxx.se>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>, libcurl hacking <curl-library@cool.haxx.se>
Dear Daniel,
2012/7/13 Daniel Stenberg <daniel@haxx.se>:
> HTTP AUTH
>
> curl currently supports Basic, Digest, NTLM and Negotiate for both host and
> proxy.
>
> Similar to the HTTP protocol, we intend to support any widely adopted
> authentication protocols. The HOBA, SCRAM and Mutual auth suggestions all
> seem perfectly doable and fine in my perspective.
Great, too.
> However, if there's no proper logout mechanism provided for HTTP auth I
> don't forsee any particular desire from browser vendor or web site creators
> to use any of these just like they don't use the older ones either to any
> significant extent. And for automatic (non-browser) uses only, I'm not sure
> there's motivation enough to add new auth protocols to HTTP as at least
> historically we seem to rarely be able to pull anything through that isn't
> pushed for by at least one of the major browsers.
I agree that lack of logon control features is one of critical issues
for deploying http authentication to World Wide Web systems.
In my set of proposals, the problem is addressed in the
separate draft called draft-oiwa-httpbis-auth-extension-00.
It may be not directly related to your project, but if you have any
feedback or a comment about the protocol design of that draft,
it will be greatly appreciated.
Regards,
Yutaka
--
Yutaka OIWA, Ph.D. Leader, Software Reliability Research Group
Research Institute for Secure Systems (RISEC)
National Institute of Advanced Industrial Science and Technology (AIST)
Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]
Received on Friday, 13 July 2012 15:02:28 UTC