- From: Amir Herzberg <herzbea@macs.biu.ac.il>
- Date: Tue, 22 Aug 2006 17:26:02 +0300
- To: "Linn, John" <jlinn@rsasecurity.com>
- CC: Thomas Roessler <tlr@w3.org>, public-usable-authentication@w3.org
Linn, John wrote:
> Re the "Form Annotations for HTTP Authentication" draft charter, would
> there be interest in generalizing the scope so as also to encompass
> structural and tagging facilities for authentication-related information
> sent in the reverse direction, from UAs to servers? This may not be
> necessary for a usage mode where a server-UA request triggers the UA to
> initiate a protocol-level HTTP authentication transaction (and where
> that protocol would likely have its own means to represent parameters),
> but could serve to discriminate among different protected (e.g., hashed
> and/or encrypted) credential representations that UAs could transfer
> within POSTs and to carry their associated parameters. As such, this
> could provide a useful vehicle to incorporate enhanced capabilities
> within the common POST-based paradigm.
>

Sorry for my late response (having been away)... but I haven't seen a response to John's comment/suggestion above - and would like to second it.

Furthermore, I would like to propose that we also consider form annotations for authentication of the page contents (from server to client). Inclusion of a digital signature on the page contents could be very effective for several goals, and sometimes preferable to the usage of SSL/TLS, for performance but also for other considerations.

Yes, this is `the return of the SHTTP`, if you like - I believe, the time is now right, and we also have the tools now (XML DSIG etc.) to make this a very reasonable effort.

Best, Amir

> --jl
>
> -----Original Message-----
> From: public-usable-authentication-request@w3.org
> [mailto:public-usable-authentication-request@w3.org] On Behalf Of Thomas
> Roessler
> Sent: Monday, August 07, 2006 12:39 PM
> To: public-usable-authentication@w3.org
> Subject: Updated charters, with tentative time line
>
>
> Hello,
>
> I've taken another stab at the scope and deliverable sections
> of the charter drafts, and added tentative time lines to these.
>
> http://www.w3.org/2005/Security/wsc-charter
> http://www.w3.org/2005/Security/htmlauth-charter
>
> For the security context information baseline group, I've tried
> to introduce a clearer partition between the question what to
> display (and how to do it nicely), and techniques to make that
> kind of display more robust against spoofing. (Thanks to Jeff
> Nelson (Google) for his suggestions.)
>
> The form annotations project has seen some general clean-up.
>
> The time line (identical for both groups at this point) is
> essentially the usual 3-month heartbeat requirement for public
> working drafts, with two public WDs before last call. A call
> for participation is assumed to go out in October, and an
> initial face-to-face meeting (for both groups; hopefully, we
> can find a way to co-locate these) is assumed for the week of
> 13 November.
>
>
> Caveat emptor: Please note that, at this
> point, these dates are working hypotheses!
>
>
> Comments would, as always, be useful,
>
Received on Tuesday, 22 August 2006 14:28:35 UTC