- From: Nathan <nathan@webr3.org>
- Date: Thu, 03 Feb 2011 19:03:55 +0000
- To: Tim <tim-research@sentinelchicken.org>
- CC: public-webapps@w3.org

Tim,

Probably worth noting that HTTP+TLS with client side certificates already works over XHR, when the request for a cert comes in the browsers handle it in the usual way.

That said, this would be /very/ useful, in fact we were just discussing this today, where I too mentioned TLS and SRP together with other forms of authentication, and that moving to TLS Extension support would probably be wise in the long term.

see: http://krijnhoetmer.nl/irc-logs/whatwg/20110203#l-870 through to 14:51 for context

Thanks for raising this,

Nathan

Tim wrote:
> Anne, others,
>
> Do you have any opinions on this?
>
> There have recently been some good discussions around HTTP
> authentication on IETF mailing lists, and I think having some
> flexibility here would be useful in the long run.
>
> tim
>
>
>
> On Thu, Jan 06, 2011 at 08:50:00AM -0800, Tim wrote:
>> Hello,
>>
>> It occurred to me recently that the way in which the current draft
>> XMLHttpRequest standard is written could be extended to allow for
>> other forms of authentication at lower layers. In particular, it
>> should be possible to allow for the use of pre-shared key
>> authentication (RFC 4279) or for SRP/TLS based on the credentials
>> provided in the open() method. For password-based systems in TLS,
>> it should be a simple matter to just *allow* for such behavior, but
>> not necessarily define it in detail.
>>
>> However, it does sort of open the door for more complex authentication
>> schemes at lower layers, including certificate authentication and the
>> like. Perhaps optional parameters of some sort would be needed to
>> support this.
>>
>> What do you think?
>> tim

Received on Thursday, 3 February 2011 19:05:01 UTC