Re: [XHR] open method extension for TLS authentication

Tim,

Probably worth noting that HTTP+TLS with client side certificates 
already works over XHR, when the request for a cert comes in the 
browsers handle it in the usual way.

That said, this would be /very/ useful, in fact we were just discussing 
this today, where I too mentioned TLS and SRP together with other forms 
of authentication, and that moving to TLS Extension support would 
probably be wise in the long term.

see: http://krijnhoetmer.nl/irc-logs/whatwg/20110203#l-870
  through to 14:51 for context

Thanks for raising this,

Nathan

Tim wrote:
> Anne, others,
> 
> Do you have any opinions on this?
> 
> There have recently been some good discussions around HTTP
> authentication on IETF mailing lists, and I think having some
> flexibility here would be useful in the long run.
> 
> tim
> 
> 
> 
> On Thu, Jan 06, 2011 at 08:50:00AM -0800, Tim wrote:
>> Hello,
>>
>> It occurred to me recently that the way in which the current draft
>> XMLHttpRequest standard is written could be extended to allow for
>> other forms of authentication at lower layers.  In particular, it
>> should be possible to allow for the use of pre-shared key
>> authentication (RFC 4279) or for SRP/TLS based on the credentials
>> provided in the open() method.  For password-based systems in TLS,
>> it should be a simple matter to just *allow* for such behavior, but
>> not necessarily define it in detail.
>>
>> However, it does sort of open the door for more complex authentication
>> schemes at lower layers, including certificate authentication and the
>> like.  Perhaps optional parameters of some sort would be needed to
>> support this.
>>
>> What do you think?
>> tim
> 
> 
> 

Received on Thursday, 3 February 2011 19:05:01 UTC