RE: Basic Authentication - what do we have?

This is server-side or application processing; is this out?

Recommendation

HTTP Basic Authentication - Basic Authentication passes credentials (ID/PW)
in the HTTP header in clear text. This form of authentication requires
additional security services to be considered secure. Options to secure HTTP
Basic Authentication include HTTPS (SSL/TLS) and use of VPN technology.

Bill
wdoyle@mitre.org
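Bill's point above is easy to verify by hand. The Python script below is an added example (it is not part of this thread or of any working-group deliverable): it builds and parses an `Authorization: Basic` header to show that the credential is only Base64-encoded, not protected, and it flags a request that would carry that header over plain http. The host name and the user/password pair are constructed sample values.

```python
import base64
import binascii
from urllib.parse import urlsplit


def build_basic_authorization(user, password):
    """Encode a user-id/password pair the way Basic auth does (RFC 7617):
    Base64 of 'user:password'. Base64 is an encoding, not encryption, so the
    header value is clear text to anyone who can read the HTTP request."""
    if ":" in user:
        raise ValueError("user-id may not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header_value):
    """Recover (user, password) from an Authorization header value, or return
    None when the value is not a well-formed Basic credential."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def assess_basic_auth_request(url, headers):
    """Defender's check: Basic credentials are acceptable only on a transport
    that protects them (HTTPS here; a VPN would be checked elsewhere).
    Returns a list of findings; an empty list means nothing was flagged."""
    findings = []
    auth = headers.get("Authorization")
    if auth is None:
        return findings
    creds = parse_basic_authorization(auth)
    if creds is None:
        return findings  # Digest, Negotiate, etc. are not assessed here
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        findings.append(
            f"Basic credentials for user '{creds[0]}' sent over {scheme!r}; "
            "anyone on the network path can read the password"
        )
    return findings


# Constructed sample request (not a real account) so the module runs offline.
SAMPLE_HEADERS = {
    "Host": "login.example.com",
    "Authorization": build_basic_authorization("alice", "s3cret"),
}

if __name__ == "__main__":
    print(SAMPLE_HEADERS["Authorization"])                      # Basic YWxpY2U6czNjcmV0
    print(parse_basic_authorization(SAMPLE_HEADERS["Authorization"]))
    print(assess_basic_auth_request("http://login.example.com/", SAMPLE_HEADERS))
    print(assess_basic_auth_request("https://login.example.com/", SAMPLE_HEADERS))
```

The same header value is flagged or not depending purely on the URL scheme; the credential itself is identical in both cases, which is the point of the recommendation.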




-----Original Message-----
From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On Behalf Of Yngve Nysaeter
Pettersen
Sent: Monday, June 25, 2007 10:55 AM
To: Mary Ellen Zurko; public-wsc-wg@w3.org
Subject: Re: Basic Authentication - what do we have?


On Mon, 25 Jun 2007 15:17:29 +0200, Mary Ellen Zurko
<Mary_Ellen_Zurko@notesdev.ibm.com> wrote:

> What do we have in our set of proposals that addresses trust decisions
> posed by Basic Authentication? The realm information (within the modal
> dialog in the browser I use) is set by the web site. The browser I use
> puts the domain in the title bar. When I have the resolution on my
> display cranked down to increase the size of everything (something I do
> more and more these days), the most pertinent part of the domain is
> truncated from the right hand side of the dialog's title display. I very
> much want to know that the domain ends in "ibm.com" when I think I'm
> typing in my IBM password. What, if anything, do we have in our
> proposals that addresses this?

I don't recall having seen anything about this, at least not any major
discussion.

I think a discussion of this should not be limited to Basic, but should
include the other methods, such as Digest and NTLM/Negotiate, as well.

Opera displays the servername as a field inside the dialog, as well as the
realm, which is presented as a message from the server.

We are currently considering what we display in this dialog and how it is
displayed, from both a usability and a security point of view.

Parts of what is being considered are:

  - How to present the security of the credential transmission

  - How to present the identity (at least the hostname) of who is asking
    for the credentials in a usable manner. This is a problem that is not
    restricted to authentication, but extends to such areas as the display
    of the URL in the address bar and determining if two servers are
    allowed to share cookies. See references below for some discussion and
    background on that.


  http://my.opera.com/yngve/blog/show.dml/267415
  http://weblogs.mozillazine.org/gerv/archives/2007/01/effective_tld_list_help_wanted.html
  http://wiki.mozilla.org/Gecko:Effective_TLD_Service



-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		                 Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
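Mary Ellen's complaint (the end of the domain is the part that matters, and it is the part that gets cut off) and Yngve's effective-TLD references together suggest what a credential dialog should show. The Python below is an added illustration written for this archive, not Opera's or Mozilla's code: it uses a small, constructed list of public suffixes (a real implementation would load the effective TLD list linked above), derives the registrable domain of the requesting host, and contrasts naive right-truncation of a title with a display that never drops that domain. The host `www.notesdev.ibm.com` is a constructed sample based on the mail domain in the thread.

```python
# Constructed public-suffix sample; the real effective TLD list is far longer.
# Entries are suffixes under which unrelated parties can register names, so
# the label immediately to their left is the part that identifies the site.
SAMPLE_PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "ac.uk"}


def registrable_domain(host, suffixes=SAMPLE_PUBLIC_SUFFIXES):
    """Return the effective TLD plus one label for host, e.g.
    www.notesdev.ibm.com -> ibm.com and login.example.co.uk -> example.co.uk.
    Returns None when host is itself a public suffix or has no known suffix."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest suffix first so that "co.uk" wins over "uk".
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in suffixes:
            return ".".join(labels[-(n + 1):])
    return None


def truncate_right(text, width):
    """What a title bar typically does: keep the left part, drop the right,
    which is exactly the part the user needs to see."""
    if len(text) <= width:
        return text
    return text[: width - 1] + "…"


def identity_for_dialog(host, width, suffixes=SAMPLE_PUBLIC_SUFFIXES):
    """Fit host into width characters without ever losing the registrable
    domain: drop whole labels from the LEFT and mark the elision. If even the
    registrable domain is wider than width it is still shown in full."""
    if len(host) <= width:
        return host
    reg = registrable_domain(host, suffixes) or host
    labels = host.split(".")
    reg_labels = reg.count(".") + 1
    keep = reg
    # Add labels back one at a time from the right while they still fit
    # (the leading ellipsis costs one character).
    for i in range(len(labels) - reg_labels - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if len(candidate) + 1 > width:
            break
        keep = candidate
    return "…" + keep


if __name__ == "__main__":
    host = "www.notesdev.ibm.com"   # constructed sample host
    for width in (12, 19, 20):
        print(width, truncate_right(host, width), identity_for_dialog(host, width))
```

At a width of 12 the naive title reads `www.notesde…`, which says nothing about who is asking; the registrable-domain form reads `…ibm.com`, which is precisely the assurance the quoted message asks for.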

Received on Monday, 25 June 2007 16:49:13 UTC