- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Wed, 27 Jun 2007 17:26:09 -0400
- To: dan.schutzer@fstc.org
- Cc: public-wsc-wg@w3.org
- Message-ID: <OF11C7BBB4.7791CF2D-ON85257307.0075B40A-85257307.0075C027@LocalDomain>
How would it be available to me as SCI when I put in the password? Mez "Dan Schutzer" <dan.schutzer@fstc.org> Sent by: public-wsc-wg-request@w3.org 06/27/2007 05:17 PM To "'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>, "'Doyle, Bill'" <wdoyle@mitre.org> cc <public-wsc-wg@w3.org> Subject RE: Basic Authentication - what do we have? SBM has the site provide a signed digital hash of the url, IP address ? that will certainly nail the identity of the site you are asking for From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko Sent: Wednesday, June 27, 2007 5:12 PM To: Doyle, Bill Cc: public-wsc-wg@w3.org Subject: RE: Basic Authentication - what do we have? I'm getting the feeling I didn't make the issue I was grappling with clear. It's the Identity issue, not the Protocol Protection issue. I'm in a modal dialog asking me for a password. How do I know the identity of the site asking me? Particularly when the bits of the URL I care about are truncated off the right hand side of the title bar? (though I don't think a typical user should be expected to parse URLs for identity information). Where in our proposals do we address that? Mez "Doyle, Bill" <wdoyle@mitre.org> 06/26/2007 09:56 AM To "Anil Saldhana" <Anil.Saldhana@redhat.com>, <yngve@opera.com> cc "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, <public-wsc-wg@w3.org> Subject RE: Basic Authentication - what do we have? When used in conjunction with HTTPs, basic authentication is fine and accepted. May even get medium robustness certification in the DoD when used with FIPS 140-2 compliant TLS cipher, but I would have to check that. NTLM, has known issues, didn't think it was used beyond Microsoft platforms. Digests never really took hold and both were superseded by Kerberos V5. Bill D. -----Original Message----- From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Anil Saldhana Sent: Monday, June 25, 2007 3:10 PM To: yngve@opera.com Cc: Mary Ellen Zurko; public-wsc-wg@w3.org Subject: Re: Basic Authentication - what do we have? I would not consider BASIC, DIGEST, NTLM as anywhere near secure. Yngve Nysaeter Pettersen wrote: > > On Mon, 25 Jun 2007 15:17:29 +0200, Mary Ellen Zurko > <Mary_Ellen_Zurko@notesdev.ibm.com> wrote: > >> What do we have in our set of proposals that addresses trust decisions >> posed by Basic Authentication? The realm information (within the modal >> dialog in the browser I use) is set by the web site. The browser I use >> puts the domain in the title bar. When I have the resolution on my >> display >> cranked down to increase the size of everything (something I do more and >> more these days), the most pertinent part of the domain is truncated >> from >> the right hand side of the dialog's title display. I very much want to >> know that the domain ends in "ibm.com" when I think I'm typing in my IBM >> password. What, if anything, do we have in our proposals that addresses >> this? > > I don't recall having seen anything about this, at least major > discussion. > > I think a discussion of this should not be limited to Basic, but > should include the other methods, such as Digest and NTLM/Negotiate, > as well. > > Opera displays the servername as a field inside the dialog, as well as > the realm, which is presented as a message from the server. > > We are currently considering what we display in this dialog and how it > is displayed, from both a usability and a security point of view. > > Parts of what is being considered are: > > - How to present the security of the credential transmission > > - How to present the identity (at least the hostname) of who is > asking for the credentials in a usable manner. This is a problem that > is not restricted to authentication, but extends to such areas as the > display of the URL in address bar and determining if two servers are > allowed to share cookies. See references below for some discussion and > background on that. > > > http://my.opera.com/yngve/blog/show.dml/267415 > http://weblogs.mozillazine.org/gerv/archives/2007/01/effective_tld_list _help_wanted.html > > http://wiki.mozilla.org/Gecko:Effective_TLD_Service > > > -- Anil Saldhana Project/Technical Lead, JBoss Security & Identity Management JBoss, A division of Red Hat Inc. http://labs.jboss.com/portal/jbosssecurity/
Received on Wednesday, 27 June 2007 21:26:21 UTC