RE: Basic Authentication - what do we have?

The PII bar proposal covers this case. The scenario should unfold
exactly as is documented here:

http://www.w3.org/2006/WSC/drafts/rec/#piieditor-usecases-plain

The PII bar proposal is independent of the content-type and so should
work just fine with HTTP auth dialogs.
 
Tyler


________________________________

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
Sent: Wednesday, June 27, 2007 2:12 PM
To: Doyle, Bill
Cc: public-wsc-wg@w3.org
Subject: RE: Basic Authentication - what do we have?
	
	

I'm getting the feeling I didn't make the issue I was grappling with clear. It's the Identity issue, not the Protocol Protection issue.

I'm in a modal dialog asking me for a password. How do I know the identity of the site asking me? Particularly when the bits of the URL I care about are truncated off the right hand side of the title bar? (though I don't think a typical user should be expected to parse URLs for identity information).

Where in our proposals do we address that?

          Mez
	
	
	
	
	
"Doyle, Bill" <wdoyle@mitre.org>

06/26/2007 09:56 AM

To: "Anil Saldhana" <Anil.Saldhana@redhat.com>, <yngve@opera.com>
cc: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, <public-wsc-wg@w3.org>
Subject: RE: Basic Authentication - what do we have?
	




When used in conjunction with HTTPs, basic authentication is fine and accepted. May even get medium robustness certification in the DoD when used with FIPS 140-2 compliant TLS cipher, but I would have to check that.

NTLM has known issues; didn't think it was used beyond Microsoft platforms. Digests never really took hold and both were superseded by Kerberos V5.

Bill D.

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Anil Saldhana
Sent: Monday, June 25, 2007 3:10 PM
To: yngve@opera.com
Cc: Mary Ellen Zurko; public-wsc-wg@w3.org
Subject: Re: Basic Authentication - what do we have?

I would not consider BASIC, DIGEST, NTLM as anywhere near secure.

Yngve Nysaeter Pettersen wrote:
>
> On Mon, 25 Jun 2007 15:17:29 +0200, Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:
>
>> What do we have in our set of proposals that addresses trust decisions posed by Basic Authentication? The realm information (within the modal dialog in the browser I use) is set by the web site. The browser I use puts the domain in the title bar. When I have the resolution on my display cranked down to increase the size of everything (something I do more and more these days), the most pertinent part of the domain is truncated from the right hand side of the dialog's title display. I very much want to know that the domain ends in "ibm.com" when I think I'm typing in my IBM password. What, if anything, do we have in our proposals that addresses this?
>
> I don't recall having seen anything about this, at least major discussion.
>
> I think a discussion of this should not be limited to Basic, but should include the other methods, such as Digest and NTLM/Negotiate, as well.
>
> Opera displays the servername as a field inside the dialog, as well as the realm, which is presented as a message from the server.
>
> We are currently considering what we display in this dialog and how it is displayed, from both a usability and a security point of view.
>
> Parts of what is being considered are:
>
>  - How to present the security of the credential transmission
>
>  - How to present the identity (at least the hostname) of who is asking for the credentials in a usable manner. This is a problem that is not restricted to authentication, but extends to such areas as the display of the URL in address bar and determining if two servers are allowed to share cookies. See references below for some discussion and background on that.
>
>
>  http://my.opera.com/yngve/blog/show.dml/267415
>
>  http://weblogs.mozillazine.org/gerv/archives/2007/01/effective_tld_list_help_wanted.html
>
>  http://wiki.mozilla.org/Gecko:Effective_TLD_Service
>
>
-- 
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/
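An added illustration of the display problem discussed in this thread (example code, not from any participant, Opera or any browser): it separates the realm, which is free text chosen by the server, from the hostname the browser itself knows, and contrasts right-hand truncation of the title bar with an identity line that keeps the registrable domain visible. EFFECTIVE_TLDS is a constructed three-entry stand-in for the effective-TLD list linked above; a real client would load the full list.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the effective-TLD (public suffix) list the thread
# links to; a browser would load the full list rather than this handful.
EFFECTIVE_TLDS = {"com", "org", "co.uk"}

REALM_RE = re.compile(r'realm\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_basic_challenge(header):
    """Return the realm from a 'Basic realm="..."' challenge, or None if the
    scheme is not Basic. The realm is free text chosen by the server."""
    if not header.strip().lower().startswith("basic"):
        return None
    match = REALM_RE.search(header)
    return match.group(1) if match else ""


def registrable_domain(host):
    """Effective TLD plus one label, e.g. 'ibm.com' for 'login.w3.ibm.com'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in EFFECTIVE_TLDS:
            return ".".join(labels[i:])
    return host  # unknown suffix: show everything rather than guess


def title_bar_truncate(host, width):
    """What the dialog in the thread does: cut from the right, losing the
    part of the name the user actually needs to check."""
    return host if len(host) <= width else host[:width - 1] + "…"


def identity_line(url, width):
    """Dialog identity text that keeps the registrable domain visible by
    eliding the left-hand labels instead of the right-hand ones."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    if len(host) <= width:
        return host
    shown = "…" + host[-(width - 1):]
    return shown if reg in shown else "…" + reg


def dialog_fields(url, header, width=12):
    """Keep the browser-known identity and the server-chosen realm apart."""
    return {"identity": identity_line(url, width),
            "server_message": parse_basic_challenge(header)}
```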
	
	
	
	
	

Received on Wednesday, 27 June 2007 21:48:44 UTC