Re: HTTP Authentication Integration from Bjoern Hoehrmann on 2004-04-01 (www-forms-editor@w3.org from April 2004)

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Thu, 01 Apr 2004 18:32:34 +0200
To: "John Boyer" <JBoyer@PureEdge.com>
Cc: <www-forms-editor@w3.org>
Message-ID: <406f3344.1629991974@smtp.bjoern.hoehrmann.de>

* John Boyer wrote:
>the general consensus appeared to be that the problem would be solved
>by the user agent rather than by the form.  As a result, the issue was
>not recorded as a requirement on XForms.

I do not understand how a user agent could solve this problem. A login
form such as found on http://login.yahoo.com/ clearly is a form. If I
want a user agent to use the information provided by the user through
such a form for HTTP's Authentication mechanisms, I would need to tell
it to do so. If XHTML 2.0 does not provide such means, expecting user
agents to solve this essentially means that the XForms WG expects user
agent developers to develop proprietary solutions.

XForms claims to be "the next generation of forms for the Web" and
login facilities are one of the most common forms applications on the
web. Since the web is essentially based on HTTP and HTTP already
provides an authentication back-end, extending web forms to provide a
usable front-end for the existing means makes most sense to me. And it
seems that I am not the only one, the XForms WG lists such a feature in
the XForms Requirements http://www.w3.org/TR/xhtml-forms-req for future
consideration and W3C received proposals on this matter long before the
XForms WG was formed, e.g. <http://www.w3.org/TR/NOTE-authentform>.

As the latter document correctly points out, HTTP authentication
provides poor user experience. If web developers want to work around
the usability problems of HTTP Authentication they need to resort to
different means for authentication. Without much success in practise,
since alternatives typically provide poor user experience too, just
in different areas. In fact, most of these workarounds are a complete
mess.

Developers want to use HTTP Authentication; their most common questions
in this regard are how to integrate the relevant form into their web
site (if only to provide a "lost password" link) and how to provide
means for the user to logout. Both is currently not really possible.
I am certain there is room for improvement here and XForms seems to be
the technology for a solution. Since you disagree, please explain why
you consider this out of scope or, if it is not considered out of scope,
please cite technical arguments against incorporating such functionality
into the next version of XForms.

Telling me that user agents will solve this is not acceptable, the
problem persists for many years without any user agent based solution
and as I have pointed out, any solution I can think of involves
proprietary extensions or alternatives to existing standards which is
not desirable.

regards.

Received on Thursday, 1 April 2004 11:33:05 UTC