Arian, Sorry for the slow reply. I'm overseas right now and it's tough to keep up with email. I think this thread might be about dead, but I will respond to a few comments: > All good ideas, but I believe stillborn at this point. You would get > far more mileage IMO out of promoting "HTTP 2.0" and issuing in a > separate data and control channel for the browser, and then look at > something like this for dynamic auth tokens, combined with data > structure nonces as well. Kill two birds with one stone. Folks that > want strong dynamic auth are probably largely the same folks who want > strong data structures enforced. Far too often security initiatives fail to gain any momentum because they bite of far more than they can chew. I'd love to redesign digest authentication, for instance, or push for good browser support of some truly safe HTTP authentication protocols, but that would be much more likely to fail. I see this as a relatively easy fix to open up a new option in web app development. > As more and more app development moves to hardware platforms > (iAppleStuffs) and social media aka Ad-metadata networks (Facebook, > Google *.google.com apps, webmail, etc.) cookies are an easy and > transparent way to fly, that work now, all the time, and have clear > business drivers behind them for auth tracking (and working now, all > the time). > > Many modern web 2.0 products use cookies for auth = tracking, not auth > = confidentiality. I never said cookies should go away. I merely want cookies to stop being used for managing authenticated sessions in most applications. Some applications may still require that flexibility, however, and for those they can be more carefully audited. > The majority of internet users use modern apps where auth = "identity > tracking and sharing", and statistics support this. > > These same users will readily glue their private, regulated, banking > apps together with Farmville in some mad web 2.0 gadget-ridden mashup, > that is cross-domain shared and scripted by default. Which is one area > cookies rule. Well, sure, they do currently rule. There's no reason HTTP authentication can't be used to authenticate a cross-origin unified identity. > I'm going to drop out of this thread as we are at a point where we > disagree on premise, and possibly ideology. I'm fine to agree on disagreeing as well. Cheers, tim
