Robert Sayre wrote:
> On 9/19/06, Russ Allbery <rra@xxxxxxxxxxxx> wrote:
>> Robert Sayre <sayrer@xxxxxxxxx> writes:
>>> Thankfully, the complete failure known as HTTP 1.1 would never make it
>>> to Proposed Standard under the unwritten process we have now. For
>>> example, it doesn't contain a mandatory, universally interoperable
>>> authentication feature.
>> That's right, it doesn't, and the lack of that feature is a first-rate
>> pain in the ass.
> I don't disagree. The IETF might first try to design an authentication
> feature worth requiring. None of the current options are at all
> satisfactory.
In fact TLS + HTTP Basic Auth is pretty interoperable, secure against
quite a few attacks, and widely deployed.
The requirements needed to be "satisfactory" depend very much on your
viewpoint; last week I talked to the guy who implemented Freenigma (PGP
for web mailers, http://www.freenigma.com), and he commented that "this
will never get past the security gurus in the IETF because it's so
simple, people might actually use it".
That says something frightening about the kind of impression we give to
people who work on making usable security. "Usable" needs to be an
important component of "satisfactory".
(He's quite aware of the obvious security defects of his scheme, btw.
It's a tradeoff.)
Harald
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf