> From: Harald Alvestrand [mailto:harald@xxxxxxxxxxxxx] > > I don't disagree. The IETF might first try to design an > authentication > > feature worth requiring. None of the current options are at all > > satisfactory. > > In fact TLS + HTTP Basic Auth is pretty interoperable, secure > against quite a few attacks, and widely deployed. > > The requirements needed to be "satisfactory" depend very much > on your viewpoint; last week I talked to the guy who > implemented Freenigma (PGP for web mailers, > http://www.freenigma.com), and he commented that "this will > never get past the security gurus in the IETF because it's so > simple, people might actually use it". > > That says something frightening about the kind of impression > we give to people who work on making usable security. > "Usable" needs to be an important component of "satisfactory". I think the question starts with a false premise, that the security layer should be in HTTP. Since HTTP is the new IP this makes no more sense than having authentication at the IPSEC layer. The place for the authentication layer is actually HTML and that is out of scope. Moreover there has to be deep level support in the O/S if the authentication layer is going to be robust. If we take the traditional IETF view of security perfectionism then the only answer on the table is the WS-* based identity metasystem, CardSpace, Higgins etc running on top of trustworthy hardware. If we take a more pragmatic view (I hope we do) then we accept that we have to have something else on tap that we can use now, OpenID has a lot to offer. Regardless of which view we take it is clear that it would be most beneficial if the two approaches were to meet in the middle. Starting the tunnel at both ends at once only save time if the two tunnels actually meet up. >From a security point of view it is clear to me that neither approach has any bearing on HTTP. Or rather to the extend that it does the bearing is minimal. So I don't see any real purpose in delaying the advance of HTTP to full standard. _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf