>>>>> "Hallam-Baker," == Hallam-Baker, Phillip <pbaker@xxxxxxxxxxxx> writes:

    >> From: Harald Alvestrand [mailto:harald@xxxxxxxxxxxxx]
    >> > I don't disagree. The IETF might first try to design an
    >> > authentication feature worth requiring. None of the current
    >> > options are at all satisfactory.
    >>
    >> In fact TLS + HTTP Basic Auth is pretty interoperable, secure
    >> against quite a few attacks, and widely deployed.
    >>
    >> The requirements needed to be "satisfactory" depend very much
    >> on your viewpoint; last week I talked to the guy who
    >> implemented Freenigma (PGP for web mailers,
    >> http://www.freenigma.com), and he commented that "this will
    >> never get past the security gurus in the IETF because it's so
    >> simple, people might actually use it".
    >>
    >> That says something frightening about the kind of impression we
    >> give to people who work on making usable security. "Usable"
    >> needs to be an important component of "satisfactory".

    Hallam-Baker,> I think the question starts with a false premise,
    Hallam-Baker,> that the security layer should be in HTTP. Since
    Hallam-Baker,> HTTP is the new IP this makes no more sense than
    Hallam-Baker,> having authentication at the IPSEC layer.

For what it's worth, I think there need to be components both at the
HTTP and HTML layers.

You want the binding to TLS at the HTTP layer for a number of reasons,
including support for DAV, ATOM and other situations where there is no
HTML. It's also easier to bind across one layer than two. Finally,
HTML limits you to one round trip. Sometimes that's undesirable.

However, I think you want the UI, and in the HTML case the
specification of what authentication mechanisms to use, to be done in
HTML.

--Sam

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
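The thread above contrasts HTTP-layer authentication (TLS + HTTP Basic Auth, with its 401 challenge round trip) against HTML form login. The following Python snippet is an added example, not code from the thread or from any of the participants: it implements both sides of HTTP Basic (RFC 7617), the 401/WWW-Authenticate challenge that only the HTTP layer can issue, and the check that the request actually arrived over TLS, since Basic sends the password base64-encoded rather than encrypted and TLS is the only thing protecting it. The credential table, the realm name and the use of 426 Upgrade Required (RFC 2817) to refuse plaintext requests are my assumptions for illustration.

```python
"""HTTP Basic authentication (RFC 7617), server and client side.

Added example, not part of the IETF thread. The credential table,
realm and the 426 response for plaintext requests are constructed
assumptions for illustration.
"""
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample credential store: user-id -> password.
# A real deployment stores a salted password hash, never the password.
USERS: Dict[str, str] = {"alice": "correct horse battery staple"}

REALM = "example"  # assumed realm name


def basic_header(user: str, password: str) -> str:
    """Client side: build the Authorization header a browser would send.
    Note that base64 is an encoding, not encryption: anyone who sees
    this header recovers the password with parse_basic() below."""
    if ":" in user:
        raise ValueError("user-id may not contain a colon (RFC 7617 s.2)")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: return (user, password) from an Authorization header,
    or None if the header is absent, not Basic, or malformed."""
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    # Only the first colon separates user-id and password; the password
    # itself may contain colons (RFC 7617 s.2).
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def credentials_ok(user: str, password: str) -> bool:
    """Constant-time comparison against the stored secret."""
    expected = USERS.get(user, "")
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


def challenge() -> Tuple[int, Dict[str, str]]:
    """The HTTP-layer challenge. This is the extra round trip the thread
    mentions: the client retries with credentials after seeing the 401,
    and no HTML is involved, so DAV or Atom clients can use it too."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}


def handle(headers: Dict[str, str], is_tls: bool) -> Tuple[int, Dict[str, str]]:
    """Authenticate one request, returning (status, response headers).

    Over plaintext we refuse to even challenge, because a challenge would
    invite the client to send the password in the clear. 426 Upgrade
    Required (RFC 2817) is the assumed way to say so at the HTTP layer."""
    if not is_tls:
        return 426, {"Upgrade": "TLS/1.0, HTTP/1.1", "Connection": "Upgrade"}
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return challenge()
    user, password = creds
    if not credentials_ok(user, password):
        return challenge()
    return 200, {}


if __name__ == "__main__":
    hdr = basic_header("alice", "correct horse battery staple")
    print("client sends:", hdr)
    print("observer decodes:", parse_basic(hdr))
    print("plaintext request:", handle({"Authorization": hdr}, is_tls=False))
    print("no credentials:", handle({}, is_tls=True))
    print("good credentials:", handle({"Authorization": hdr}, is_tls=True))
```

Running the block shows the full exchange: the client header, what an on-path observer trivially decodes from it, the 426 refusal on a plaintext connection, the 401 challenge when credentials are missing, and 200 once they are supplied over TLS. The header built for "Aladdin" / "open sesame" matches the example in RFC 7617.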