It seems like what would be useful would be a way of bringing trusted
third parties into authentication that didn't look like a
man-in-the-middle attack, and didn't rely on JavaScript.
SAML "federation" (e.g. Shibboleth) is layered on top of HTML+HTTP,
but it, and most of the other existing WebSSO systems, rely on
JavaScript tricks somewhere in their process.
Trusted third parties are presently more the domain of certificates or
Kerberos, than HTTP as such.
SASL is another framework for layering authentication onto protocols
that has been worked on considerably. But I don't know if it can meet the
needs of the browser-based market now being served by
forms+cookies+JavaScript.
Finding a single authentication/authorization framework that serves the
needs of both browser and non-browser clients is hard.
Scott Cantor has written a lot about why global logout for Shibboleth is
hard to implement. Part of that may rest on the underlying legacy
mechanisms they are using, but it's also a communication problem.
Having a local logout that really meant "stop sending cookies and
credentials for realm X to these servers" and/or authentication realms
that spanned servers might help, I don't know.
--
Albert Lunde albert-lunde@xxxxxxxxxxxxxxxx
atlunde@xxxxxxxxx (address for personal mail)
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf