albinowax / browsersec

Automatically exported from code.google.com/p/browsersec
10 stars 3 forks source link

Should mention new works on HTTP strong authentication mechanisms #14

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Part3. HTTP authentication

[CURRENT]
Because of these limitations and the relative inflexibility of this scheme
to begin with, HTTP authentication has been almost completely extinct on
the Internet, and replaced with custom solutions built around HTTP cookies
(it is still sometimes used for intranet applications or for simple access
control for personal resources).
[END CURRENT]

[PROPOSAL]
A)New work on HTTP strong authenticaton mechanisms in form of DRAFT
http://tools.ietf.org/html/draft-hartman-webauth-phishing-09
http://www.ietf.org/internet-drafts/draft-ietf-httpbis-security-properties-02.tx
t

B)NTLM and basic auth tt's still used too for proxy access and many web
APIs use this mechanism (Not widely used for interactive human usage)

C)Many sites moved away from HTTP authentication mostly because there
wasn't good UI in the browser (not because technical aspects of digest
and basic)

D)There is a need for a robust framework where new schemes can be plugged
more easily and making the HTTP authentication more visually and attractive
in the browser world

E)Some humour with HTTP authentication implementations
http://bitworking.org/news/Problems_with_HTTP_Authentication_Interop 

Original issue reported on code.google.com by ecasb...@gmail.com on 3 Jan 2009 at 12:56

GoogleCodeExporter commented 9 years ago
There are literally hundreds of unimplemented IETF / W3C / WHATWG drafts and
recommendations for HTTP, HTML, and related mechanisms, as well as thousands of 
more
loosely proposed extensions and improvements. 

To avoid bloat and overloading the document with such non-actionable 
information, I
tried to keep references of this type to a very minimum. I do link to HTML5 
efforts,
for example, as they serve as an umbrella for a number of plausible extensions 
and
improvements that are being proposed and/or actively pursued by browser 
vendors, but
I stayed away from more speculative references. 

In this particular case, "draft-hartman-webauth-phishing-09" gives under 40 
hits on
the web if you do not count copies of the draft itself, so I think it would be
productive to wait at least until a broader discussion of the proposal takes 
place.

Original comment by lcam...@gmail.com on 3 Jan 2009 at 3:29