> > Yes it does :/ But I think it's easier to get sites to implement OpenID
> > than it is to support HTTP Auth with certificates. Do you think it is
> > possible to use OpenID without cookies?
>
> I suspect it's difficult to use OpenID without cookies in today's
> browsers. The challenge is you need some way to bind the session to
> the user's browser. It might be interesting to think about ways that
> browsers could make OpenID (or an OpenID-like federated identity
> system) more awesome.

I think it would be possible to utilize digest authentication's multi-domain protection spaces along with something like OpenID. Of course this would almost certainly require changes to standards. Note that digest authentication can be used to pass cryptographic cookies between servers, so back-end data transfers aren't necessarily needed. If browser user interfaces were just a little bit easier to work with for HTTP auth generally, then this could be a very viable option.

> Tim, I need to read your paper in more detail, but could you summarize
> what problem you're trying to solve by avoiding cookies?

Security problems. The introductory paragraphs provide a good overview of the paper's structure, and the early sections provide the laundry list of details why cookies are often unsafe in practice. I look forward to any comments you have.

Thanks!
tim

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
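The "multi-domain protection space" Tim refers to is the `domain` directive of an HTTP Digest challenge (RFC 2617 / RFC 7616): a challenge can list several absolute URIs, and a browser that has answered it once may reuse the same credentials on every listed host without any cookie being set. The following added example (not code from the thread or from any of the people posting in it) shows both halves of that mechanism in Python: the client-side check that decides whether a request falls inside the protection space, the Digest `response` computation, and the server-side verification. The challenge, the hosts `idp.example` / `app.example`, the nonce and the user name are all constructed sample values.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Constructed WWW-Authenticate challenge (sample data, not taken from the thread).
# The "domain" directive names two origins, so a browser that has answered this
# challenge once may reuse the credentials on both hosts (RFC 7616, section 3.3).
CHALLENGE = (
    'Digest realm="federated.example", '
    'domain="https://idp.example/ https://app.example/", '
    'qop="auth", algorithm=SHA-256, '
    'nonce="constructedNonce0001", opaque="constructedOpaque"'
)


def parse_challenge(header):
    """Split a 'Digest ...' challenge into a dict of lower-cased directives."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    directives = {}
    # Values are either quoted strings or bare tokens (e.g. algorithm=SHA-256).
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        directives[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return directives


def in_protection_space(challenge, challenge_origin, request_url):
    """Decide whether request_url belongs to the challenge's protection space.

    With no "domain" directive the space is only the origin that issued the
    challenge; otherwise it is every URL that has one of the listed absolute
    URIs as a prefix. This is the decision a browser makes before sending an
    Authorization header pre-emptively to a host it has not been challenged by.
    """
    domain = challenge.get("domain")
    if domain is None:
        return request_url.startswith(challenge_origin.rstrip("/") + "/")
    return any(request_url.startswith(prefix) for prefix in domain.split())


def _hash_for(challenge):
    """Pick the hash named by the algorithm directive (MD5 is the RFC default)."""
    algo = challenge.get("algorithm", "MD5").upper()
    return hashlib.sha256 if algo.startswith("SHA-256") else hashlib.md5


def digest_response(challenge, username, password, method, request_url, cnonce, nc="00000001"):
    """Client side: the 'response' value for an Authorization header (qop=auth)."""
    H = lambda s: _hash_for(challenge)(s.encode()).hexdigest()
    parts = urlsplit(request_url)
    digest_uri = parts.path or "/"          # the request-target, without scheme/host
    if parts.query:
        digest_uri += "?" + parts.query
    ha1 = H(f"{username}:{challenge['realm']}:{password}")
    ha2 = H(f"{method}:{digest_uri}")
    return H(f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:auth:{ha2}")


def verify_response(challenge, stored_password, username, method, request_url, cnonce, nc, response):
    """Server side: recompute the expected value and compare in constant time."""
    expected = digest_response(challenge, username, stored_password, method, request_url, cnonce, nc)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    ch = parse_challenge(CHALLENGE)
    for url in ("https://app.example/dashboard", "https://other.example/"):
        print(url, "in protection space:", in_protection_space(ch, "https://idp.example", url))
    resp = digest_response(ch, "alice", "correct horse", "GET",
                           "https://app.example/dashboard", "cnonce42")
    print("server verifies:", verify_response(ch, "correct horse", "alice", "GET",
                                              "https://app.example/dashboard",
                                              "cnonce42", "00000001", resp))
```

The session state that a cookie would normally carry lives here in the browser's memory of the challenge (realm, nonce, protection space) rather than in a bearer token the server handed out, which is the property the thread is after. Two things a deployment still has to get right are visible in the code: every host in the `domain` list must be able to verify the response (they share `HA1` or the password store, which is the "back-end data transfer" Tim says is not strictly needed), and the server-side comparison must be constant-time and the nonce tracked for replay, otherwise the scheme is no safer than the cookie it replaces.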
