On Mon, May 22, 2006 at 12:14:51PM -0400, Robert Sayre wrote:
> On 5/22/06, Eric Rescorla <[EMAIL PROTECTED]> wrote:
> >1. This is not principally a protocol problem but rather a UI problem.
> >   The protocol problems are generally well understood. If the UI
> >   problems are solved, nearly any protocol will work. In particular,
> >   there have been a number of published designs [1] [2] that have mostly
> >   adequate (though not perfect) protocols, though without complete
> >   solutions to the UI problem.
>
> One aspect of Sam's document that concerned me was the section on
> possible UI solutions. The requirements around spoofing seem directly
> opposed to the branding and usage patterns that web authors require.
> HTTP authentication currently presents a modal dialog with no design
> control, and this is a significant reason most sites opt for form
> controls.

Sam wants to put control over the UI in the web site's authors' hands.
But he wants this UI tied intimately to a new browser function that is
tied intimately to authentication protocols.

> Roy has previously mentioned that 401 Unauthorized responses should be
> displayed to the user. This would allow a site to embed a new type of
> form control for authentication purposes... but as I mentioned above,
> this intermingling could increase the risk of spoofing.

As Sam says: the browser must change. There are problems we cannot
solve using nothing more than HTML, HTTP/HTTPS and existing browser
functionality.

Nico
--
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
