On 5/22/06, Eric Rescorla <[EMAIL PROTECTED]> wrote:
1. This is not principally a protocol problem but rather a UI problem. The protocol problems are generally well understood. If the UI problems are solved, nearly any protocol will work. In particular, there have been a number of published designs [1] [2] that have mostly adequate (though not perfect) protocols, though without complete solutions to the UI problem.
One aspect of Sam's document that concerned me was the section on possible UI solutions. The requirements around spoofing seem directly opposed to the branding and usage patterns that web authors require. HTTP authentication currently presents a modal dialog with no design control, and this is a significant reason most sites opt for form controls. Roy has previously mentioned that 401 Unauthorized responses should be displayed to the user. This would allow a site to embed a new type of form control for authentication purposes... but as I mentioned above, this intermingling could increase the risk of spoofing. -- Robert Sayre _______________________________________________ dix mailing list [email protected] https://www1.ietf.org/mailman/listinfo/dix
