>>>>> "Nicolas" == Nicolas Williams <[EMAIL PROTECTED]> writes:
Nicolas> On Mon, May 22, 2006 at 12:14:51PM -0400, Robert Sayre
Nicolas> wrote:
>> On 5/22/06, Eric Rescorla <[EMAIL PROTECTED]> wrote:
>> > 1. This is not principally a protocol problem but rather a UI
>> > problem. The protocol problems are generally well understood.
>> > If the UI problems are solved, nearly any protocol will work.
>> > In particular, there have been a number of published designs
>> > [1] [2] that have mostly adequate (though not perfect)
>> > protocols, though without complete solutions to the UI problem.
>>
>> One aspect of Sam's document that concerned me was the section
>> on possible UI solutions. The requirements around spoofing seem
>> directly opposed to the branding and usage patterns that web
>> authors require. HTTP authentication currently presents a
>> modal dialog with no design control, and this is a significant
>> reason most sites opt for form controls.
Nicolas> Sam wants to put control over the UI in the web site's
Nicolas> authors' hands.
Nicolas> But he wants this UI tied intimately to a new browser
Nicolas> function that is tied intimately to authentication
Nicolas> protocols.
>> Roy has previously mentio
Exactly.
I don't think we want today's HTTP authentication dialogues.
Really. The secure UI could be as simple as any of the following:
* You choose what icon is used for bullets in a secure password form
control when you create your account on a computer. The standard
bullet is used if it is a normal HTML control; the one you selected
is used if it is a control that will make the password available
only to the trusted authentication part of the browser.
* You have a keystroke and mouse action that will hide non-trusted components
of the UI.
I'm not a UI designer. I don't know how to come up with a UI that
maximizes the probability that the user will actually notice when they
are typing a password into the wrong place. I'm just trying to
demonstrate that we need not have something as clunky as current HTTP
authentication dialogues.
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix