On 9/19/06, Harald Alvestrand <[EMAIL PROTECTED]> wrote:
Robert Sayre wrote:
>
> I don't disagree. The IETF might first try to design an authentication
> feature worth requiring. None of the current options are at all
> satisfactory.
In fact TLS + HTTP Basic Auth is pretty interoperable, secure against
quite a few attacks, and widely deployed.
Ah, this is the "wink, wink" approach to mandatory authentication.
Specify something no one uses. Here is my bank's web site:
<http://www.chase.com/>. It looks like a phishing attack.
That says something frightening about the kind of impression we give to
people who work on making usable security. "Usable" needs to be an
important component of "satisfactory".
(He's quite aware of the obvious security defects of his scheme, btw.
It's a tradeoff.)
Fully agree. Many non-standard schemes are more secure and more usable
than the IETF options, though.
Tony Finch wrote:
The implementations fail to use the negotiation features to
work securely when possible, and instead baffle users with terrible user
interfaces bristling with options.
Negotiation features don't work very well in practice so client
vendors don't rely on them.
--
Robert Sayre
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
