Tim,
Probably worth noting that HTTP+TLS with client-side certificates
already works over XHR; when the request for a cert comes in, the
browsers handle it in the usual way.
That said, this would be /very/ useful. In fact, we were just discussing
this today, where I too mentioned TLS and SRP together with other forms
of authentication, and that moving to TLS Extension support would
probably be wise in the long term.
See: http://krijnhoetmer.nl/irc-logs/whatwg/20110203#l-870
through to 14:51 for context
Thanks for raising this,
Nathan
Tim wrote:
Anne, others,
Do you have any opinions on this?
There have recently been some good discussions around HTTP
authentication on IETF mailing lists, and I think having some
flexibility here would be useful in the long run.
tim
On Thu, Jan 06, 2011 at 08:50:00AM -0800, Tim wrote:
Hello,
It occurred to me recently that the way in which the current draft
XMLHttpRequest standard is written could be extended to allow for
other forms of authentication at lower layers. In particular, it
should be possible to allow for the use of pre-shared key
authentication (RFC 4279) or for SRP/TLS based on the credentials
provided in the open() method. For password-based systems in TLS,
it should be a simple matter to just *allow* for such behavior, but
not necessarily define it in detail.
However, it does sort of open the door for more complex authentication
schemes at lower layers, including certificate authentication and the
like. Perhaps optional parameters of some sort would be needed to
support this.
What do you think?
tim