Robert Sayre wrote:
On 9/19/06, Russ Allbery [EMAIL PROTECTED] wrote:
Robert Sayre [EMAIL PROTECTED] writes:
Thankfully, the complete failure known as HTTP 1.1 would never make it
to Proposed Standard under the unwritten process we have now. For
example, it doesn't contain a mandatory,
On Tue, 19 Sep 2006, Harald Alvestrand wrote:
In fact TLS + HTTP Basic Auth is pretty interoperable, secure against quite a
few attacks, and widely deployed.
But mostly ignored, because the user interface is dreadful. Practically
all websites use one of the ad-hoc mechanisms that Russ referred
From: Harald Alvestrand [mailto:[EMAIL PROTECTED]
I don't disagree. The IETF might first try to design an authentication
feature worth requiring. None of the current options are at all
satisfactory.
In fact TLS + HTTP Basic Auth is pretty interoperable, secure
against quite a few
Hallam-Baker, Phillip wrote:
I think the question starts with a false premise, that the security layer
should be in HTTP. Since HTTP is the new IP this makes no more sense than
having authentication at the IPSEC layer.
I think the concept of THE security layer is a false premise. There's
Robert Sayre wrote:
On 9/19/06, Harald Alvestrand [EMAIL PROTECTED] wrote:
Robert Sayre wrote:
I don't disagree. The IETF might first try to design an authentication
feature worth requiring. None of the current options are at all
satisfactory.
In fact TLS + HTTP Basic Auth is pretty
Harald,
The below is an easy mis-construction to make - from discussion
within the IETF, involving security experts.
What I believe I've actually seen is along the lines of we don't
want your favorite security/authentication because it is likely to be
mis-represented as having
On Tue Sep 19 18:50:41 2006, Robert Sayre wrote:
Tony Finch wrote:
The implementations fail to use the negotiation features to
work securely when possible, and instead baffle users with
terrible user interfaces bristling with options.
Negotiation features don't work very well in practice so
Hallam-Baker, Phillip [EMAIL PROTECTED] writes:
From: Harald Alvestrand [mailto:[EMAIL PROTECTED]
I don't disagree. The IETF might first try to design an authentication
feature worth requiring. None of the current options are at
all satisfactory.
Hallam-Baker, Phillip [EMAIL PROTECTED] writes:
I think the question starts with a false premise, that the security
layer should be in HTTP. Since HTTP is the new IP this makes no more
sense than having authentication at the IPSEC layer.
The place for the authentication layer is actually