On Mon, May 22, 2006 at 12:14:51PM -0400, Robert Sayre wrote:
> On 5/22/06, Eric Rescorla wrote:
> >1. This is not principally a protocol problem but rather a UI problem.
> > The protocol problems are generally well understood. If the UI
> > problems are solved, nearly any protocol will work. In particular,
> > there have been a number of published designs   that have mostly
> > adequate (though not perfect) protocols, though without complete
> > solutions to the UI problem.
> One aspect of Sam's document that concerned me was the section on
> possible UI solutions. The requirements around spoofing seem directly
> opposed to the branding and usage patterns that web authors require.
> HTTP authentication currently presents a modal dialog with no design
> control, and this is a significant reason most sites opt for form
Sam wants to put control over the UI in the web site's authors' hands.
But he wants this UI tied intimately to a new browser function that is
tied intimately to authentication protocols.
> Roy has previously mentioned that 401 Unauthorized responses should be
> displayed to the user. This would allow a site to embed a new type of
> form control for authentication purposes... but as I mentioned above,
> this intermingling could increase the risk of spoofing.
As Sam says: the browser must change. There are problems we cannot
solve using nothing more than HTML, HTTP/HTTPS and existing browser