Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Nicolas Williams <Nicolas.Williams <at> sun.com>
Subject: Re: [Ietf-http-auth] New draft on anti-phishing requirements
Newsgroups: gmane.ietf.dix
Date: Monday 22nd May 2006 16:18:31 UTC (over 11 years ago)
On Mon, May 22, 2006 at 12:14:51PM -0400, Robert Sayre wrote:
> On 5/22/06, Eric Rescorla  wrote:
> >1. This is not principally a protocol problem but rather a UI problem.
> >  The protocol problems are generally well understood. If the UI
> >  problems are solved, nearly any protocol will work. In particular,
> >  there have been a number of published designs [1] [2] that have mostly
> >  adequate (though not perfect) protocols, though without complete
> >  solutions to the UI problem.
> 
> One aspect of Sam's document that concerned me was the section on
> possible UI solutions. The requirements around spoofing seem directly
> opposed to the branding and usage patterns that web authors require.
> HTTP authentication currently presents a modal dialog with no design
> control, and this is a significant reason most sites opt for form
> controls.

Sam wants to put control over the UI in the web site's authors' hands.

But he wants this UI tied intimately to a new browser function that is
tied intimately to authentication protocols.

> Roy has previously mentioned that 401 Unauthorized responses should be
> displayed to the user. This would allow a site to embed a new type of
> form control for authentication purposes... but as I mentioned above,
> this intermingling could increase the risk of spoofing.

As Sam says: the browser must change.  There are problems we cannot
solve using nothing more than HTML, HTTP/HTTPS and existing browser
functionality.

Nico
--
 
CD: 3ms