Re: [apps-discuss] [http-auth] [websec] [saag] [kitten] HTTP authentication: the next generation
"Henry B. Hotz" <hotz@jpl.nasa.gov> Mon, 13 December 2010 22:59 UTC
Return-Path: <hotz@jpl.nasa.gov>
X-Original-To: apps-discuss@core3.amsl.com
Delivered-To: apps-discuss@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9B02E3A6E17; Mon, 13 Dec 2010 14:59:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aUbgw5CTrroQ; Mon, 13 Dec 2010 14:59:21 -0800 (PST)
Received: from mail.jpl.nasa.gov (sentrion1.jpl.nasa.gov [128.149.139.105]) by core3.amsl.com (Postfix) with ESMTP id 74E583A6E08; Mon, 13 Dec 2010 14:59:21 -0800 (PST)
Received: from laphotz.jpl.nasa.gov (laphotz.jpl.nasa.gov [128.149.133.44]) (authenticated (0 bits)) by smtp.jpl.nasa.gov (Switch-3.4.3/Switch-3.4.3) with ESMTP id oBDN0lTC010816 (using TLSv1/SSLv3 with cipher AES128-SHA (128 bits) verified NO); Mon, 13 Dec 2010 15:00:48 -0800
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset="us-ascii"
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
In-Reply-To: <4D0672F2.4070600@extendedsubset.com>
Date: Mon, 13 Dec 2010 15:00:46 -0800
Content-Transfer-Encoding: 7bit
Message-Id: <A4FF962A-C83E-41CE-B5AB-9692474A29C0@jpl.nasa.gov>
References: <4D02AF81.6000907@stpeter.im> <p06240809c928635499e8@[10.20.30.150]> <ADDEC353-8DE6-408C-BC75-A50B795E2F6C@checkpoint.com> <78BD0B98-0F20-478B-85F1-DBB45691EB0D@padl.com> <4D0479E3.4050508@gmail.com> <4D04D7D6.4090105@isode.com> <A23730A9-728B-4533-96D7-0B62496CC98A@checkpoint.com> <4D051731.1020400@isode.com> <4D054041.7010203@cisco.com> <0435D11C-DF55-464D-B23F-F5D114DEE2C3@checkpoint.com> <2229.1292235952.971571@puncture> <4D05FB8F.3070804@qbik.com> <2229.1292239384.281779@puncture> <96517E19-5DC7-47A0-8C21-C710F6F8F772@tzi.org> <5D5AF795-22AB-4726-B791-3706693466C3@checkpoint.com> <4D063CA5.8060907@gmail.com> <878FA115-D801-4063-AD87-DB2C2B2DE0D1@checkpoint.com> <4D0672F2.4070600@extendedsubset.com>
To: Marsh Ray <marsh@extendedsubset.com>
X-Mailer: Apple Mail (2.1081)
X-Source-IP: laphotz.jpl.nasa.gov [128.149.133.44]
X-Source-Sender: hotz@jpl.nasa.gov
X-AUTH: Authorized
X-Mailman-Approved-At: Tue, 14 Dec 2010 08:57:49 -0800
Cc: "Common@core3.amsl.com" <Common@core3.amsl.com>, protocols <apps-discuss@ietf.org>, Yoav Nir <ynir@checkpoint.com>, websec <websec@ietf.org>, "General@core3.amsl.com" <General@core3.amsl.com>, Generation <kitten@ietf.org>, Yaron Sheffer <yaronf.ietf@gmail.com>, "http-auth@ietf.org" <http-auth@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [apps-discuss] [http-auth] [websec] [saag] [kitten] HTTP authentication: the next generation
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Dec 2010 22:59:22 -0000
On Dec 13, 2010, at 11:24 AM, Marsh Ray wrote: > So IMHO, significant improvements in web authentication would be greatly > beneficial. But they will have to: > > * Require connection integrity. This probably means mandatory TLS. > > * Require a user interaction that takes place outside the insecure > browser rectangle and feels different enough that it's easy to explain > the difference. > > * Not leak info to untrusted parties. These days privacy is often more > important than traditional security. > > * Support browser vendors in making a UI that "sucks less" to have to > use, or possibly have to use it less. Put users in control of their > identity and auth credentials without nagging them repeatedly until they > give in and click the "Yes to all" button. > > * Represent an actual improvement in security over the current standard > of HTML form POST password and secret HTTP session cookie. > > - Marsh +1 ------------------------------------------------------ The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government. Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
- Re: [apps-discuss] HTTP authentication: the next … Mark Nottingham
- [apps-discuss] HTTP authentication: the next gene… Peter Saint-Andre
- Re: [apps-discuss] [saag] HTTP authentication: th… Paul Hoffman
- Re: [apps-discuss] [kitten] HTTP authentication: … Nicolas Williams
- Re: [apps-discuss] [saag] HTTP authentication: th… Henry B. Hotz
- Re: [apps-discuss] [websec] HTTP authentication: … Marsh Ray
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Josh Howlett
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Alexey Melnikov
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Josh Howlett
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Luke Howard
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Yaron Sheffer
- Re: [apps-discuss] [saag] HTTP authentication: th… Yoav Nir
- Re: [apps-discuss] [saag] HTTP authentication: th… Yoav Nir
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Yoav Nir
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Yoav Nir
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Alexey Melnikov
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Eliot Lear
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Roy T. Fielding
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Dave Cridland
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Dave Cridland
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Eliot Lear
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Carsten Bormann
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Eliot Lear
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Dave Cridland
- Re: [apps-discuss] [websec] HTTP authentication: … Julian Reschke
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Adrien de Croy
- Re: [apps-discuss] [saag] [kitten] HTTP authentic… Alan DeKok
- Re: [apps-discuss] [websec] [saag] HTTP authentic… Ben Laurie
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Dave Raggett
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Marsh Ray
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Tim Morgan
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Yaron Sheffer
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Yoav Nir
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Yoav Nir
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Yoav Nir
- Re: [apps-discuss] [http-auth] [websec] [saag] [k… Henry B. Hotz
- Re: [apps-discuss] [http-auth] [websec] [saag] HT… Henry B. Hotz
- Re: [apps-discuss] [websec] [saag] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Nicolas Williams
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Nicolas Williams
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Steven Bellovin
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … John C Klensin
- Re: [apps-discuss] [http-auth] [websec] HTTP auth… Tim Morgan
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … John C Klensin
- Re: [apps-discuss] [saag] [kitten] HTTP authentic… Joel Jaeggli
- Re: [apps-discuss] [http-auth] [saag] [websec] [k… Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … der Mouse
- Re: [apps-discuss] [http-auth] [saag] [websec] [k… der Mouse
- Re: [apps-discuss] [http-auth] [saag] [websec] [k… Tim
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Adrien de Croy
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Nathan
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Adrien de Croy
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Josh Howlett
- Re: [apps-discuss] [websec] [saag] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Jeffrey Hutzelman
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Ben Laurie
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … David Morris
- Re: [apps-discuss] [kitten] [saag] HTTP authentic… Robert Sayre
- Re: [apps-discuss] [websec] [kitten] [saag] HTTP … Tim
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [websec] [saag] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … der Mouse
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Blaine Cook
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Phillip Hallam-Baker
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [http-auth] [saag] [websec] [k… Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Blaine Cook
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Blaine Cook
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Ben Laurie
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Marsh Ray
- Re: [apps-discuss] [saag] [websec] [kitten] HTTP … Theodore Tso