Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation

Tim Morgan <> Mon, 13 December 2010 17:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C0E7128C0EF for <>; Mon, 13 Dec 2010 09:15:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id r0wiIuW8LfqZ for <>; Mon, 13 Dec 2010 09:15:37 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 674AA28C0EC for <>; Mon, 13 Dec 2010 09:15:37 -0800 (PST)
Received: (qmail 28267 invoked from network); 13 Dec 2010 17:21:10 -0000
Received: from unknown (HELO ( by with ESMTPS (DHE-RSA-AES256-SHA encrypted); 13 Dec 2010 17:21:10 -0000
Received: (qmail 2438 invoked from network); 13 Dec 2010 17:14:14 -0000
Received: from ( by with SMTP; 13 Dec 2010 17:14:14 -0000
Received: (nullmailer pid 4529 invoked by uid 1000); Mon, 13 Dec 2010 17:10:33 -0000
Date: Mon, 13 Dec 2010 09:10:33 -0800
From: Tim Morgan <>
To: Dave Cridland <>
Message-ID: <>
References: <> <> <> <> <> <2229.1292235952.971571@puncture> <> <2229.1292239384.281779@puncture> <> <2229.1292253372.639419@puncture>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <2229.1292253372.639419@puncture>
User-Agent: Mutt/1.5.20 (2009-06-14)
X-Mailman-Approved-At: Mon, 13 Dec 2010 09:50:37 -0800
Cc: General discussion of application-layer protocols <>, websec <>, Common Authentication Technologies - Next Generation <>, "" <>, "" <>, " Group" <>
Subject: Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Dec 2010 17:36:58 -0000

Hi Everyone,

These last few messages do a great job outlining both the real
problems that face adoption of HTTP authentication without a
customizable user interface, and the fact that HTTP authentication is
perhaps more secure than form-based authentication (as well as being a
requirement for automated/non-GUI clients).

I did some work not long ago on this and found that we can have our
cake and eat it too.  That is, even with current browser
implementations, one can utilize HTTP Basic/Digest with an HTML form
(if desired).  (Yes, once again, HTML forms may allow for easier
phishing, etc, but that is what the HTTP Mutual authentication
proposal can address.)

My position paper is here:

And some proof of concept code for forms-based HTTP authentication can
be found on this page:

The implementation is hacky right now, because, at the time of
development and testing, browsers didn't adhere well to the draft
XMLHttpRequest standard.  I haven't checked the status of browser
implementations, but the proposed standard still requires a behavior
that is workable with such a system.

So all of these pieces are coming together on their own to allow for
forms-based HTTP authentication.  The major outstanding piece needed
for most web applications with HTTP authentication is the ability to
log out.  The ability to instruct a browser, in an standard way
(preferrably with HTTP response headers) to forget the credentials it
has cached.  Writing a draft RFC for this has been on my list for some
time, but I've been quite busy this year.  For those interested, I can
dig up some of the previous discussion threads...