Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation

Carsten Bormann <> Mon, 13 December 2010 12:12 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AB5B63A6D9E; Mon, 13 Dec 2010 04:12:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -106.316
X-Spam-Status: No, score=-106.316 tagged_above=-999 required=5 tests=[AWL=-0.067, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vlx35im81SA2; Mon, 13 Dec 2010 04:12:35 -0800 (PST)
Received: from ( [IPv6:2001:638:708:30c9:209:3dff:fe00:7136]) by (Postfix) with ESMTP id A20C03A6DAA; Mon, 13 Dec 2010 04:12:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at
Received: from ( []) by (8.14.3/8.14.3) with ESMTP id oBDCE5FS003904; Mon, 13 Dec 2010 13:14:05 +0100 (CET)
Received: from [] ( []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 908AF497; Mon, 13 Dec 2010 13:14:04 +0100 (CET)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Carsten Bormann <>
In-Reply-To: <2229.1292239384.281779@puncture>
Date: Mon, 13 Dec 2010 13:14:03 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <p06240809c928635499e8@[]> <> <> <> <> <> <> <> <> <2229.1292235952.971571@puncture> <> <2229.1292239384.281779@puncture>
To: General discussion of application-layer protocols <>,
X-Mailer: Apple Mail (2.1082)
Cc: Common Authentication Technologies - Next Generation <>, websec <>,, " Group" <>
Subject: Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: General discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Dec 2010 12:12:36 -0000

On Dec 13, 2010, at 12:23, Dave Cridland wrote:

> every webapp currently uses a form

Yes.  Nice demonstration of conflicting requirements.

As a webapp developer, I want to control the user interface during authentication.
Leaving the user alone with the bland and unforgiving browser user interface for HTTP auth is suicide.
I want to provide extra buttons for forgotten passwords, maybe even password hints, and a "sign up" method.
HTML/CSS/JS lends itself well to providing such a friendly user interface.

As a security geek, I recognize this as exactly the problem that creates the potential for phishing.
Having the user type credentials into a random form is never going to be secure, HSTS notwithstanding.

Maybe the only way to address both requirements is to have something in HTML/CSS/JS that addresses authentication interactions.
Replacing <input type="password"/> for the 21st century.  This would allow web app designers to design a nice context for this interaction, and would allow running security protocols that are binding themselves to a browser-server security association that may be identical to or different from the TLS envelope.  "Storing passwords" in the browser might turn into storing those security associations.

This is not "HTTP authentication", but it might be more useful in the long run.
We'll need the browser people to start any such effort.

Gruesse, Carsten

PS.: And I'd still like to have some better form of authentication for machine-to-machine that can be independent from the TLS envelope.  But that is a completely different animal.