Re: [apps-discuss] [http-auth] [websec] [saag] HTTP authentication: the next generation

["Henry B. Hotz" <hotz@jpl.nasa.gov>]

On Dec 13, 2010, at 4:08 AM, Ben Laurie wrote:

> On 11 December 2010 23:10, Yoav Nir <ynir@checkpoint.com> wrote:
>> TLS client certificates work, but as we've learned both with the web and with IPsec clients, people would much rather not use them. A few IETFs ago (Chicago?), a bunch of us tried to push the idea of TLS with EAP authentication.
> 
> I think what we've learnt is that we need to provide good UI and
> portability if we want people to use them.

I think it's a "complete system" problem.

You need a decent UI paradigm (not just a GUI), a respectable means of issuing/deploying them, a respectable means of storing them for use by multiple applications, and APIs and hooks that make them as easy to develop with as cookies.  Also all the capability needs to already be in place, so there's no "plug-in installation" or equivalent.

By "respectable" I mean something a security expert won't laugh at, which doesn't also violate the UI paradigm.

For all the people who say that we don't have to have perfect security, or we need to support http:, not just https:, I respectfully claim that you're off base.  We don't need *more* less-than-secure mechanisms.  We need actually-secure mechanisms that real people can actually use.

TLS with client certs qualifies as "actually-secure" (as would TLS with draft-williams..sasl..04).  Wouldn't we be better off putting our energy into making it actually-usable, than in starting from scratch?
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu