Re: Authentication over HTTP

Yoav Nir <ynir@checkpoint.com> Wed, 17 July 2013 07:03 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Thread-Topic: Authentication over HTTP
Date: Wed, 17 Jul 2013 07:01:41 +0000
Message-ID: <C4372D96-77AC-4F1E-AE5E-B87E4772084A@checkpoint.com>
References: <CE0AD74C.22464%Josh.Howlett@ja.net> <51E5428D.7010008@treenet.co.nz> <CAK3OfOg9JZbcnZhHSNrfSViNeV+wyctwYzSKhXpjGf3f_gP+VQ@mail.gmail.com> <51E632CB.9010107@treenet.co.nz> <alpine.LRH.2.01.1307162329540.26279@egate.xpasc.com>
In-Reply-To: <alpine.LRH.2.01.1307162329540.26279@egate.xpasc.com>

On Jul 17, 2013, at 9:33 AM, David Morris <dwm@xpasc.com> wrote:

> On Wed, 17 Jul 2013, Amos Jeffries wrote:
> 
>> 
>> What am I missing?
> 
> How about the user experience sucks because the authentication doesn't fit
> into the style/face of the application and doesn't provide sufficient user
> context for the prompts generated by the auth mechanism so the
> application owners design and implement their own approach? Oh, and no
> logout mechanism to cancel browser caching of credentials?

There is at least one attempt to address the user experience issue, by having an unauthenticated as well as an authenticated version of the page (presumably with the unauthenticated version pointing you at the credential entry box that is located in the chrome of the browser).

There's even a modified browser to demonstrate this:

https://www.rcis.aist.go.jp/special/MutualAuth/index-en.html

Yoav (who is in no way affiliated with this site, but is the chair of http-auth where their draft is discussed)