From: Yoav Nir <ynir@checkpoint.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Thread-Topic: Authentication over HTTP
Date: Wed, 17 Jul 2013 07:01:41 +0000
Message-ID: <C4372D96-77AC-4F1E-AE5E-B87E4772084A@checkpoint.com>
References: <CE0AD74C.22464%Josh.Howlett@ja.net>
 <51E5428D.7010008@treenet.co.nz>
 <CAK3OfOg9JZbcnZhHSNrfSViNeV+wyctwYzSKhXpjGf3f_gP+VQ@mail.gmail.com>
 <51E632CB.9010107@treenet.co.nz>
 <alpine.LRH.2.01.1307162329540.26279@egate.xpasc.com>
In-Reply-To: <alpine.LRH.2.01.1307162329540.26279@egate.xpasc.com>
Subject: Re: Authentication over HTTP
Archived-At: <http://www.w3.org/mid/C4372D96-77AC-4F1E-AE5E-B87E4772084A@checkpoint.com>

On Jul 17, 2013, at 9:33 AM, David Morris <dwm@xpasc.com> wrote:

> On Wed, 17 Jul 2013, Amos Jeffries wrote:
>
>>
>> What am I missing?
>
> How about the user experience sucks because the authentication doesn't fit
> into the style/face of the application and doesn't provide sufficient user
> context for the prompts generated by the auth mechanism so the
> application owners design and implement their own approach? Oh, and no
> logout mechanism to cancel browser caching of credentials?

There is at least one attempt to address the user experience issue, by having
an unauthenticated as well as an authenticated version of the page (presumably
with the unauthenticated version pointing you at the credential entry box that
is located in the chrome of the browser).

There's even a modified browser to demonstrate this:

https://www.rcis.aist.go.jp/special/MutualAuth/index-en.html

Yoav (who is in no way affiliated with this site, but is the chair of http-auth
where their draft is discussed)


