[dix] Re: [Ietf-http-auth] New draft on anti-phishing requirements

On Mon, May 22, 2006 at 12:14:51PM -0400, Robert Sayre wrote:
> On 5/22/06, Eric Rescorla <ekr at networkresonance.com> wrote:
> >1. This is not principally a protocol problem but rather a UI problem.
> >  The protocol problems are generally well understood. If the UI
> >  problems are solved, nearly any protocol will work. In particular,
> >  there have been a number of published designs [1] [2] that have mostly
> >  adequate (though not perfect) protocols, though without complete
> >  solutions to the UI problem.
> 
> One aspect of Sam's document that concerned me was the section on
> possible UI solutions. The requirements around spoofing seem directly
> opposed to the branding and usage patterns that web authors require.
> HTTP authentication currently presents a modal dialog with no design
> control, and this is a significant reason most sites opt for form
> controls.

Sam wants to put control over the UI in the web site's authors' hands.

But he wants this UI tied intimately to a new browser function that is
tied intimately to authentication protocols.

> Roy has previously mentioned that 401 Unauthorized responses should be
> displayed to the user. This would allow a site to embed a new type of
> form control for authentication purposes... but as I mentioned above,
> this intermingling could increase the risk of spoofing.

As Sam says: the browser must change.  There are problems we cannot
solve using nothing more than HTML, HTTP/HTTPS and existing browser
functionality.

Nico
_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix
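The thread contrasts the browser's modal HTTP-authentication dialog with site-controlled form logins and mentions Roy's suggestion of rendering the 401 response to the user. The following is an added example, not code from the thread or from any of its participants, showing the HTTP mechanics behind that discussion: a server-side handler that issues the `WWW-Authenticate` challenge with an HTML body (the body today's browsers hide behind the dialog), and that validates the `Basic` credentials the browser sends back. The credential store, realm name, and HTML are constructed for the example.

```python
import base64
import binascii
import hmac
import html

# Constructed demo credential store (not from the thread): username -> password.
USERS = {"alice": "correct horse battery staple"}

# Constructed realm name for the challenge.
REALM = "example"

# Constructed HTML body sent alongside the 401. Current browsers swallow
# this body and show their own modal dialog instead; rendering it is what
# would let a site place its own login control on the page.
LOGIN_BODY = (
    "<html><body><h1>Sign in</h1>"
    "<p>This page is only visible if the browser renders the 401 body.</p>"
    "</body></html>"
)


def parse_basic_authorization(header):
    """Return (user, password) from a 'Basic <base64>' Authorization header, or None."""
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def credentials_valid(user, password, users=USERS):
    """Constant-time comparison so a wrong password and an unknown user behave alike."""
    expected = users.get(user, "")
    matches = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return matches and user in users


def handle_request(authorization_header, users=USERS):
    """Return (status, headers, body) for a request carrying the given Authorization header."""
    creds = parse_basic_authorization(authorization_header)
    if creds is not None and credentials_valid(creds[0], creds[1], users=users):
        body = "<html><body>Welcome, %s</body></html>" % html.escape(creds[0])
        return 200, {"Content-Type": "text/html"}, body
    # The challenge header is what triggers the browser's modal dialog;
    # the body is the part the dialog currently hides from the user.
    headers = {
        "WWW-Authenticate": 'Basic realm="%s", charset="UTF-8"' % REALM,
        "Content-Type": "text/html",
    }
    return 401, headers, LOGIN_BODY


def basic_header(user, password):
    """Build the Authorization header a browser sends once the dialog is filled in."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    attempts = (
        None,
        basic_header("alice", "wrong"),
        basic_header("alice", "correct horse battery staple"),
    )
    for hdr in attempts:
        status, headers, body = handle_request(hdr)
        print(status, headers.get("WWW-Authenticate", "-"), body[:40])
```

The exchange is the same whether the challenge is answered by the browser's dialog or by a page-embedded control: only the `Authorization` header reaches the server, which is why the spoofing concern raised in the thread lives entirely on the client side.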