Sat 2012-02-25 at 19:23 +0100, Julian Reschke wrote:
> Well, I'm one of the editors of the authentication framework spec, so if
> there's something wrong with it, I'd like to know.
Only the things said earlier:
- Define how servers may influence the visible appearance of the login
- Perhaps some way of triggering a logout.
> So if we collectively think that the framework probably is ok, and that
> we *do* need a new authentication scheme, what's stopping us to start
> that activity *right now*?
A cleaned up http digest with less fancy bells no one implements
correctly and stronger methods would do nicely at improving the raw
security side of things.
But at the same time it alone does solve the reasons why HTTP Digest is
not widely used today which is or any of the newer use cases with auth
delegation via trusted third parties.
A very interesting thought is to look into how for example Kerberos
could be implemented as a first class HTTP Auth citizen without
violating HTTP messaging semantics. Is there anything needed at the
framework side for making that work right?
Ietf mailing list