
RE: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)

2007-09-09 18:52:25
From: Iljitsch van Beijnum [mailto:iljitsch(_at_)muada(_dot_)com] 

During the reading of this document, it occurred to me that HTTP digest authentication (RFC 2617) rather than the widely used practice of having security credentials be typed into an HTTP form would achieve 90% of the requirements all by itself.

Well maybe if people had listened to me then :-)

But at this point, fifteen years later, Digest is not the way to go. First, Digest 
was designed under the express constraint of avoiding patent encumbrances. RSA 
and D-H were both off the table at the time.

If I were to redo Digest today or expand its scope I would do it differently. 
The main reason I would not is that SAML and WS-* both provide an excellent 
solution. I very much like and support the Cardspace idea of building into the 
O/S platform. I very much like the OpenID concept of making the barrier to 
entry very low. I would like to arrive at a happy combination of the existing 
proposals, not see more proposals put on the table at this point.


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
