John Panzer wrote:
We plan to support SSL with Basic Auth as a minimum (that is, we will
not support Basic Auth over plain http). We'll likely support
additional proprietary methods as well and I'd be interested in how
people plan to, e.g., support RSA tokens.
I'm not yet sure what the full range of authentication options are going
to be, but the "we plan to support SSL with Basic Auth" is enough to get
things started.
Are the issues you're running into related to Basic Auth, or https? And
would you be interested in sharing your findings? Might be helpful...

HTTPS and SSL. Nearly all of the feed readers I've tried support Basic
Auth to some degree. For some, it was easy and straightforward... when
the reader tried to access a feed that required authentication, the
reader would prompt the user. For others, how to set credentials for
authenticated feeds is less than obvious. Firefox, for instance, will
not prompt the user for user credentials when trying to load Live
Bookmarks from an authenticated feed... but if you visit the site once
and log in, or if you include the auth credentials in the bookmark URI,
it works no problem.
The key challenge is with SSL. Later this week I'll be conducting a
more thorough round of testing and will post some results about which
readers do appear to support SSL and which ones do not.
- James

-John

James M Snell wrote:
One of the critical requirements for our implementation of APP is SSL
and HTTP authentication (basic for now, eventually, likely something
stronger). Unfortunately, we're finding that a great many of the
available Atom/RSS feed readers on the market don't speak SSL/HTTPS
and have generally poor usability when it comes to http authentication
(e.g., only a handful seem to prompt for authentication on demand and
most will ask for authentication for every feed, even if those feeds
are on the same host and in the same realm.)
What we need to know, at this point, is what other APP implementors
are doing as far as security is concerned. Only clients that can
speak SSL and Basic Auth are going to be able to access our
endpoints. In my personal opinion, all APP clients should be required
to support both, at a minimum.
thoughts?
- James
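The policy John describes above (Basic Auth accepted only over SSL, never over plain HTTP) and the realm behaviour James complains about can be made concrete on the server side. The following is an added example, not code from either poster or from any APP implementation they describe: a small Python authorization routine that refuses to advertise or accept Basic credentials unless the request arrived over HTTPS, challenges with a single realm so a well-behaved client can reuse credentials across feeds on the same host, and compares password digests in constant time. The realm name, user table, salt and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed realm: one realm per host lets a client reuse credentials for
# every feed on that host instead of prompting per feed.
REALM = "feeds"

# Constructed user table. Passwords are stored as salted SHA-256 digests to keep
# the example self-contained; a real deployment would use a password KDF
# (scrypt, argon2, bcrypt) instead of a single hash round.
_SALT = b"example-salt-not-secret"
USERS = {
    "alice": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
}
# Digest compared against when the user is unknown, so the cost of a failed
# lookup matches the cost of a wrong password.
_DUMMY = hashlib.sha256(_SALT + b"dummy").hexdigest()


def _verify(user, password):
    """Constant-time check of a user:password pair against USERS."""
    expected = USERS.get(user, _DUMMY)
    candidate = hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()
    match = hmac.compare_digest(expected, candidate)
    return match and user in USERS


def basic_header(user, password):
    """Build the Authorization header value a client would send (RFC 2617 form)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def authorize(scheme, headers):
    """Decide whether a request may reach a protected APP endpoint.

    scheme  -- "http" or "https", as seen by the server (or from the
               reverse proxy's forwarded scheme, if one terminates TLS).
    headers -- dict of request headers.
    Returns (status_code, response_headers).
    """
    if scheme != "https":
        # Do not send a Basic challenge over plaintext: a challenge would
        # invite the client to transmit the password in the clear.
        return 403, {"Content-Type": "text/plain"}

    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, challenge
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return 401, challenge
    user, sep, password = decoded.partition(":")
    if not sep or not _verify(user, password):
        return 401, challenge
    return 200, {}


if __name__ == "__main__":
    # Constructed requests: the same credentials over https and over http.
    hdr = {"Authorization": basic_header("alice", "correct horse")}
    print("https:", authorize("https", hdr))
    print("http: ", authorize("http", hdr))
    print("no creds over https:", authorize("https", {}))
```

Returning 403 rather than a redirect for plain-HTTP requests is deliberate: a redirect to the https URL would cause many clients to resend the Authorization header they already attached, so the credentials would still have crossed the wire unprotected.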