On 1/27/10 12:20 PM, Timothy D. Morgan wrote:
> Cool, there are some great UI ideas there. I particularly like the
> examples that eliminate favicons. ;-)
>
> I would think that moving toward HTTP authentication schemes, such as
> digest, would make it much easier to automate a good identity manager.
> Would you agree?

We can't control what web sites do, but if we make the experience nicer, more sites may be encouraged to use things like HTTP Auth. Personally I'd like to see client certs used for auth but we really have a lot of work to do to make that a pleasant experience for anyone.

> Another thought I had on performing logouts, which is not presented in
> the paper, is that if the XMLHttpRequest W3C standard is finalized and
> fully adopted by browsers as is, then one might be able to use
> JavaScript to clear credentials

As someone who regularly disables JavaScript I'd hate to see client auth require it.

>> You must be the Tim who started the "Past proposals for HTTP Auth
>> Logout" thread and if so you're already involved in the right place for
>> that.
>
> Heh, you did your homework. Yes, I did start that thread.

No creepy stalking involved, honest :-) I remembered the topic came up on the httpbis mailing list recently so I went to see if they had reached any kind of consensus in the group.

_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
