W3C Note - User Agent Authentication FORM elements
- Hey - I just found out there was a note back in 1999 about using HTML forms
to do authentication.
I haven't read it fully, but this is one of my pet peeves with HTTP and the
'visual Web' - no visibility of security information in messages. (leading
to sessions, cookies, wacky urls, etc.)
This proposal suggests extensions to HTML forms to overcome their present
security problems by integrating them with HTTP (or other security sublayer)
mechanisms. It calls for a new type of form; the AUTHFORM and new values for
the TYPE attribute of the INPUT element and SELECT block.
- S. Alexander Jacobson wrote:
> I'm sorry. I was waayy too strident (too little
> Anyway, the question remains: Is it RESTful for
> resources to be parametrized by authentication
I don't believe it is. The identity of a thing shouldn't be coupled to
any Access Control List information I have about that thing.
Another reason: try to write RDF statements about a bank account, where
that bank account is identified in a relative way.
Relative ID: http://example.bank.com/account
You can't write anything about that account because to truly identify
it, you need ACL information. And in the HTTP world, the authentication
is done outside the URI.
If you had an absolute ID for a bank account, then you can actually say
things about it.
Absolute ID: http://example.bank.com/account/12345
Then, this becomes possible (in RDF):
You can't do the above w/ the Relative ID. All the RDF statements would
end up saying that *everyone* owns account http://example.bank.com/account.
This is all true, because HTTP's authentication is done at the protocol
level, and independent of the URI. The ID of the thing you are trying
to operate on is not affected by any ACL information.
Now, having said that, this is a perfectly valid Absolute ID:
But, of course, not as friendly w/ some caches and search engines. And,
you still have to supply a password (or some authenticating token).
Hope that helps,
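The distinction drawn in the reply above, as an added example that is not part of the original thread: with an absolute ID the ACL only gates access to one named account, while with the relative ID the credentials select the resource, so statements about it collapse onto one subject. The users, passwords, second account number, `ownedBy` predicate and all function names are constructed for illustration, and the tuples are a simplified stand-in for RDF.

```python
import base64
import hmac

# Constructed sample data (assumptions, not from the thread).
USERS = {"alice": "pw-a", "bob": "pw-b"}                       # principal -> password
OWNER = {"/account/12345": "alice", "/account/67890": "bob"}   # ACL, kept apart from the URI
BASE = "http://example.bank.com"

def basic(user, pw):
    """Build the HTTP Basic Authorization header a client would send."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()}

def principal(headers):
    """Return the user authenticated by a Basic Authorization header, else None."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pw = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:          # bad base64 or bad UTF-8
        return None
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), pw.encode()):
        return None
    return user

def get_absolute(path, headers):
    """Absolute ID: the URI names one account; the ACL only decides access."""
    user = principal(headers)
    if user is None:
        return 401, None
    if OWNER.get(path) != user:  # same answer for unknown and unowned accounts
        return 403, None
    return 200, BASE + path

def get_relative(headers):
    """Relative ID: /account means 'the caller's account'; credentials pick the resource."""
    user = principal(headers)
    if user is None:
        return 401, None
    return 200, BASE + next(p for p, o in OWNER.items() if o == user)

def statements(subject_for):
    """Ownership triples (subject, predicate, object) under a given naming scheme."""
    return {(subject_for(path), "ownedBy", owner) for path, owner in OWNER.items()}

absolute = statements(lambda path: BASE + path)       # one subject per account
relative = statements(lambda path: BASE + "/account")  # every owner on one subject
```
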