W3C Note - User Agent Authentication FORM elements

  • S. Mike Dierken
    Message 1 of 49 , Jan 30, 2003
      Hey - I just found out there was a note back in 1999 about using HTML forms
      to do authentication.
      I haven't read it fully, but this is one of my pet peeves with HTTP and the
      'visual Web' - no visibility of security information in messages. (leading
      to sessions, cookies, wacky urls, etc.)

      ===
      http://www.w3.org/TR/1999/NOTE-authentform-19990203

      [...]
      This proposal suggests extensions to HTML forms to overcome their present
      security problems by integrating them with HTTP (or other security sublayer)
      mechanisms. It calls for a new type of form; the AUTHFORM and new values for
      the TYPE attribute of the INPUT element and SELECT block.
      [...]
    • Seth Ladd
      Message 49 of 49 , Mar 22, 2003
        S. Alexander Jacobson wrote:
        > I'm sorry. I was waayy too strident (too little
        > sleep).
        >
        > Anyway, the question remains: Is it RESTful for
        > resources to be parametrized by authentication
        > information?


        I don't believe it is. The identity of a thing shouldn't be coupled to
        any Access Control List information I have about that thing.

        Another reason: try to write RDF statements about a bank account, where
        that bank account is identified in a relative way.

        Relative ID: http://example.bank.com/account

        You can't write anything about that account because to truly identify
        it, you need ACL information. And in the HTTP world, the authentication
        is done outside the URI.

        If you had an absolute ID for a bank account, then you can actually say
        things about it.

        Absolute ID: http://example.bank.com/account/12345

        Then, this becomes possible (in RDF):

        <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
                 xmlns:bank="http://example.bank.com/ns#">
          <!-- the bank vocabulary namespace URI above is assumed for the example -->
          <bank:Account rdf:about="http://example.bank.com/account/12345">
            <bank:ownedBy rdf:resource="http://example.com/person/88888"/>
            <bank:balance>$1,334.23</bank:balance>
          </bank:Account>
        </rdf:RDF>

        You can't do the above w/ the Relative ID. All the RDF statements would
        end up saying that *everyone* owns account http://example.bank.com/account.

        This is all true, because HTTP's authentication is done at the protocol
        level, and independent of the URI. The ID of the thing you are trying
        to operate on is not affected by any ACL information.

        Now, having said that, this is a perfectly valid Absolute ID:

        http://example.bank.com/account?owner_id=88888

        But, of course, not as friendly w/ some caches and search engines. And,
        you still have to supply a password (or some authenticating token).

        Hope that helps,
        Seth
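The two designs Seth contrasts, as an added example that is not part of the original thread or Seth's own code: a "relative ID" handler for /account, whose referent is derived from the credential, beside an "absolute ID" handler for /account/<number>, which names one account and therefore needs its own ownership check. Authentication is HTTP Basic carried in a header, so the URI is the same whoever asks; the user names, passwords and account numbers are constructed for the example.

```python
"""Added example (not from the rest-discuss thread): two ways a bank could expose
account resources, contrasting a URI whose referent depends on who is asking
("relative ID") with one that names a single account ("absolute ID") and then
enforces access control separately from identification.

All names, passwords and account numbers here are constructed for the example.
"""
import base64
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical): user -> password, account -> owner/balance.
USERS = {"alice": "s3cret", "bob": "hunter2"}
ACCOUNTS = {
    "12345": {"owner": "alice", "balance": "1334.23"},
    "67890": {"owner": "bob", "balance": "20.00"},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def authenticate(headers: dict) -> Optional[str]:
    """Return the user named by an HTTP Basic Authorization header, or None.

    Authentication lives in the protocol layer (a header), not in the URI: the
    same URI is requested regardless of who is asking.
    """
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[len("Basic "):]).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if sep != ":" or USERS.get(user) != password:
        return None
    return user


def get_relative(headers: dict) -> Response:
    """GET /account  (the 'relative ID' design).

    The URI does not say which account; the referent is derived from the
    credential, so /account denotes a different resource for every caller.
    """
    user = authenticate(headers)
    if user is None:
        return Response(401)
    for number, acct in ACCOUNTS.items():
        if acct["owner"] == user:
            return Response(200, {"account": number, **acct})
    return Response(404)


def get_absolute(number: str, headers: dict) -> Response:
    """GET /account/<number>  (the 'absolute ID' design).

    The URI identifies exactly one account. Because identification is now
    independent of the credential, the handler must add an explicit ownership
    check; without it any authenticated caller could read any account.
    """
    user = authenticate(headers)
    if user is None:
        return Response(401)
    acct = ACCOUNTS.get(number)
    if acct is None:
        return Response(404)
    if acct["owner"] != user:  # authorization, decided separately from identity
        return Response(403)
    return Response(200, {"account": number, **acct})


def basic(user: str, password: str) -> dict:
    """Build an Authorization header for the constructed users above."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    # Same URI, different referent: /account is alice's account for alice, bob's for bob.
    print(get_relative(basic("alice", "s3cret")))
    print(get_relative(basic("bob", "hunter2")))
    # One URI, one referent: /account/12345 is the same thing for everyone,
    # but only its owner may read it.
    print(get_absolute("12345", basic("alice", "s3cret")))
    print(get_absolute("12345", basic("bob", "hunter2")))  # 403: not the owner
    print(get_absolute("12345", {}))                        # 401: no credential
```

The absolute form is the one an RDF statement can be written about, and it is also the one where forgetting the ownership check is a real bug: the credential no longer selects the resource, so it no longer limits it either. Note that answering 404 for unknown accounts and 403 for other people's accounts lets a caller learn which account numbers exist; a service that cares about that collapses both cases to 404 at the cost of a less informative error.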