Re: OT re HTTP auth disassociation of credentials
Yutaka OIWA <y.oiwa <at> aist.go.jp>
2011-10-04 09:02:27 GMT
(added http-auth mailing list, responses preferred to this list)
Recently some browser vendors are trying to incorporate authentication
control with the browser's identity management mechanisms, and they
it may just work for you. I think this trend may allow us a small icon
for authentication control, hopefully.
I am working from a slightly different viewpoint, making HTTP authentication
support more features which are currently only available via form-based
authentication, not limited to log-out control.
My proposal is currently a part of my new HTTP authentication scheme
draft (draft-oiwa-http-mutualauth-09), and I am planning to make it
a separate draft in the next revision.
I put "pre-draft" on our Web page at
(or < https://bit.ly/o3MDq4 > if line wrapping is nasty), and I will submit -00
draft possibly before the Taiwan meeting.
Again, it may be over-engineered for log-out only, but please have a look,
and if you're going to or wish to extend HTTP, it may serve your needs.
On 09/20/11 06:28, Adrien de Croy wrote:
> I think it would be more useful if it could be controlled from the server.
> Hence a status or header.
> However, for browser vendors, since finding screen real-estate is such a
> problem, an approach could be taken similar to the one used to show that a
> site is using TLS and to see certificate information. E.g. a small icon
> showing that the request is authenticated, which could then give details of the
> method, and an option to log out.
> On 20/09/2011 12:43 a.m., Karl Dubost wrote:
>> On 19 Sept. 2011 at 02:37, Jan Algermissen wrote:
>>> FWIW I'd rather see browsers put a logout-button right in the browser GUI.
>>> The button could simply cause the browser to stop sending the credentials.
>> As much as I can see the benefit of it, I do not think this will fly for
>> browser vendors. They are all currently trying to simplify the UI and
>> minimize it. There is also the balance between introducing a new UI
>> feature and the number of times this (HTTP Auth) will be used. For example,
>> Firefox removed the RSS icon (by default).
>> PS: not advocating for any sides of the issue.