On Fri, Nov 6, 2009 at 12:16 PM, Eran Hammer-Lahav <eran at hueniverse.com> wrote:
> The "Basic auth alternative" would be a single request flow with shared
> secret (either symmetric or asymmetric). I am not sure how the flow below
> applies (when compared to Basic auth).

I don't think a basic auth flow based on a single secret is all that interesting, or even possible to implement.

The problem is how you bootstrap the secret.

Is the secret the user's password? That doesn't work with any well-designed password authentication system (see [1]). It won't get deployed.

Is the secret a session cookie? That could work, but you need an answer for bootstrapping the session cookie.

Is the secret an OAuth token? That could also work, but you still need an answer for bootstrapping the token.

I think RSA is one of many possible answers to the bootstrapping problem. Ideally we'll have a bunch of different ways to bootstrap a session secret, and then using the session secret will be easy.

Cheers,
Brian

[1] http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
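The two-phase design Brian sketches (a hard bootstrap step that yields a session secret, followed by easy per-request use of that secret) can be made concrete. The block below is an added illustration written for this archive page; it is not code from the thread, from the OAuth working group, or from any specification. It assumes the password is presented once over an already-protected channel (TLS), and the header names, the canonical-string layout and the sample user and request bodies are constructed for the example. It also shows why the raw password cannot double as the shared secret: the server keeps only a salted PBKDF2 hash, so it has nothing with which to recompute a password-keyed MAC, whereas a freshly generated session secret can be stored and used on both sides.

```python
# Added example (not from the original thread): bootstrap a random session
# secret with a one-time password check, then authenticate each request with
# an HMAC keyed by that session secret.  The server stores only a salted hash,
# so the password itself could never serve as the HMAC key.
import hashlib
import hmac
import os
import secrets
import time

# Server-side state: constructed in-memory stand-ins for a database.
USERS = {}      # username -> (salt, pbkdf2 hash)
SESSIONS = {}   # session id -> session secret (random bytes)


def register(username, password):
    """Store a per-user salt and a salted PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    USERS[username] = (salt, pw_hash)


def bootstrap_session(username, password):
    """Phase 1: verify the password once; hand back (session_id, secret) or None."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, pw_hash = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(candidate, pw_hash):
        return None
    session_id = secrets.token_hex(8)
    session_secret = secrets.token_bytes(32)
    SESSIONS[session_id] = session_secret
    return session_id, session_secret


def canonical_string(method, path, body, timestamp, nonce):
    """Both sides sign exactly these bytes (layout constructed for the example)."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method, path, body_digest, str(timestamp), nonce]).encode()


def sign_request(session_id, session_secret, method, path, body, timestamp, nonce):
    """Phase 2, client side: authenticate one request with the session secret."""
    msg = canonical_string(method, path, body, timestamp, nonce)
    mac = hmac.new(session_secret, msg, "sha256").hexdigest()
    return {"X-Session-Id": session_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac}


def verify_request(headers, method, path, body, now, seen_nonces, max_skew=300):
    """Phase 2, server side: recompute the MAC from the stored session secret.

    Rejects unknown sessions, stale timestamps, replayed nonces and any
    mismatch between the signed canonical string and what was received."""
    secret = SESSIONS.get(headers.get("X-Session-Id", ""))
    if secret is None:
        return False
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > max_skew:
        return False                      # stale or far-future request
    nonce = headers.get("X-Nonce", "")
    if nonce in seen_nonces:
        return False                      # replay of an already-seen request
    msg = canonical_string(method, path, body, ts, nonce)
    expected = hmac.new(secret, msg, "sha256").hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False
    seen_nonces.add(nonce)
    return True


def demo():
    """End-to-end run over constructed sample data; returns named outcomes."""
    register("alice", "correct horse battery staple")   # constructed credentials
    results = {}
    results["wrong_password_rejected"] = bootstrap_session("alice", "wrong") is None
    sid, secret = bootstrap_session("alice", "correct horse battery staple")
    seen, now, body = set(), int(time.time()), b'{"op":"list"}'
    hdrs = sign_request(sid, secret, "POST", "/api/items", body, now, secrets.token_hex(8))
    results["valid_request_accepted"] = verify_request(hdrs, "POST", "/api/items", body, now, seen)
    results["replay_rejected"] = not verify_request(hdrs, "POST", "/api/items", body, now, seen)
    hdrs2 = sign_request(sid, secret, "POST", "/api/items", body, now, secrets.token_hex(8))
    results["tampered_body_rejected"] = not verify_request(
        hdrs2, "POST", "/api/items", b'{"op":"drop"}', now, seen)
    hdrs3 = sign_request(sid, secret, "GET", "/api/items", b"", now - 3600, secrets.token_hex(8))
    results["stale_request_rejected"] = not verify_request(hdrs3, "GET", "/api/items", b"", now, seen)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The split mirrors the argument in the message: everything hard (password handling, salted storage, issuing the secret) lives in `bootstrap_session`, and once a session secret exists, `sign_request` and `verify_request` are a few lines of HMAC plus the usual timestamp and nonce checks. Swapping the password check for an RSA-based or token-based bootstrap changes only phase 1; phase 2 is untouched.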