[Ietf-http-auth] Why is caldav special?

Scott Lawrence slawrence at pingtel.com
Mon Nov 7 18:22:01 PST 2005


On Mon, 2005-11-07 at 15:44 -0800, RL 'Bob' Morgan wrote:
> On Fri, 30 Sep 2005, Jeffrey Altman wrote:
> 
> > Then let's start a list of the reasons why sites use forms instead of 
> > HTTP AUTH:

> > * Using forms places all of the control in the hands of the web site
> >  designer.  The choice of web server, its support for HTTP
> >  authentication, and the APIs to access it can be abstracted out of
> >  the equation.
> 
> This is I think the really big one.  Apps deployers like the web because 
> web pages can be whatever they want to be.  An institutional "weblogin" 
> page can have links to helpdesk info, institutional branding, hooks to 
> things like virus checkers, info about what SSO means, etc.  Or, the login 
> form can be just a part of an app site's main info-rich front page, as it 
> is for most corporate sites these days.
> 
> Now it's true that these pages could replace the username/password fields 
> in these forms with a button that would invoke basic or digest, and still 
> get the benefit of all the web page content.  But I think sites would 
> regard this as a step backwards in a couple of ways.  One is that they 
> regard the browser-popped-up username/password dialog as being an inferior 
> (or at least less site-controlled) user experience (in fact I think a case 
> could be made that most web site designers would prefer never to have 
> browser-controlled UI in the user experience if possible ...).  The other 
> is that they strongly prefer cookies for authentication state maintenance 
> rather than http-auth's replay methods, again because the web site has 
> control over the cookies.

Tried to fix that one years ago...
  http://www.w3.org/TR/1999/NOTE-authentform-19990203

-- 
Scott Lawrence  tel:+1-781-938-5306;ext=162 or sip:slawrence at pingtel.com
  Consulting Engineer - Pingtel Corp.  http://www.pingtel.com/
  sipXpbx project coordinator - SIPfoundry  http://www.sipfoundry.org/sipX




