Also, is this going to handle the case when a website needs to send notifications to a user? There are a lot of cases when a website needs to notify the user of an event (for example when a user receives a message from another user) which is why many websites ask for the email address of the user and also ask them to verify it (which is quite annoying to most users). I came across so many websites on the internet that allow users to sign in using an identity provider (like facebook, twitter, google, openid .. etc — esp. using services like RPX and gigya), then ask the user to enter their email address after they sign in with the identity provider, which makes the whole thing useless.

The whole point of all this is to avoid having to register at every website. I mean, if the website won't get the information it requires to provide its service, and the user will be asked to provide additional information, then what's the point in using this feature in the first place?

I have checked the proposed specification draft but I didn't find anything about this (I haven't read the whole specification, so hopefully I didn't miss anything). Are there any plans to support this case in the specification esp. that it's extremely common on a lot of websites?

Thanks,
Wal

Our goal is also to create a standard user experience for all ways of "connecting" to a website, to enable the smooth rollout of systems other than password systems. Federated login systems like OpenID, or certificate based systems, could also use the infrastructure we describe.

There is also SRP: http://www.ietf.org/rfc/rfc2945.txt

…but I don't know of any defined way to use SRP with HTTP.

Probably the ideal solution would be some hybrid of SRP and Kerberos that incorporates SRP's strong mutual authentication with Kerberos' system of service tickets, requires no storage of any user-key-equivalents on the server, and cuts the HTTP authentication handshake down to the minimum possible number of steps. One can dream…

It is supported in browsers going back to, and including, IE6: http://msdn.microsoft.com/en-us/library/ms995329….

This won't be as easy to implement as what most consumer websites are doing currently, but then again, most of those websites are sending passwords and sensitive session cookies around in the clear (unless they pay for a CA-signed certificate and use SSL encryption).

Anyone already using Kerberos, which is free software actively maintained by MIT, would be able to use this method. This includes the huge install base of large organizations using Active Directory (which uses Kerberos under the hood).

The Kerberos Consortium has, in fact, already put quite a bit of work into enabling exactly this kind of account manager, and created an API for the express purpose of building one: http://www.kerberos.org/events/Board-12-11-07/4-E…

There are a number of worthy authentication protocols that a browser could support in the way you're describing in this article. More than one should be supported. There are good technical reasons for each. For example, the type of authentication factor makes a difference (eg password, "something you know" vs certificate, "something you have").

I urge you to consider kerberos as a protocol worthy of building on for the account manager.