Re: Advice, security specification calls for using system login to do login to web application

pantagruel wrote:
> Hi,
>
> I am reading over a governmental security specification that applies
> to a type of governmental knowledge management application that is
> invariably run over https.
> According to the specification it supposes that login to the
> application will be done by using the user's login to their operating
> system, invariably assumed to be Windows.
No, this invariably assumes NTLM authentication, which is not just limited to
Windows, but is not a part of the HTTP specification.
> Anyway I guess the main thing irritating me about this spec is it
> seems to assume that having authentication done automatically by using
> the OS authentication is inherently more secure than other methods.
It is: a mandatory authentication that pretty much shields the credentials
from being abused by the user or being entered into a spoofed dialogue.