W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1995

Digest Access Authentication proposal - "Authorization"

From: Mary Ellen Zurko <zurko@osf.org>
Date: Wed, 22 Mar 95 9:44:26 EST
Message-Id: <9503221444.AA18900@link.osf.org>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Cc: Me <zurko@osf.org>
It seems that from the start of WWW security, the terms authentication
and authorization have been used in ways that obfuscate the difference
between them. The DAA proposal carries on that grand tradition, but
I'd like to suggest that we get some clarity in the terms, and
propagate it. Authentication is the process of proving
identity. Authorization is the process of deciding if a request will
be honored. Authorization often uses authentication information
(proven identity). Authorization also uses other information, such as
user attributes, object attributes, contextual information, and, most
familiarly, a database associating requests and objects with user
identities (or user attributes). That's files like .htaccess.

As far as I can see, the item called the "Authorization" header in the
DAA proposal just contains authentication information, tightly coupled
to the request it's associated with (authentication information that
isn't tightly coupled with a request is often not useful). The
protocol does authentication, in support of authorization, but does
not necessarily determine where authorization happens. For example, a
server doing authentication for another can redirect, sending it's
stamp of approval on the authentication information in the opaque
field, and the target server could do the actual authorization, based
on the verified authentication.

So, if my plea is compelling, I'd like to see every reference to the
word "authorization" in the DAA proposal excised (except for the
"Unauthorized" status; that's a given). Also, the example conflates
the two by implying that there's a single username and password "for"
a document. It should say that that username/password has authorized
access to the document.

	Mez
Received on Wednesday, 22 March 1995 06:53:23 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:14 EDT