W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1995

Re: Protecting heirarchies

From: Brian Behlendorf <brian@wired.com>
Date: Sun, 9 Apr 1995 21:29:22 -0800 (PST)
To: Gavin Nicol <gtn@ebt.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.BSD.3.91.950409212049.6752Z-100000@get.wired.com>

Two issues:

1) I've seen other situations where "double-authentication" for a given 
object could be desired - consider it analogous to having two dead-bolt 
locks on your front door.  I'd support some way of doing this that can be 
applied for any new form of authentication we dream up (MD5 digesting, 
SHTTP, etc).

2) If root, directory1, and directory2 were all separate Realms with 
separate password files, then essentially you want all authentication 
info up front (if starting at directory 2 and working back) rather than 
only getting the pair at each level.  I could see this as a security hole 
for the Basic scheme at least, given that people in one Realm shouldn't 
be given the authentication information that another Realm needs.  

	Brian

p.s. - in the future, name/password combos will be stored in encrypted 
form on your Digicash Smart Card which you always keep with you, so you 
may never need to type your password ever more than once.  Wheee!


On Mon, 10 Apr 1995, Gavin Nicol wrote:
> Hi. One thing I've been thinking about recently is security. I would
> like to be able to assign different passwords to different levels of
> a heirarchy, and to have the clearances be cumultive:
> 
>   <root>   Basic foo:bar
>      |
>      +----- <directory1>  Basic grok:baz
>                 |
>                 +----- <directory2> Basic foo:pax
> 
> where to get to directory2 via a URL you'd do something like:
> 
>    root/directory1/directory2
> 
> What I want is:
> 
>    1) To get to directory2, you need all the name+password pairs
>    2) That when you move back up, you don't need to reauthenticate
> 
> This isn't directly related to HTTP, but is rather a server-side
> issue. I was wondering is anyone has done this?
> 
>      
> 

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@hotwired.com  brian@hyperreal.com  http://www.hotwired.com/Staff/brian/
Received on Sunday, 9 April 1995 22:34:58 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:15 EDT