W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1996

Re: Where should Digest go next.

From: Peter J Churchyard <pjc@trusted.com>
Date: Sun, 21 Jan 1996 18:39:49 -0500 (EST)
Message-Id: <9601212339.AA18935@hilo.trusted.com>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
As a firewall developer I see the Digest Access Authentication mechanism a
useful construct. I would like to see some additional but compatible 
functionality added to the proposal to do with proxy-authentication.

I would like to see an explicit definition as how it may be used with 
proxy-authenticate. Proxy authenticate currently does not handle nestsed
firewalls very well since the first proxy should strip out the proxy-auth
stuff (:-<

With the addition of an authentication point parameter, a proxy could then
strip only the proxy-auth lines that are applicable to it. This would allow
nested authentication.

One drawback of nested authentication is the shuttling of requests back and
forward between client and proxies. This is best seen if you consider what 
happens if the proxies don't allow re-use.

	client -> proxy     proxy says 407 proxy-auth...

	client ->proxy->server
			    proxy happy, but server wants auth as well.

	client ->proxy	   proxy says 407 again since previous auth is nolonger
			   valid.
	client-proxy->server
			    client finally gets data.

A simple scheme to get around this is to allow servers and proxies to
piggyback the next challenge to the current response..

This is purely an optimisation but makes the whole process work. 

I have experience with this form of auth technique since I implemented
APOP as part of our firewall product.

Pete.
-- 
The TIS Network Security Products Group has moved!
voice: 301-527-9500 x123 fax: 301-527-0482
2277 Research Boulevard, 5th Floor, Rockville, MD 20850
Received on Sunday, 21 January 1996 15:41:44 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:43 EDT