

From: Marc Salomon <mes@slip.net>
Date: Tue, 25 Nov 1997 08:05:09 -0800 (PST)
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.GSO.3.96.971125080007.29925B-100000@slip-3>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/4816

Recycling existing authentication techniques, a server can change the
realm under which a namespace is protected over time while authenticating
against the same credentials.  After the server timed out authorization,
it could challenge a client against a different realm over the same
PATH_INFO namespace (the realm perhaps corresponding to
$domain.$timestamp) and force verifiable reauthentication. 

Only the most reckless clients would try to guess that a set of distinct
realms over the same namespace were "similar" enough to reuse
credentials.  Sloppy clients could make a much safer bet and reuse
credentials for the same realm, same namespace case, effectively ignoring
the proposed message.  I experimented with this a few years ago with
Mosaic and Netscape (v <= 2.0) and I recall that they both stacked up
realms and would send as many authorization responses as realms

The implementation costs on the server side would be only slightly more
expensive than keeping enough state to know when to send a

Received on Tuesday, 25 November 1997 08:08:31 UTC
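The realm-rotation idea in the message above, as an added simulation that is not the author's code and not any real client or server: a server names its realm `$domain.$timestamp`, moves to a fresh realm once the authorization window has timed out, and verifies each response against the current realm, while two client policies are compared, the "sloppy" one that reuses credentials only for the same realm and namespace, and the "reckless" one that reuses them across any realm for the namespace. The Digest computation follows the RFC 2069 form (the realm is hashed into A1, which is what makes the rotation verifiable server-side); the names `DOMAIN`, `TTL`, `USERS`, `Server`, `Client`, the single server-wide nonce and the `prompts` counter standing in for a user password dialog are all constructed for this example.

```python
"""Simulation of rotating the HTTP auth realm to force re-authentication.
Constructed example; everything below is illustrative, not a real server or client."""
import hashlib
import re
import secrets

DOMAIN = "example.test"        # constructed
TTL = 60                       # seconds before the server times out an authorization
USERS = {"alice": "s3cret"}    # constructed credential store, shared across realms


def h(s: str) -> str:
    # MD5 is what RFC 2069 Digest specifies; used here only to mirror that scheme.
    return hashlib.md5(s.encode(), usedforsecurity=False).hexdigest()


def make_realm(domain: str, epoch: int) -> str:
    # The realm form proposed in the message: $domain.$timestamp
    return f"{domain}.{epoch}"


def digest_response(user, password, realm, nonce, method, uri):
    # RFC 2069 form: H(H(A1):nonce:H(A2)) with A1 = user:realm:password, A2 = method:uri.
    # Because the realm is hashed into A1, a response for one realm never verifies under another.
    a1 = h(f"{user}:{realm}:{password}")
    a2 = h(f"{method}:{uri}")
    return h(f"{a1}:{nonce}:{a2}")


def parse_params(header: str) -> dict:
    # Turn 'Digest key="value", key2="value2"' into a dict (sufficient for this simulation).
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


class Server:
    def __init__(self, now: int):
        self.realm_epoch = now            # timestamp baked into the current realm
        self.nonce = secrets.token_hex(8)  # one nonce per realm epoch, a simplification

    def realm(self) -> str:
        return make_realm(DOMAIN, self.realm_epoch)

    def challenge(self):
        return 401, {"WWW-Authenticate": f'Digest realm="{self.realm()}", nonce="{self.nonce}"'}

    def handle(self, method: str, uri: str, authorization, now: int):
        # Once the authorization window has timed out, switch to a fresh realm (and nonce):
        # the same stored credentials stay valid, but every client must answer a new challenge.
        if now - self.realm_epoch >= TTL:
            self.realm_epoch = now
            self.nonce = secrets.token_hex(8)
        if authorization is None:
            return self.challenge()
        p = parse_params(authorization)
        password = USERS.get(p.get("username"))
        if (password is None or p.get("realm") != self.realm()
                or p.get("nonce") != self.nonce or p.get("uri") != uri):
            return self.challenge()        # stale realm or nonce: verifiably not a fresh answer
        expected = digest_response(p["username"], password, self.realm(), self.nonce, method, uri)
        if not secrets.compare_digest(expected, p.get("response", "")):
            return self.challenge()
        return 200, {}


class Client:
    def __init__(self, user, password, reuse_across_realms=False):
        self.user, self.password = user, password
        self.reuse_across_realms = reuse_across_realms  # True models the "reckless" client
        self.cache = {}       # (realm, namespace) -> credentials: the "sloppy" same-realm policy
        self.prompts = 0      # stands in for asking the user for a password
        self.last_authorization = None

    @staticmethod
    def namespace(uri: str) -> str:
        return uri.rsplit("/", 1)[0] + "/"

    def credentials_for(self, realm, ns):
        creds = self.cache.get((realm, ns))
        if creds is None and self.reuse_across_realms:
            # Guess that a different realm over the same namespace is "similar enough".
            creds = next((c for (_, n), c in self.cache.items() if n == ns), None)
        if creds is None:
            self.prompts += 1
            creds = (self.user, self.password)
        self.cache[(realm, ns)] = creds
        return creds

    def fetch(self, server, method, uri, now):
        status, headers = server.handle(method, uri, None, now)
        if status == 401:
            c = parse_params(headers["WWW-Authenticate"])
            user, password = self.credentials_for(c["realm"], self.namespace(uri))
            resp = digest_response(user, password, c["realm"], c["nonce"], method, uri)
            self.last_authorization = (f'Digest username="{user}", realm="{c["realm"]}", '
                                       f'nonce="{c["nonce"]}", uri="{uri}", response="{resp}"')
            status, headers = server.handle(method, uri, self.last_authorization, now)
        return status


def run(reuse_across_realms: bool):
    """Two requests inside the TTL, then one after the realm has rotated.
    Returns (statuses, number of user prompts)."""
    server = Server(now=1000)
    client = Client("alice", "s3cret", reuse_across_realms)
    statuses = [client.fetch(server, "GET", "/private/a", 1000),
                client.fetch(server, "GET", "/private/b", 1010),
                client.fetch(server, "GET", "/private/a", 1100)]
    return statuses, client.prompts


def stale_response_rejected() -> bool:
    """An Authorization header computed under the old realm fails after rotation."""
    server = Server(now=1000)
    client = Client("alice", "s3cret")
    client.fetch(server, "GET", "/private/a", 1000)
    status, _ = server.handle("GET", "/private/a", client.last_authorization, 1100)
    return status == 401


if __name__ == "__main__":
    print("same-realm reuse:", run(False))   # rotation forces a second prompt
    print("cross-realm reuse:", run(True))   # reckless client never re-prompts
    print("stale response rejected:", stale_response_rejected())
```

The two `run` outcomes show where the cost of this scheme sits: the server's only extra state is the realm epoch, and a stale response is rejected regardless of client behaviour, but whether the user is actually re-prompted depends entirely on how the client keys its credential cache.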

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:40:21 UTC