
Re: Proposal for new HTTP 1.1 authentication scheme

From: <Eric_Houston/CAM/Lotus@lotus.com>
Date: Tue, 9 Dec 1997 18:13:35 -0500
To: John Franks <john@math.nwu.edu>, Scott Lawrence <lawrence@agranat.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <85256568.007F5E6A.00@mta2.lotus.com>
I don't quite get it...  But it sounds like digest authentication does some
neat stuff.  So is this in common usage?  Do existing servers and browsers
implement this fully?
-e
John Franks <john@math.nwu.edu> on 12/07/97 08:43:59 AM

To:   Scott Lawrence <lawrence@agranat.com>
cc:   Eric Houston/CAM/Lotus, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Subject:  Re: Proposal for new HTTP 1.1 authentication scheme
On Fri, 5 Dec 1997, Scott Lawrence wrote:
>
> Digest authentication already includes a mechanism (the 'domain'
> attribute; see section 3.2.1 of draft-ietf-http-authentication-00) to
> specify that credentials may be used on multiple servers, and through the
> 'digest' attribute allows for mutual authentication.
>
> There is also the model of Kerberos to consider - developing a
> ticket-based authentication scheme (with the advantages and problems of
> any third-party mechanism) would be another area to explore.
>
I believe that the original intent of the "opaque" field in the digest
authentication header may have been precisely for such a ticket.  A
request could be referred to an "authentication server" which would
redirect to a server that could check the ticket in the opaque field
and satisfy the request.  In this way only the authentication server
would need to know all user passwords.  The document servers would
only need to know a single secret shared with the authentication
server.
John Franks
john@math.nwu.edu
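The ticket idea Franks sketches (an authentication server mints something that travels in the opaque field; document servers check it with one secret shared with the authentication server and never see a password) as an added illustration that is not part of the thread and not taken from any RFC or draft: the ticket layout, the HMAC construction, the `issue_ticket`, `verify_ticket` and `opaque_from_header` helpers, and the realm and secret values are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed secret shared by the authentication server and the document
# servers (an assumption; it would be provisioned out of band in practice).
SHARED_SECRET = b"constructed-shared-secret"
TAG_LEN = hashlib.sha256().digest_size

def issue_ticket(user, realm, ttl, secret=SHARED_SECRET, now=None):
    """Authentication server: after the user's password has been checked
    (not shown), mint a ticket binding user, realm and expiry under an HMAC."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"user": user, "realm": realm, "exp": now + ttl},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    # base64url keeps the value safe inside the quoted opaque="..." attribute
    return base64.urlsafe_b64encode(payload + tag).decode().rstrip("=")

def verify_ticket(ticket, realm, secret=SHARED_SECRET, now=None):
    """Document server: check the HMAC with the shared secret only, then the
    realm and expiry; returns the user name or None. No password needed."""
    now = int(time.time()) if now is None else now
    ticket = ticket or ""
    try:
        raw = base64.urlsafe_b64decode(ticket + "=" * (-len(ticket) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if claims.get("realm") != realm or claims.get("exp", 0) < now:
        return None
    return claims.get("user")

def opaque_from_header(header):
    """Extract the opaque="..." value from a Digest Authorization header
    (a simple quoted-string match, enough for this constructed example)."""
    m = re.search(r'\bopaque="([^"]*)"', header)
    return m.group(1) if m else None
```

A tampered, expired, wrong-realm or wrong-secret ticket is rejected by `verify_ticket` before any claim inside it is trusted.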
Received on Wednesday, 10 December 1997 01:42:06 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:04 EDT