W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

Re: Proposal for new HTTP 1.1 authentication scheme

From: Scott Lawrence <lawrence@agranat.com>
Date: Thu, 11 Dec 1997 09:24:05 -0500
Message-Id: <199712111424.JAA00855@devnix.agranat.com>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/4903

>>>>> "EH" == Eric Houston:

EH> Two new refinements that I would like to make:

EH> 1) When the content server redirects the request to the authentication
EH> server, it encrypts the ACL for the protected resource.  The authentication
EH> server then validates the user against the (decrypted) ACL

  Whoa - this is authentication, not authorization.  The purpose is to
  provide a trustable identity for the end user without exposing the
  means of doing so to the world, not to do access control.  Access
  control depends on authentication, but authentication does not
  include access control.  I believe that any discussion of ACLs is
  out of scope for this specification.

Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/
Received on Thursday, 11 December 1997 06:26:02 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:40:21 UTC