RE: Proposal for new HTTP 1.1 authentication scheme

From: <Eric_Houston/CAM/Lotus@lotus.com>
Date: Wed, 17 Dec 1997 10:57:23 -0500
To: Paul Leach <paulle@microsoft.com>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Cc: jg@pa.dec.com
Message-Id: <85256570.005672FA.00@mta2.lotus.com>
>>>>> "PL" == Paul Leach
>>>>> "EH" == Eric Houston

PL> (Personally, I don't see why the content server can't evaluate the ACL
PL> itself.
PL>
The goal is to separate the directory server from the content server; do
not replicate the directory onto the content server; do not use LDAP for
authentication OR authorization (on the back end).  Do authentication and
authorization on the "authentication/authorization" server.  When visitors
are registered on your site, they are instantly "registered" (authorized)
on all content servers because there is only one
authentication/authorization server.

EH> 2) Could re-directed authentication be layered on top of the existing
EH> schemes so that it could be used with basic, digest, and X.509?
EH>
PL> Re-directed authentication is totally transparent to the client, so
PL> talking about "on top of existing schemes" is not meaningful.
PL>
The point is, regardless of the scheme, to separate the directory services
from the content services.
Can we make this authentication/authorization protocol generic enough to
(optionally) use X.509 certs?
If that is possible, I don't want to require them to be on the content
server...

Eric Houston
Received on Wednesday, 17 December 1997 08:09:34 EST