
RE: Proposal for new HTTP 1.1 authentication scheme

From: <Eric_Houston/CAM/Lotus@lotus.com>
Date: Wed, 17 Dec 1997 10:57:23 -0500
To: Paul Leach <paulle@microsoft.com>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Cc: jg@pa.dec.com
Message-Id: <85256570.005672FA.00@mta2.lotus.com>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/4992
>>>>> "PL" == Paul Leach
>>>>> "EH" == Eric Houston

PL> (Personally, I don't see why the content server can't evaluate the ACL
PL> itself.
The goal is to separate the directory server from the content server; do
not replicate the directory onto the content server; do not use LDAP for
authentication OR authorization (on the back end). Do authentication and
authorization on the "authentication/authorization" server. When visitors
are registered on your site, they are instantly "registered" (authorized)
on all content servers because there is only one
authentication/authorization server.
EH> 2) Could re-directed authentication be layered on top of the existing
EH> schemes so that it could be used with basic, digest, and X.509?
PL> Re-directed authentication is totally transparent to the client, so
PL> about "on top of existing schemes" is not meaningful.
The point is, regardless of the scheme, to separate the directory services
from the content services.
Can we make this authentication/authorization protocol generic enough to
(optionally) use X.509 certs?
If that is possible, I don't want to require them to be on the content

Eric Houston
Received on Wednesday, 17 December 1997 08:09:34 UTC
