Ian Hickson wrote:
> We need a terminology section that defines these terms so we can use them
> in these conversations.
>
> party A: original server
> party B: third-party server, service provider
> party U: user, client, user agent, browser
>
> U visits A, which returns a page that then attempts to communicate with B.
>
>
> On Wed, 13 Feb 2008, John Panzer wrote:
>
>> What mechanism do you propose clients and servers implement and use to
>> authenticate users for CSR requests?
>>
>
> HTTP Authentication and/or cookies, like they do now. If the user isn't
> logged in, the third-party server would return an error to the client, and
> the page from the original server would then redirect the user to the
> third-party server (the service provider) to get them to log in.
>
>
>
>> Because servers have to implement _something_. Realistic mechanisms
>> have to be resistant to distributed brute force attacks even without
>> AC4CSR (thank you, Storm Worm). On a side note, I hope that servers
>> opting in to CSR would never consider using username/password auth on
>> each request. Since it is possible to implement username/password auth
>> in ways opaque to browsers ("&u=foo&pass=bar"), perhaps this is worth a
>> note in the security section.
>>
>
> The original server shouldn't ever have access to the _user's_
> credentials, certainly.
>

To try to be more concise:

Cookies can (somewhat) prove "I am user X". They can't prove "I authorized this request." I'm concerned about the latter.

Don't know if that helps... :)

Received on Wednesday, 13 February 2008 22:05:11 GMT
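The distinction in the reply above (a cookie proves who the user is, not that the user authorized this particular request) is what a third-party server (party B) has to enforce itself. The following is an added illustration, not code from the thread or from any AC4CSR implementation: a minimal authorization check for B in which a session cookie alone is enough for safe methods, but a state-changing request must also carry a per-session token that a page served by party A cannot read, and (as an assumption going beyond the thread) an `Origin` header, if present, must name B itself. The names `SESSIONS`, `csrf_token` and `authorize_request`, the secret and the hostnames are all constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

SECRET = b"constructed-server-secret"      # server-side only; constructed value
SESSIONS = {"sess-abc": "alice"}           # cookie value -> user logged in at party B


@dataclass
class Request:
    """A constructed stand-in for an HTTP request as party B would see it."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    """Per-session token derived from the cookie with an HMAC.

    B embeds it in its own pages; a page from party A never sees it, so the
    browser sending the cookie automatically does not also send the token."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def identify(req: Request):
    """What the cookie proves: 'I am user X', or nobody."""
    return SESSIONS.get(req.cookies.get("sid"))


def authorize_request(req: Request, allowed_origins=("https://b.example",)):
    """Return (status, detail). Identity comes from the cookie; authorization
    of a state-changing request needs the token (and a plausible Origin)."""
    user = identify(req)
    if user is None:
        return (401, "login required")          # B tells the client to log in
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return (200, user)                      # safe method: no state change
    origin = req.headers.get("Origin")          # assumption: browser may send it
    if origin is not None and origin not in allowed_origins:
        return (403, "cross-site origin")
    token = req.form.get("csrf") or req.headers.get("X-CSRF-Token")
    if not token or not hmac.compare_digest(token, csrf_token(req.cookies["sid"])):
        return (403, "missing or wrong csrf token")
    return (200, user)                          # identity and authorization shown
```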