Re: sketch of a simple authentication protocol

tor 2008-04-03 klockan 09:55 +0100 skrev Toby A Inkster:

> An additional detail which is missing in your diagramme is: what  
> happens if Romeo's client doesn't send an Agent-Id header (I used  
> HTTP "From" header originally, but it doesn't really matter what the  
> header is called)

In HTTP this usually results in a 401 Unauthorized, asking the requestor
to identify himself..

> or Juliette decides she doesn't trust Romeo.

Thats usually a 401 (identity not trusted, please supply another) or 403
(I know you but do not want to speak to you).

In the response entity or headers you MAY provide additional
information, such as the location of the public profile, just as you MAY
on any response.

I think it in this case can be assumed the requestor already knows the
public profile, no need to redirect back there, and such redirections
only risk resulting in some implementations entering a loop..

Regards
Henrik

Received on Saturday, 5 April 2008 22:38:46 UTC