Authentication, security requirements

Here is my initial attempt at writing down the requirements that
distributed authoring and versioning have for authentication and security.
My intent here is to come to an understanding of what features we need so
we can see what other technologies best provide these features.  My current
opinion is that this group should not concern itself with developing a new
authentication or secure transmission scheme, but use the best existing
technology that meets our requirements.

Authentication.  It should be possible to guarantee that a given HTTP
message comes from a particular person.

When writing a document, it is necessary to check that the person writing
the document has write permission.  In most access control schemes, this
involves taking the name of the person and performing a lookup in an access
control table or determining membership in an access control list.
Checking access control permissions requires knowledge that the person
requesting the action is, in fact, who they say they are.  Similar problems
result when performing a checkout, a checkin, or taking out a lock, which
require checking for permission to perform the operation, and storing the
name of the person who requested the operation.

The HTTP/1.1 protocol, in section 11, "Access Authentication," provides a
framework which can be used by many different authentication schemes.


Secure transmission.  It should be possible to write either a full or
partial resource so there is a reasonable guarantee the contents will be
private during transit.

Transmitting a resource over the network in its native format opens up the
possibility that a third party could snoop network packets and recreate the
contents of the resource.  This is clearly undesirable in a wide variety of
contexts.  There is a need to ensure that people using remote authoring can
do so with reasonable confidence they are not compromising their
information.

** Is this capability provided by SSL?


I welcome your feedback, especially if you feel I have missed any key
requirements.

- Jim

Received on Tuesday, 24 September 1996 20:11:42 UTC
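An added illustration of the authentication requirement in the message above (not part of the original post, and not any project's code): a write or lock request is authenticated first, and only the verified name is used for the access control lookup and recorded as the lock holder. The Basic scheme, the user table, the ACL, the resource path and the operation names are all constructed assumptions.

```python
import base64, hashlib, hmac

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: users, passwords, ACL and path are hypothetical.
USERS = {u: (s, _hash(p, s)) for u, p, s in
         [("jim", "pw-jim", b"salt1"), ("ann", "pw-ann", b"salt2")]}
ACL = {"/spec/draft.html": {"write": {"jim", "ann"}, "lock": {"jim"}}}
LOCKS = {}  # path -> authenticated name of the lock holder

def basic(user, password):
    """Build the Authorization header a client would send (Basic scheme)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def authenticate(headers):
    """Return the verified user name, or None if the credentials do not check out."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    user, sep, password = decoded.partition(":")
    salt, stored = USERS.get(user, (b"-", b""))
    if not sep or not hmac.compare_digest(_hash(password, salt), stored):
        return None
    return user

def handle(op, path, headers):
    """Authenticate first, then consult the ACL, then perform op ('write' or 'lock')."""
    user = authenticate(headers)
    if user is None:  # identity unproven: challenge, never fall through to the ACL
        return 401, {"WWW-Authenticate": 'Basic realm="authoring"'}
    if user not in ACL.get(path, {}).get(op, set()):
        return 403, {}
    holder = LOCKS.get(path)
    if holder is not None and holder != user:
        return 409, {}  # resource is locked by someone else
    if op == "lock":
        LOCKS[path] = user  # owner is the authenticated name, not a client-supplied one
    return 200, {}
```

Basic credentials are only base64-encoded, so this check is only as strong as the confidentiality of the connection carrying them, which is the secure transmission requirement in the same message.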