
Re: user credential passing standard

From: <tvaughan@aventail.com>
Date: Thu, 15 Apr 1999 13:46:22 -0400 (EDT)
To: "Nottingham, Mark (Australia)" <mark_nottingham@exchange.au.ml.com>
Cc: www-talk@w3.org
Message-ID: <7qk8vd22vx.fsf@rehab.in.aventail.com>

Interesting. Thanks. Perhaps I should elaborate.

What I am interested to know is, is there a (proposed) standard way to share 
user credentials among servers (within or not within the same domain) who
do *not* share a common authentication back-end, but yet who *do* share a
common user population?

For example, let's say I have a reverse proxy that can authenticate users
via challenge-response to a RADIUS server. And the origin server is a
web server, with some CGI script that talks to a database. But this CGI
script needs a user id to do what it does. This CGI script *could* do Basic 
or Digest Auth to get this user id, or the reverse proxy *could* send a user
id to the origin server.

My thinking was that perhaps the reverse proxy could send this user id as
an encrypted cookie. And the trust relationship between the servers would
be established by the sharing of the private key.

I guess the proposed Digest Auth solution could be made to work, but that
would require a shared secret on a per-user, not per-server basis, and
would not allow the user credentials to contain anything other than a user
id, like group membership - provided I understand this correctly.

Or is this too unique a situation to bother other people about? What
motivated you to ask this question?

Much Thanks,

"Nottingham, Mark (Australia)" <mark_nottingham@exchange.au.ml.com> writes:

> I asked a similar question on HTTPwg a while back, and got a few interesting
> responses. Check the mailing list.
> Probably the best is from Jim Gettys:
> >The revised digest authentication can be implemented to allow cross server 
> >sharing of authentication information (without the danger of stealing 
> >of one header allowing access to other servers), which should solve this 
> >problem (without the kludging of using a proxy to do the translations).
> >
> >The back end servers can communicate among themselves the authentication
> >information with whatever protocol is appropriate (e.g. Kerberos).
> >
> >This was one of the major flaws in RFC2069, and is being fixed in
> >the revision.  Paul Leach had the idea that makes this feasible
> >after 2069 was issued.
> >
> >Please look at a current draft of the revision to see the details.
> Digest auth definitely has this capability, and is (more) secure.
> Unfortunately, there still aren't many browsers who support Digest (haven't
> checked with the latest, but if any of your users use even moderately old
> ones, you're out of luck).
> Hope this helps,
> > -----Original Message-----
> > From: tvaughan@aventail.com [mailto:tvaughan@aventail.com]
> > Sent: Thursday, April 15, 1999 4:23 AM
> > To: www-talk@w3.org
> > Subject: user credential passing standard
> > 
> > 
> > Is there a standard way to pass user credentials from one web 
> > server/proxy
> > to another web server/proxy? Like encrypted cookies or something.
> > 
> > -Tom
> > 

Tom Vaughan <tvaughan at aventail dot com>
Received on Thursday, 15 April 1999 16:39:37 UTC
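As an added example (not code from the thread or from Aventail), here is one way to build the proxy-to-origin credential cookie Tom describes so that it carries a user id plus group memberships under a per-server shared key rather than a per-user secret. It uses an HMAC-SHA256 tag from the standard library instead of encryption, and binds each cookie to a target server and an expiry so that a cookie minted for one origin server is rejected by another, the cross-server theft concern raised in the quoted Gettys note; the function names, field names and key value are all assumed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample value; in practice one key per (proxy, origin server) pair.
SHARED_KEY = b"constructed-per-server-shared-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_credential(key, user_id, groups, audience, ttl=300, now=None):
    """Reverse-proxy side: mint the cookie after RADIUS challenge-response succeeds."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "groups": sorted(groups), "aud": audience, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def verify_credential(key, token, audience, now=None):
    """Origin/CGI side: return the claims, or None if the cookie is not trustworthy."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time compare; a forged or altered cookie fails before any claim is read.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # covers bad base64, bad JSON and a missing separator
        return None
    # Audience binding: a cookie issued for one origin server is useless at another.
    if claims.get("aud") != audience:
        return None
    # Short lifetime bounds the replay window if a cookie is captured in transit.
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```

The tag gives integrity only; if the user id or group list must also be hidden from the browser, wrap the body in authenticated encryption (e.g. an AEAD from a maintained crypto library) under the same per-server key, and carry the cookie over TLS between proxy and origin.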
