Re: User credential passing standard

Neil Gulati <ngulati@scu.edu.au> writes:

> Dear All,
> 
> > You didn't mention if the servers are in the same Domain.  If they are then
> > using a combination of Domain cookies and a common authentication server to
> > your servers would probably do the trick.
> 
> I hope this is not too far off the subject of a *STANDARD*...
> at least it is coming from the working end of the matter.
> 
> I am about to extend mod_auth_cookie for apache to use encrypted cookies for one domain only.
> We already use kerberos authentication so mod_auth_cookie_crypt (whatever) will work with it.

The way I understand mod_auth_cookie is that it just provides another way
to obtain a username and static passwd. This username and static passwd
_still_ must be validated somehow. I guess you just want to have this data
encrypted while it's on the wire. You could use SSL and get the same
results.

This really isn't what I mean by credential sharing. What I mean is passing
a user id and other credentials from server to server, such that the
servers will _trust_ these credentials to be true.

> Trouble is, I don't even understand apache configuration (*YET*).
> I would also like to support the progress of apache.
> If I can write the module to conform to any likely standard, I will.
> I am also going to have a look at using PGP (which I will have a learning curve with too).

Do you plan on releasing this module? IMHO requiring proprietary software
would be a bad idea. As well as requiring any patented algorithms. AFAIK PGP 
cannot be used as an SDK either.

Why do you want to use public key? Why not DES or something similar? This
makes the trust model much ... err ... umm ... better.

> 
> Can *ANYONE* help me with good URLs to look at or *ANY* information at all?

http://www.apache.org/ would be a good start. And perhaps
http://www.d.shuttle.de/isil/gnupg/ if you are truly bent on using PGP.

-Tom

Received on Tuesday, 20 April 1999 13:20:39 UTC
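
Added example, not part of the original message or of mod_auth_cookie: a sketch of the server-to-server credential passing discussed above, where a common authentication server issues a credential that other servers in the domain trust because it verifies under a shared symmetric key. It uses HMAC-SHA256 rather than the DES mentioned in the message; the key, the token layout, the 300-second lifetime and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed shared secret: every server in the domain holds the same key.
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE = 300  # seconds a credential stays valid (assumed policy)


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def issue_credential(user_id: str, now: int, key: bytes = SHARED_KEY) -> str:
    """Authentication server: bind the user id and an expiry time under a MAC."""
    payload = f"{user_id}|{now + MAX_AGE}".encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64(payload)}.{b64(tag)}"


def verify_credential(token: str, now: int, key: bytes = SHARED_KEY):
    """Receiving server: return the user id if the credential is trusted, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong field count or invalid base64
        return None
    # Authenticate first; only a payload that verifies is parsed.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        user_id, expiry = payload.decode("utf-8").rsplit("|", 1)
        expires_at = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None
    # Reject stale credentials so a captured cookie cannot be replayed forever.
    if now >= expires_at:
        return None
    return user_id
```

The receiving server never sees a password; it trusts the user id only because the tag verifies, so any server holding the key can also mint credentials.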