W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

Re: Proposal for new HTTP 1.1 authentication scheme

From: John Franks <john@math.nwu.edu>
Date: Sun, 7 Dec 1997 07:43:59 -0600 (CST)
To: Scott Lawrence <lawrence@agranat.com>
Cc: Eric_Houston/CAM/Lotus@lotus.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.LNX.3.95.971207073832.30159B-100000@hopf.math.nwu.edu>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/4852
On Fri, 5 Dec 1997, Scott Lawrence wrote:

> Digest authentication already includes a mechanism (the 'domain'
> attribute; see section 3.2.1 of draft-ietf-http-authentication-00) to
> specify that credentials may be used on multiple servers, and through the
> 'digest' attribute allows for mutual authentication.  
> There is also the model of Kerberos to consider - developing a
> ticket-based authentication scheme (with the advantages and problems of
> any third-party mechanism) would be another area to explore.

I believe that the original intent of the "opaque" field in the digest
authentication header may have been precisely for such a ticket.  A
request could be referred to an "authentication server" which would
redirect to a server that could check the ticket in the opaque field
and satisfy the request.  In this way only the authentication server
would need to know all user passwords.  The document servers would
only need to know a single secret shared with the authentication

John Franks
Received on Sunday, 7 December 1997 05:31:57 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:16:28 UTC