On Fri, 5 Dec 1997, Scott Lawrence wrote: > > Digest authentication already includes a mechanism (the 'domain' > attribute; see section 3.2.1 of draft-ietf-http-authentication-00) to > specify that credentials may be used on multiple servers, and through the > 'digest' attribute allows for mutual authentication. > > There is also the model of Kerberos to consider - developing a > ticket-based authentication scheme (with the advantages and problems of > any third-party mechanism) would be another area to explore. > I believe that the original intent of the "opaque" field in the digest authentication header may have been precisely for such a ticket. A request could be referred to an "authentication server" which would redirect to a server that could check the ticket in the opaque field and satisfy the request. In this way only the authentication server would need to know all user passwords. The document servers would only need to know a single secret shared with the authentication server. John Franks john@math.nwu.eduReceived on Sunday, 7 December 1997 05:31:57 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:16:28 UTC