- From: <Eric_Houston/CAM/Lotus@lotus.com>
- Date: Wed, 17 Dec 1997 10:57:23 -0500
- To: Paul Leach <paulle@microsoft.com>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
- Cc: jg@pa.dec.com
>>>>> "PL" == Paul Leach
>>>>> "EH" == Eric Houston

PL> (Personally, I don't see why the content server can't evaluate the ACL
PL> itself.
PL>

The goal is to separate the directory server from the content server; do not replicate the directory onto the content server; do not use LDAP for authentication OR authorization (on the back end). Do authentication and authorization on the "authentication/authorization" server. When visitors are registered on your site, they are instantly "registered" (authorized) on all content servers because there is only one authentication/authorization server.

EH> 2) Could re-directed authentication be layered on top of the existing
EH> schemes so that it could be used with basic, digest, and X.509?
EH>
PL> Re-directed authentication is totally transparent to the client, so talking
PL> about "on top of existing schemes" is not meaningful.
PL>

The point is, regardless of the scheme, to separate the directory services from the content services. Can we make this authentication/authorization protocol generic enough to (optionally) use X.509 certs? If that is possible, I don't want to require them to be on the content server...

Eric Houston
Received on Wednesday, 17 December 1997 08:09:34 UTC