- From: Mary Ellen Zurko <zurko@osf.org>
- Date: Wed, 22 Mar 95 12:03:14 EST
- To: Owen Rees <rtor@ansa.co.uk>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, Me <zurko@osf.org>
Hi Owen, > The credentials are authorization information; "This request is from <username> > who claims the right to access <requested-uri> in <realm>" I'm not sure I see what sense you consider this authorization information. As I pointed out, even clear authentication information is an input to authorization decisions, so it's not incorrect to call even the digest "information for the authorization decision". It does, however, confuse people to call either the digest or the credentials (in this case) simply "authorization information". The credentials do not drive the authorization decision the way capabilities (or, if I dare, ANSA credentials :-) drive authorization decisions. They're not emitted and protected by a trusted authority; they don't (usually) grant authorization by their very existance. What they do is tie the request (at some level) to the authentication information. Both the request (method and URI) and the authentication information (username and realm; the realm is strictly for authentication I believe) are necessary for the authorization decision. But, I would argue (I do argue :-), the information that drives the authorization decision is more likely to be a database like the .htaccess file (or a separately passed capability or ANSA-like credential, vouched for by an appropropriate authorization authority). Mez
Received on Wednesday, 22 March 1995 09:58:57 UTC