- From: Dave Kristol <dmk@allegra.att.com>
- Date: Wed, 26 Jul 95 15:30:08 EDT
- To: hallam@w3.org
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
"Phillip M. Hallam-Baker" <hallam@w3.org> wrote:

> Concerning the tying of the username to the realm, this was a deliberate choice
> on my part. If a user has the same username/password on multiple machines a
> system manager at one site could obtain access to the other if there was
> nothing to differentiate them. It's a realm name and not the server name to
> permit multiple servers to share the same authentication data. What is missing
> is the requirement that the realm name should be an INTERNIC reserved one, e.g.
> we could use w3.org or blink.w3.org. I think this prevents collisions in the
> desired manner.

[...]

I'm obviously missing something here concerning realms. I've seen realms used:

1) As a name in Web servers, to distinguish separately protected domains of information.
2) As a component of the WWW-Authenticate response header.
3) As the prompt from a Web browser for a user to authenticate him/herself.

I've argued (unsuccessfully, so far) that (1) and (3) should be separated.

Now Phillip seems to suggest that the realm should be something the INTERNIC registers. I don't understand why. The client knows the server it connected to, so presumably it can distinguish realm R on server S1 from realm R on server S2.

If he's arguing that the server name should be incorporated in the Digest method hash, in addition to the realm, that's reasonable, provided both client and server agree on what that name is.

Dave Kristol
Received on Wednesday, 26 July 1995 12:38:22 UTC
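To make concrete why binding the realm into the hash matters, here is an added Python example (not part of this thread or of any draft text) using the H(A1) = MD5(username:realm:password) construction of RFC 2069 Digest authentication: the same username and password give different H(A1) values in the realms w3.org and blink.w3.org, so a server holding the stored H(A1) for one realm cannot validate a response computed for the other. The username, password and nonce values are constructed.

```python
import hashlib


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # H(A1): the realm is hashed together with the credentials, so the
    # server need only store this value, never the password itself.
    return md5hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    # H(A2) for the plain (non-auth-int) case: method and request URI.
    return md5hex(f"{method}:{uri}")


def digest_response(h_a1: str, nonce: str, method: str, uri: str) -> str:
    # RFC 2069 request-digest: H( H(A1) ":" nonce ":" H(A2) )
    return md5hex(f"{h_a1}:{nonce}:{ha2(method, uri)}")


def server_verify(stored_ha1: str, nonce: str, method: str, uri: str,
                  presented: str) -> bool:
    # The server recomputes the digest from its stored H(A1) and compares.
    return digest_response(stored_ha1, nonce, method, uri) == presented


def realm_isolation_demo() -> dict:
    # Constructed sample credentials; realm names are the two from the thread.
    user, password = "dmk", "correct horse battery"      # constructed
    realm_a, realm_b = "w3.org", "blink.w3.org"
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"          # constructed
    method, uri = "GET", "/dir/index.html"

    h1_a = ha1(user, realm_a, password)   # what server A stores
    h1_b = ha1(user, realm_b, password)   # what server B stores

    # Client answers a challenge issued by server B (realm blink.w3.org).
    response_for_b = digest_response(h1_b, nonce, method, uri)

    return {
        "same_ha1": h1_a == h1_b,                                   # False
        "accepted_by_b": server_verify(h1_b, nonce, method, uri, response_for_b),  # True
        "accepted_by_a": server_verify(h1_a, nonce, method, uri, response_for_b),  # False
    }
```

Because H(A1) differs per realm, a stored H(A1) from one realm is useless for answering a challenge in another, which is the separation Phillip's quoted text describes; adding the server name to the hashed string, as Dave suggests, would narrow the scope further.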