- From: Peter J Churchyard <pjc@trusted.com>
- Date: Sun, 21 Jan 1996 18:39:49 -0500 (EST)
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
As a firewall developer I see the Digest Access Authentication mechanism as a useful construct. I would like to see some additional but compatible functionality added to the proposal to do with proxy-authentication.

I would like to see an explicit definition as to how it may be used with proxy-authenticate.

Proxy authenticate currently does not handle nested firewalls very well since the first proxy should strip out the proxy-auth stuff (:-<

With the addition of an authentication point parameter, a proxy could then strip only the proxy-auth lines that are applicable to it. This would allow nested authentication.

One drawback of nested authentication is the shuttling of requests back and forward between client and proxies. This is best seen if you consider what happens if the proxies don't allow re-use.

    client -> proxy           proxy says 407 proxy-auth...
    client ->proxy->server    proxy happy, but server wants auth as well.
    client ->proxy            proxy says 407 again since previous auth is no longer valid.
    client ->proxy->server    client finally gets data.

A simple scheme to get around this is to allow servers and proxies to piggyback the next challenge to the current response. This is purely an optimisation but makes the whole process work.

I have experience with this form of auth technique since I implemented APOP as part of our firewall product.

Pete.
--
The TIS Network Security Products Group has moved!
voice: 301-527-9500 x123 fax: 301-527-0482
2277 Research Boulevard, 5th Floor, Rockville, MD 20850
Received on Sunday, 21 January 1996 15:41:44 UTC
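
The exchange described in the message above, as an added simulation that is not part of the original post and is not the author's or TIS's code: it counts client round trips through one proxy to a server when every challenge is single-use, with and without piggybacking the next challenge on the current response. The class and function names, the SHA-256 stand-in for the digest response, and the secrets are assumptions constructed for this example.

```python
import hashlib
import itertools

def respond(nonce, secret):  # stand-in for a digest response, not the real Digest algorithm
    return hashlib.sha256(f"{nonce}:{secret}".encode()).hexdigest()

class AuthPoint:  # a proxy or origin server; every challenge is single-use
    def __init__(self, name, secret, piggyback):
        self.name, self.secret, self.piggyback = name, secret, piggyback
        self.serial, self.outstanding = itertools.count(1), None
    def challenge(self):
        self.outstanding = f"{self.name}-{next(self.serial)}"
        return self.outstanding
    def check(self, cred):
        ok = cred == (self.outstanding, respond(self.outstanding, self.secret))
        self.outstanding = None if ok else self.outstanding  # consume on success
        return ok

def send(proxy, server, creds):
    """One round trip: returns (status, challenges carried in the response)."""
    if not proxy.check(creds.get("proxy")):
        return 407, {"proxy": proxy.challenge()}
    nxt = {"proxy": proxy.challenge()} if proxy.piggyback else {}
    if not server.check(creds.get("server")):
        return 401, {**nxt, "server": server.challenge()}
    if server.piggyback:
        nxt["server"] = server.challenge()
    return 200, nxt

def fetch(proxy, server, secrets, nonces):
    """Retry until 200; returns the status codes seen, one per round trip."""
    trace = []
    while True:
        creds = {k: (n, respond(n, secrets[k])) for k, n in nonces.items()}
        status, new = send(proxy, server, creds)
        if status == 407:
            nonces.pop("proxy", None)  # server challenge not yet presented: keep it
        else:
            nonces.clear()  # request passed the proxy: credentials sent are spent
        nonces.update(new)
        trace.append(status)
        if status == 200:
            return trace

def run(piggyback):
    secrets = {"proxy": "constructed-secret-p", "server": "constructed-secret-s"}
    proxy, server = (AuthPoint(k, secrets[k], piggyback) for k in secrets)
    nonces = {}  # the client's unused challenges, kept across requests
    return [fetch(proxy, server, secrets, nonces) for _ in range(2)]
```

`run(False)` reproduces the four-step sequence from the message for each of two consecutive requests; `run(True)` shows the first request dropping to three round trips and the second completing in one.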