- From: Roy T. Fielding <fielding@avron.ICS.UCI.EDU>
- Date: Tue, 20 Feb 1996 06:41:21 -0800
- To: Peter J Churchyard <pjc@trusted.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
> Here I present a different mechanism for providing authentication point
> information. This allows WWW-Authenticate to be used by Proxies and
> Gateways to do authentication. I believe this would remove the need for
> proxy-authenticate which can then be treated as a special case of WWW-Auth.
> It is compatible with current 1.0 practices.

Three observations:

1) Your proposal is not compatible with current 1.0 practices. It would
   in fact break all current practice, since it changes the syntax of a
   challenge in an incompatible fashion.

2) Proxy-Authenticate and Proxy-Authorization are already implemented in
   current practice (see Netscape's proxy).

3) There is no reason whatsoever for a proxy to authenticate more than
   the immediate connection, and so authentication points are not useful.

Imagine the following transaction

   UA -------> X --------> Y --------> Z --------> OS

where X, Y, and Z are proxies. The following is therefore true:

a) UA is responsible for initiating the request on OS and the connection
   to X. Therefore, it is reasonable for X to demand authentication for
   the connection and for OS to demand authentication for servicing the
   request.

b) X is responsible for directing the request via a connection to Y.
   It is therefore reasonable for Y to authenticate X. UA is not even
   remotely responsible for the connection from X to Y, has no control
   over that connection, and may not even be aware that the connection
   exists; it is therefore impossible for Y to demand authentication of
   UA. What is possible is that X may handle the demand for credentials
   by relaying a corresponding authentication request to UA, which could
   then send the credentials to X, which in turn would send them to Y.
   However, it is more likely that X would know what the appropriate
   credentials are for accessing Y on behalf of X, since that would be a
   normal relationship in a system of hierarchical proxies.

c) Y is responsible for directing the request via a connection to Z.
   It is therefore reasonable for Z to authenticate Y. Neither UA nor X
   is responsible for that connection, and therefore cannot be
   authenticated by Z. As with (b), an authentication of Y may be
   achieved via relay if that is how Y needs to get its credentials.

Authentication in HTTP allows the server to ask "Who is responsible for
sending this request?" For a proxy, the only entity capable of answering
that question is the one that directed the request to that proxy. For an
origin server, the only entity capable of answering that question is the
user that initiated the request.

...Roy T. Fielding    Department of Information & Computer Science
(fielding@ics.uci.edu)  University of California, Irvine, CA 92717-3425
                        fax:+1(714)824-4056
                        http://www.ics.uci.edu/~fielding/
Received on Tuesday, 20 February 1996 06:45:50 UTC
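The hop-by-hop behaviour Roy argues for can be seen in a small simulation of the UA -> X -> Y -> Z -> OS chain. This is an added example, not code from the thread, from Netscape's proxy, or from any HTTP implementation the message mentions. It assumes Basic credentials, the 407 (Proxy-Authenticate) and 401 (WWW-Authenticate) challenge codes, a proxy that consumes Proxy-Authorization and substitutes its own credential for the next hop (the "X knows the appropriate credentials for Y" case), and a proxy that passes an upstream 407 back down unchanged; the names, realms, passwords and topology are constructed for the illustration.

```python
"""
Hop-by-hop proxy authentication in a chain UA -> X -> Y -> Z -> OS.

Each proxy authenticates only the peer that sent it the request
(Proxy-Authenticate / Proxy-Authorization, consumed at that hop), while
the origin authenticates the user who initiated the request
(WWW-Authenticate / Authorization, carried end to end).
Added example; topology and credentials are constructed, not from the thread.
"""
import base64


def basic(user: str, password: str) -> str:
    """Basic credential string (assumption: Basic is sufficient to show the flow)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class Origin:
    """Origin server OS: asks 'who initiated this request?' via WWW-Authenticate."""

    def __init__(self, users: dict):
        self.users = users  # {credential: user name}, constructed sample data

    def handle(self, req: dict, log: list) -> dict:
        cred = req.get("Authorization")
        log.append(("OS", f"Authorization={cred!r}"))
        if cred not in self.users:
            return {"status": 401, "WWW-Authenticate": 'Basic realm="OS"'}
        return {"status": 200, "body": "hello " + self.users[cred]}


class Proxy:
    """Proxy that authenticates its immediate downstream peer and nothing else."""

    def __init__(self, name, accepted, upstream, upstream_cred=None):
        self.name = name
        self.accepted = accepted            # credentials honoured from the downstream peer
        self.upstream = upstream            # next hop: another Proxy or the Origin
        self.upstream_cred = upstream_cred  # this proxy's own credential for the next hop

    def handle(self, req: dict, log: list) -> dict:
        cred = req.get("Proxy-Authorization")
        log.append((self.name, f"Proxy-Authorization={cred!r}"))
        if cred not in self.accepted:
            # Challenge the peer that connected to us; nobody further down can answer it.
            return {"status": 407, "Proxy-Authenticate": f'Basic realm="{self.name}"'}
        # Proxy-Authorization is hop-by-hop: consumed here, never forwarded.
        fwd = {k: v for k, v in req.items() if k != "Proxy-Authorization"}
        if self.upstream_cred is not None:
            fwd["Proxy-Authorization"] = self.upstream_cred  # X's own creds for Y, etc.
        # Authorization (end-to-end) and everything else pass through untouched,
        # and so does whatever the upstream answers, including its own 407.
        return self.upstream.handle(fwd, log)


def build_chain(x_to_y: str = basic("x", "xy-pass")) -> Proxy:
    """Constructed topology with a per-hop credential; returns the first hop X."""
    origin = Origin({basic("alice", "secret"): "alice"})
    z = Proxy("Z", accepted={basic("y", "yz-pass")}, upstream=origin)
    y = Proxy("Y", accepted={basic("x", "xy-pass")}, upstream=z,
              upstream_cred=basic("y", "yz-pass"))
    x = Proxy("X", accepted={basic("ua", "ua-pass")}, upstream=y,
              upstream_cred=x_to_y)
    return x


def fetch(first_hop: Proxy, proxy_cred=None, origin_cred=None, log=None) -> dict:
    """User agent: one request carrying whatever credentials it currently holds."""
    log = [] if log is None else log
    req = {"method": "GET", "target": "http://example.test/"}  # constructed target
    if proxy_cred:
        req["Proxy-Authorization"] = proxy_cred   # answers X's challenge only
    if origin_cred:
        req["Authorization"] = origin_cred        # answers OS's challenge, relayed untouched
    return first_hop.handle(req, log)


def walk_through() -> list:
    """Status of each successive UA attempt: 407 from X, 401 from OS, then 200."""
    x = build_chain()
    statuses = [fetch(x)["status"]]
    statuses.append(fetch(x, proxy_cred=basic("ua", "ua-pass"))["status"])
    statuses.append(fetch(x, proxy_cred=basic("ua", "ua-pass"),
                          origin_cred=basic("alice", "secret"))["status"])
    return statuses


def y_challenges_x_not_ua() -> tuple:
    """X holds a wrong credential for Y: Y's 407 reaches the UA, but the UA cannot
    satisfy it, because X consumes any Proxy-Authorization the UA sends."""
    x = build_chain(x_to_y=basic("x", "wrong"))
    ua_ok = basic("ua", "ua-pass")
    first = fetch(x, proxy_cred=ua_ok, origin_cred=basic("alice", "secret"))
    # UA tries Y's real credential itself: X rejects it, since X authenticates the UA.
    retry = fetch(x, proxy_cred=basic("x", "xy-pass"), origin_cred=basic("alice", "secret"))
    return first["status"], first["Proxy-Authenticate"], retry["status"], retry["Proxy-Authenticate"]


if __name__ == "__main__":
    print("UA attempts:", walk_through())
    print("misconfigured X:", y_challenges_x_not_ua())
```

The second function is the point of observation (b): when Y rejects X, the challenge the UA ends up seeing names Y's realm, yet the only credential the UA can present is consumed by X, so the 407 is X's to fix (either with the right credential for Y or by relaying Y's challenge, as the message allows), never the UA's.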