- From: Peter J Churchyard <pjc@trusted.com>
- Date: Tue, 20 Feb 1996 12:23:26 -0500 (EST)
- To: "Roy T. Fielding" <fielding@avron.ICS.UCI.EDU>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Hi Roy, having a bad day?

There are many reasons why your comments on authentication points, transfer codings etc are wrong..

Authentication is used to bind a request to a user. This binding has many uses. In a chain of proxies/gateways, you cannot have a proxy take responsibility for a user.. The binding has to be back to the user directly.

One of the goals is to NOT continually invent similar but incompatible protocols. The dot stuffing mechanism is well understood, simple to implement and has stood the test of time.. The lack of canonical EOL's in http's pseudo MIME text types makes it a bit more ugly than needed.

The chunking proposal states how the path is 8bit then goes on to use text numbers to represent length... well that is endian independent. A two or three byte header isn't as much an overhead.

Ok don't believe Netscape's documentation about being a draft standard..

>
> > This document describes a simple authentication scheme for http that uses
> > the APOP mechanism as defined in RFC1725 Post Office Protocol - Version 3.
>
> It appears to be a weak subset of the Digest authentication mechanism
> already proposed and implemented on many HTTP systems. I don't see
> any reason why APOP can't be mapped into Digest and thus save the client
> from having to know more AA schemes than are necessary.

Various digest proposals have been proposed as weak subsets of SHTTP.. APOP is an existing standard. APOP provides a strong binding as any of a request and a user. Ideal for auditing which is one of the biggest demands we see of the use of a proxy.

The protocol needs to be simple and fast since every request is going to require processing. Once the connection maintain stuff is widely implemented the initial client to first proxy hop can in most cases be done with a single handshake that doesn't even need to be any of the existing mechanisms since it can be done through a FORM etc...

Just because things work, doesn't mean that they shouldn't be used.

Pete.

>
>
> ...Roy T. Fielding
> Department of Information & Computer Science (fielding@ics.uci.edu)
> University of California, Irvine, CA 92717-3425 fax:+1(714)824-4056
> http://www.ics.uci.edu/~fielding/
>

--
The TIS Network Security Products Group has moved!
voice: 301-527-9500 x123 fax: 301-527-0482
2277 Research Boulevard, 5th Floor, Rockville, MD 20850
Received on Tuesday, 20 February 1996 09:31:21 UTC
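
The APOP exchange the message refers to, as an added example that is not part of the original post or of any proposal discussed in it: the server issues a unique challenge, the client answers with MD5(challenge + shared secret), and the server checks the answer once. The `ApopVerifier` class, the host name and the random challenge format are assumptions made for illustration; the sample user, secret and digest in `demo()` are the ones printed in the POP3 specification's APOP example (RFC 1939, which superseded RFC 1725).

```python
import hashlib
import hmac
import os


def apop_digest(challenge: str, secret: str) -> str:
    """MD5 over the server challenge immediately followed by the shared secret, lowercase hex."""
    return hashlib.md5((challenge + secret).encode("utf-8")).hexdigest()


class ApopVerifier:
    """Hypothetical server side: issues one-time challenges and checks responses."""

    def __init__(self, user_secrets, host="proxy.example"):
        self.user_secrets = user_secrets   # user -> shared secret (constructed data)
        self.host = host                   # assumed host name
        self.outstanding = set()           # challenges issued and not yet answered

    def new_challenge(self) -> str:
        # POP3 uses "<process-id.clock@hostname>"; a random value is used here
        # (assumption) so that every challenge is unique.
        challenge = f"<{os.getpid()}.{os.urandom(8).hex()}@{self.host}>"
        self.outstanding.add(challenge)
        return challenge

    def verify(self, challenge: str, user: str, digest: str) -> bool:
        if challenge not in self.outstanding:
            return False                     # unknown or already-used challenge
        self.outstanding.discard(challenge)  # single use: a replayed answer fails
        secret = self.user_secrets.get(user)
        # Compute a digest even for unknown users so both paths do the same work.
        expected = apop_digest(challenge, secret if secret is not None else "")
        same = hmac.compare_digest(expected.encode(), digest.lower().encode("utf-8"))
        return same and secret is not None


def demo() -> str:
    # Sample values from the specification's example greeting and APOP command.
    return apop_digest("<1896.697170952@dbc.mtview.ca.us>", "tanstaaf")


if __name__ == "__main__":
    print("APOP mrose", demo())
    server = ApopVerifier({"mrose": "tanstaaf"})
    ch = server.new_challenge()
    answer = apop_digest(ch, "tanstaaf")
    print("first use :", server.verify(ch, "mrose", answer))
    print("replay    :", server.verify(ch, "mrose", answer))
```

Because the digest covers a challenge that is accepted only once, a captured answer cannot be reused against a later challenge, and a successful check ties that one exchange to the holder of the shared secret.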