- From: John Franks <john@math.nwu.edu>
- Date: Wed, 28 Aug 1996 17:05:20 -0500 (CDT)
- To: Peter J Churchyard <pjc@trusted.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Wed, 28 Aug 1996, Peter J Churchyard wrote:
> As larry has pointed out, basic for client / server non persistant requests
> is a poor choice.
>
> client - proxy with persistant connection between client and proxy
> when used with one time password systems ( as we do in our product) allows
> sites to authenticate strongly which of their users can do WEB stuff.
>
This sounds interesting. But I am not sure whether you
(1) Authenticate a client only once for a persistent connection,
or
(2) Authenticate each transaction (reusing the password), but use
a new password anytime there is a new connection.
Either would seem possible.
If it is (1) then strictly speaking you are probably not HTTP
compliant since you are essentially making the Proxy-Authorization
header "sticky". But I see no reason that your proxy shouldn't
interoperate with HTTP clients.
If it is (2) then you aren't strictly using one-time passwords, as the
same password is re-used for each transaction, but you should have
essentially all the benefits of one-time passwords.
John Franks Dept of Math. Northwestern University
john@math.nwu.edu
Received on Wednesday, 28 August 1996 15:07:21 UTC