- From: John Franks <john@math.nwu.edu>
- Date: Sun, 7 Dec 1997 07:43:59 -0600 (CST)
- To: Scott Lawrence <lawrence@agranat.com>
- Cc: Eric_Houston/CAM/Lotus@lotus.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Fri, 5 Dec 1997, Scott Lawrence wrote:

> Digest authentication already includes a mechanism (the 'domain'
> attribute; see section 3.2.1 of draft-ietf-http-authentication-00) to
> specify that credentials may be used on multiple servers, and through the
> 'digest' attribute allows for mutual authentication.
>
> There is also the model of Kerberos to consider - developing a
> ticket-based authentication scheme (with the advantages and problems of
> any third-party mechanism) would be another area to explore.

I believe that the original intent of the "opaque" field in the digest authentication header may have been precisely for such a ticket. A request could be referred to an "authentication server" which would redirect to a server that could check the ticket in the opaque field and satisfy the request. In this way only the authentication server would need to know all user passwords. The document servers would only need to know a single secret shared with the authentication server.

John Franks
john@math.nwu.edu
Received on Sunday, 7 December 1997 05:31:57 UTC
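The ticket model sketched in the message above, as an added illustration that is not part of the original post, the HTTP working group draft, or any implementation discussed on this list. It assumes an authentication server that has already verified the user's password (not shown) and mints a ticket for the Digest `opaque` parameter, which the client returns unchanged; a document server then checks that ticket with only the secret it shares with the authentication server. The ticket format (JSON claims plus an HMAC-SHA256 tag, base64url-encoded), the shared secret, the 300-second lifetime, and the helper names are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed demo secret: known to the authentication server and the
# document servers only; user passwords never leave the authentication server.
SHARED_SECRET = b"constructed-shared-secret-for-demo-only"
TAG_LEN = hashlib.sha256().digest_size


def mint_ticket(user, realm, now, ttl=300, secret=SHARED_SECRET):
    """Authentication server side (hypothetical helper).

    Called after the user's password has been checked. Binds the ticket to a
    user and a realm and gives it a short lifetime so a captured opaque value
    cannot be replayed indefinitely.
    """
    claims = {"u": user, "r": realm, "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_ticket(ticket, realm, now, secret=SHARED_SECRET):
    """Document server side (hypothetical helper).

    Returns the user name the ticket vouches for, or None when the ticket is
    malformed, forged, issued for another realm, or expired. Needs only the
    shared secret, never the user's password.
    """
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
    except Exception:
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison so tag checking does not leak timing information.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if claims.get("r") != realm or claims.get("exp", 0) <= now:
        return None
    return claims.get("u")


def parse_auth_params(header):
    """Split an Authorization header into its scheme and key=value parameters.

    Handles both quoted ("...") and unquoted token values.
    """
    scheme, _, rest = header.partition(" ")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme, params


def document_server_authorize(authorization_header, realm, now):
    """Document server: accept the request only if the echoed opaque ticket is
    valid and names the same user the client claims in `username`."""
    scheme, params = parse_auth_params(authorization_header)
    if scheme != "Digest":
        return None
    user = verify_ticket(params.get("opaque", ""), realm, now)
    if user is None or params.get("username") != user:
        return None
    return user


if __name__ == "__main__":
    # Constructed walk-through: the authentication server issues a ticket,
    # the client echoes it in opaque=, the document server checks it.
    now = 1_000_000
    ticket = mint_ticket("alice", "docs", now)
    header = 'Digest username="alice", realm="docs", opaque="%s"' % ticket
    print(document_server_authorize(header, "docs", now + 10))
```

The example checks only the ticket binding; verifying the Digest `response` value itself, and how the document server obtains what it needs for that, is outside the sketch in the message. The realm and expiry checks are the part worth keeping in any real design: a ticket that is valid everywhere and forever turns the shared secret into a single point of failure for every document server.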