- From: <Eric_Houston/CAM/Lotus@lotus.com>
- Date: Tue, 9 Dec 1997 18:13:35 -0500
- To: John Franks <john@math.nwu.edu>, Scott Lawrence <lawrence@agranat.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
I don't quite get it... But it sounds like digest authentication does some neat stuff. So is this in common usage? Do existing servers and browsers implement this fully? -e John Franks <john@math.nwu.edu> on 12/07/97 08:43:59 AM To: Scott Lawrence <lawrence@agranat.com> cc: Eric Houston/CAM/Lotus, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com Subject: Re: Proposal for new HTTP 1.1 authentication scheme On Fri, 5 Dec 1997, Scott Lawrence wrote: > > Digest authentication already includes a mechanism (the 'domain' > attribute; see section 3.2.1 of draft-ietf-http-authentication-00) to > specify that credentials may be used on multiple servers, and through the > 'digest' attribute allows for mutual authentication. > > There is also the model of Kerberos to consider - developing a > ticket-based authentication scheme (with the advantages and problems of > any third-party mechanism) would be another area to explore. > I believe that the original intent of the "opaque" field in the digest authentication header may have been precisely for such a ticket. A request could be referred to an "authentication server" which would redirect to a server that could check the ticket in the opaque field and satisfy the request. In this way only the authentication server would need to know all user passwords. The document servers would only need to know a single secret shared with the authentication server. John Franks john@math.nwu.edu
Received on Wednesday, 10 December 1997 01:42:06 UTC