- From: John Panzer <jpanzer@acm.org>
- Date: Wed, 13 Feb 2008 14:05:00 -0800
- To: Ian Hickson <ian@hixie.ch>
- CC: "WAF WG (public)" <public-appformats@w3.org>
- Message-ID: <47B3698C.2010500@acm.org>
Ian Hickson wrote:
> We need a terminology section that defines these terms so we can use them
> in these conversations.
>
> party A: original server
> party B: third-party server, service provider
> party U: user, client, user agent, browser
>
> U visits A, which returns a page that then attempts to communicate with B.
>
>
> On Wed, 13 Feb 2008, John Panzer wrote:
>
>> What mechanism do you propose clients and servers implement use to
>> authenticate users for CSR requests?
>>
>
> HTTP Authentication and/or cookies, like they do now. If the user isn't
> logged in, the third-party server would return an error to the client, and
> the page from the original server would then redirect the user to the
> third-party server (the service provider) to get them to log in.
>
>
>
>> Because servers have to implement _something_. Realistic mechanisms
>> have to be resistant to distributed brute force attacks even without
>> AC4CSR (thank you, Storm Worm). On a side note, I hope that servers
>> opting in to CSR would never consider using username/password auth on
>> each request. Since it is possible to implement username/password auth
>> in ways opaque to browsers ("&u=foo&pass=bar"), perhaps this is worth a
>> note in the security section.
>>
>
> The original server shouldn't ever have access to the _user's_
> credentials, certainly.
>
To try to be more concise:
Cookies can (somewhat) prove "I am user X".
They can't prove "I authorized this request."
I'm concerned about the latter.
Don't know if that helps... :)
Received on Wednesday, 13 February 2008 22:05:11 UTC