Re: Authorization vs. Authentication (was Re: Accountability in AC4CSR)

Ian Hickson wrote:
> On Thu, 14 Feb 2008, John Panzer wrote:
>   
>> I'm sorry, I wasn't clear.  By 'delegated server' I meant that there's 
>> no CSR involved at all in this case, but I'm delegating some of the 
>> access rights that I (the user) have to C (in this case, a server).
>>
>> Example:
>> A: Robert Scoble
>> B: Facebook
>> C: Plaxo
>>
>> Scoble (A) tells Facebook (B) it's okay for Plaxo (C) to pull contact 
>> list data.  He then goes to sleep and shuts down his computer.  Plaxo 
>> (C) then contacts Facebook (B) and retrieves the data, acting on behalf 
>> of Scoble (A) but not impersonating him.
>>     
>
> In that scenario, you can use whatever headers you like. Access-Control 
> and XMLHttpRequest have absolutely nothing to do with this.
>   
Right, I said that below.  It's relevant however to the general 
discussion of what header(s) to use for auth[nz]. 
>
>   
>> In these cases, Authorization is authenticating the server (Plaxo) _and_ 
>> authorizing its request based on prior input from the user.  When you 
>> say there's no user/client involved I get confused -- the 'original 
>> server' and 'client' are the same thing in this transaction (Plaxo to 
>> Facebook), unless you're saying that a server can never be an HTTP 
>> client, which confuses me even more.  The user is involved but not in 
>> real time -- indeed, it's key that they be involved since they're the 
>> ones authorizing the transaction.
>>     
>
> The Access-Control spec only applies when there's a Web browser allowing a 
> Web page from one domain to make connections to a Web server from another 
> domain. When there's no Web browser driving the HTTP, there's no need for 
> Access-Control.
>
>   

Right, I'm not talking about Access-Control, I'm talking about general 
HTTP auth[nz].  I don't understand the rationale for AC4CSR's policies 
with regard to the Authorization: header, and the source of my confusion 
seems to be rooted in a difference between my mental model and yours 
that's not specific to CSR.  That's why I'm going down this digressive 
path, because otherwise I think we're just talking past each other.

Received on Thursday, 14 February 2008 23:11:44 UTC
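A small model of the delegation John Panzer describes above (A grants C rights at B; C later acts on A's behalf without impersonating A, and B both authenticates C's request from the Authorization header and authorizes it against A's earlier grant). This is an added example, not code from the thread or from any of the parties named in it; the bearer-token scheme, the `ResourceServer` class, its method names, the scope strings and the contact data are all constructed for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    """What A told B: client C may exercise these scopes on A's data until expiry."""
    user: str
    client_id: str
    scopes: frozenset
    expires_at: float


class ResourceServer:
    """B in the thread (Facebook). Records A's delegation to C, then later
    authenticates C's request from the Authorization header and authorizes
    it against that record. Nothing here ever sees A's own credentials."""

    def __init__(self):
        self.contacts = {}    # user -> contact list (constructed sample data)
        self.grants = {}      # delegated token -> Grant
        self.clients = set()  # registered client ids (hypothetical registry)

    def register_client(self, client_id):
        self.clients.add(client_id)

    def user_authorizes(self, user, client_id, scopes, ttl=3600):
        """A tells B it's okay for C to pull data. Returns the delegated token
        that C will present later; it is bound to (user, client, scopes)."""
        if client_id not in self.clients:
            raise KeyError(f"unknown client {client_id}")
        token = secrets.token_urlsafe(32)
        self.grants[token] = Grant(user, client_id, frozenset(scopes), time.time() + ttl)
        return token

    def revoke(self, token):
        """A (or B) withdraws the delegation; C's later requests must fail."""
        self.grants.pop(token, None)

    def handle(self, headers, required_scope):
        """Request handler for a contact-list fetch. `headers` is the dict of
        HTTP headers C sent. Returns (status, body)."""
        scheme, _, credential = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not credential:
            return 401, {"error": "missing or malformed Authorization header"}
        # Authentication: the credential identifies a live delegation (and so C).
        # Constant-time comparison so the lookup does not leak token bytes.
        grant = None
        for token, g in self.grants.items():
            if hmac.compare_digest(token, credential):
                grant = g
        if grant is None:
            return 401, {"error": "unknown or revoked token"}
        if time.time() > grant.expires_at:
            return 401, {"error": "token expired"}
        # Authorization: is the requested action within what A allowed?
        if required_scope not in grant.scopes:
            return 403, {"error": "insufficient scope", "needed": required_scope}
        return 200, {
            "actor": grant.client_id,     # who made the request (C)
            "on_behalf_of": grant.user,   # whose rights are being exercised (A)
            "contacts": self.contacts.get(grant.user, []),
        }


def run_scenario():
    """Plays out the thread's example and returns the outcome of each step."""
    facebook = ResourceServer()
    facebook.contacts["scoble"] = ["alice@example.org", "bob@example.org"]
    facebook.register_client("plaxo")

    # Step 1: A, online, delegates read access to C.
    token = facebook.user_authorizes("scoble", "plaxo", ["contacts:read"])

    # Step 2: A has gone to sleep. C presents the delegated token, not A's password.
    plaxo_headers = {"Authorization": f"Bearer {token}"}
    ok = facebook.handle(plaxo_headers, "contacts:read")

    # C asks for something A never allowed: authenticated, but not authorized.
    too_much = facebook.handle(plaxo_headers, "contacts:write")

    # A made-up credential: not even authenticated.
    forged = facebook.handle({"Authorization": "Bearer not-a-real-token"}, "contacts:read")

    # A revokes the grant; the very same header now fails authentication.
    facebook.revoke(token)
    after_revoke = facebook.handle(plaxo_headers, "contacts:read")

    return {"ok": ok, "too_much": too_much, "forged": forged, "after_revoke": after_revoke}


if __name__ == "__main__":
    for step, (status, body) in run_scenario().items():
        print(f"{step:13} -> {status} {body}")
```

The point the model makes concrete is the one the thread circles around: the Authorization header does two jobs in one request. Looking up the bearer credential is authentication (it tells B that the caller is Plaxo holding a grant from Scoble); checking the scope against that grant is authorization (it tells B whether this particular request is within what Scoble allowed). Neither step needs the user online, and the response records both the actor and the user on whose behalf it acted, which is what distinguishes delegation from impersonation.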