- From: Dan Connolly <connolly@w3.org>
- Date: Mon, 22 Jan 2007 08:30:56 -0600
- To: olivier Thereaux <ot@w3.org>
- Cc: QA Dev <public-qa-dev@w3.org>, w3t-sys Team <w3t-sys@w3.org>
On Mon, 2007-01-22 at 13:20 +0900, olivier Thereaux wrote: [...] > Conclusion: bad news, everyone, I think we can't "proxy" digest auth > - unless I'm mistaken, and trust me, I'd love to be wrong here. I concur with the diagnosis; I think you're not wrong. Lots of security mechanisms don't support delegation. (that's why we're doing policy-aware web research. http://www.policyawareweb.org/ ). > I > can't recall who made the first implementation of the auth proxying > for the validator. Gerald? Terje? Would you concur? > > > We then have the choice betweem > > 1) CLIENT <- basic auth -> VALIDATOR <- digest auth -> SERVER > (which, arguably, is wrong wrong wrong yeah. > - we'd be putting the SERVER > at risk without their consent. Plus, I'm not even sure it's entirely > feasible.) > or > 2) "sorry, we can not validator resources protected by digest > authentication. Use the upload feature of the validator, or install a > local instance of the validator in your network, and give access to > your resources to that server". I think I could live with that, but I'm not sure... > Thoughts? Different diagnosis? Is this a showstopper for switching > w3.org servers to digest auth, seeing as it's not only going to break > validation, but all sorts of services too (xslt, etc.)? I wonder if I rely on any of those... perhaps the poor-man's issue tracker... and annospam. -- Dan Connolly, W3C http://www.w3.org/People/Connolly/ gpg D3C2 887B 0F92 6005 C541 0875 0F91 96DE 6E52 C29E office: tel:+1-617-395-0241 mobile: tel:+1-816-616-6576 mobile: mailto:connolly+pager@w3.org
Received on Monday, 22 January 2007 14:31:34 UTC