- From: Fisher Mark <FisherM@exch1.indy.tce.com>
- Date: Wed, 28 May 1997 15:39:17 -0500
- To: "'w3c-dist-auth'" <w3c-dist-auth@w3.org>
The big question to me in WebDAV access control is, "What should go over the wire?". I see 3 things that go from the client to server: 1) An HTTP method; 2) Credentials identifying the client; and 3) One (or more) URIs identifying the resource. The server then responds with a status code, along with a Reason-Phrase. Now, credentials can be several things. The simplest non-null case is a single ID. If you are in a relatively high-trust situation (like inside a company Intranet), merely tracking the author by ID may be sufficient. Or, for somewhat greater security, a one-time ID (like a SecurID without the PIN), may be adequate in some cases. UserID/passwords are quite commonly used in multiuser OSes, while X509 certificates and signed PGP messages both have their advocates. What goes over the wire from the client to server, however, are HTTP-method + credentials + URI(s). Since WebDAV is an extension for HTTP, any credential-sending mechanism (authentication method) considered by this group should be via HTTP. This is not to preclude other authentication methods (CORBA, Kerberos, etc.) being used, it is just to say that non-HTTP methods are likely out of this group's scope. This is also not to say that adding authentication mechanisms to HTTP should not be considered, as work done on additional authentication mechanisms would benefit Web users as a whole. To make a long story short (too late! :( ), what WebDAV access control needs to be concerned with are the HTTP authentication methods to support, the HTTP methods needed for WebDAV, and the HTTP status responses. Although there will be clients and servers that use DCE, NTLM/CIFS, etc. for access control, since they are not using HTTP, IMHO we should not be spending our time on this mailing list considering these options. ========================================================== Mark Leighton Fisher Thomson Consumer Electronics fisherm@indy.tce.com Indianapolis, IN "ViaCrypt? Vhy not!"
Received on Wednesday, 28 May 1997 16:41:10 UTC