Re: Recognizing a WebDAV enabled client

We'll be talking about HTTP Authentication issues a lot at the IETF  
meetings next week in Montreal.  Mark Nottingham has scheduled a  
Wednesday Bar BoF on HTTP changes including authentication, and  
there's the "Web Authentication Enhancements" BoF on Friday which has  
combined the topics of cross-site authentication and anti-phishing  
measures.

Other authentication problems people have brought up include Digest's  
issues with offline dictionary attacks, and poor i18n support in  
Basic and Digest.

The idea of clients suggesting what authentication they'd like to use  
doesn't come up often.  Typically servers have security policies  
determined by the level of sensitivity of their content/usage, and  
dictate what authentication and encryption the client needs to use.   
That's why we're increasingly seeing requirements that clients MUST  
support TLS, Digest and Basic -- so that servers have a chance of  
interoperability while also setting minimum security policies.

Lisa


On Jul 3, 2006, at 6:51 AM, Michael Wechner wrote:

>
> Manfred Baedke wrote:
>> Hi Michael,
>>
>>> right, this might make sense for formats. But I would argue with  
>>> another usecase, namely Custom Authentication
>>> instead of HTTP authentication (BASIC or DIGEST).
>>>
>>> Let's assume a resource is protected and a server would like to  
>>> offer custom authentication, e.g. it would send
>>> a HTML to a regular browser and some WebDAV specific XML to a  
>>> WebDAV enabled client, whereas I haven't dug into
>>> WebDAV far enough how something like this could be handled by the  
>>> WebDAV spec.
>> as Julian pointed out, this form of authentication is not covered  
>> by any specification,
>
> I think that's what confused me resp. I wanted to mix stuff which I  
> have to agree doesn't make sense.
>
>> so there is no reliable way for a generic client to handle it anyway
>
> well, if there were a standard then I don't think this should  
> be a problem. My suggestion would be that
> the client sends a WWW-Authenticate header of its supported  
> authentication schemes to the server and
> the server then checks if one of the client's suggested  
> authentication schemes is supported by the server
> and is able to respond appropriately, or respond with an  
> exception in the sense that none of the suggested
> authentication schemes is supported.
>
> It seems to me that "WWW-Authenticate" is similar to "Accept" and  
> that the client should make this suggestion first
> and let the server react to it.
>
> WDYT?
>> (besides the fact that authentication has nothing to do with WebDAV).
>
> agreed.
>
> Thanks for clarifying
>
> Michi
>>
>> Regards,
>> Manfred
>>
>>
>
>
> -- 
> Michael Wechner
> Wyona      -   Open Source Content Management   -    Apache Lenya
> http://www.wyona.com                      http://lenya.apache.org
> michael.wechner@wyona.com                        michi@apache.org
> +41 44 272 91 61
>
>

Received on Thursday, 6 July 2006 00:14:09 UTC
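Two points from the thread, shown in working code as an added example (it is not code from the thread, from the WebDAV working group or from any project mentioned): how the negotiation Lisa describes actually works on the wire in RFC 2617, where the server's 401 carries the challenges it will accept and the client picks the strongest one it implements, and why Digest is exposed to the offline dictionary attack she lists. The sample WWW-Authenticate header, realm, nonce, opaque value, username, password, request URI and wordlist are all constructed for this example; the only real-world values are the RFC 2617 test vector used in the test.

```python
import hashlib
import re

# Constructed 401 challenge header (not from the thread): one header value
# carrying two challenges, so a client that knows both schemes can choose.
# Realm, nonce and opaque are made-up values.
SAMPLE_WWW_AUTHENTICATE = (
    'Digest realm="dav@example.org", qop="auth", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41", algorithm=MD5, '
    'Basic realm="dav@example.org"'
)

_TOKEN = r'[A-Za-z0-9_.-]+'
_PARAM = rf'{_TOKEN}=(?:"[^"]*"|[^,\s]*)'
# A challenge is a scheme name followed by one or more name=value params;
# the next bare token after a comma starts the next challenge.
_CHALLENGE_RE = re.compile(rf'({_TOKEN})\s+((?:{_PARAM}\s*,\s*)*{_PARAM})')
_PARAM_RE = re.compile(rf'({_TOKEN})=(?:"([^"]*)"|([^,\s]*))')


def _params(text):
    out = {}
    for p in _PARAM_RE.finditer(text):
        out[p.group(1).lower()] = p.group(2) if p.group(2) is not None else p.group(3)
    return out


def parse_challenges(header):
    """Split a WWW-Authenticate value into its challenges (server dictates)."""
    return [{"scheme": m.group(1).lower(), "params": _params(m.group(2))}
            for m in _CHALLENGE_RE.finditer(header)]


def choose_challenge(challenges, preference=("digest", "basic")):
    """Client policy: take the strongest offered scheme it implements, else None."""
    for scheme in preference:
        for c in challenges:
            if c["scheme"] == scheme:
                return c
    return None


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response for algorithm=MD5, qop=auth."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(challenge, username, password, method, uri, cnonce, nc="00000001"):
    """Client side: answer a Digest challenge with an Authorization header."""
    p = challenge["params"]
    qop = p.get("qop", "auth")
    resp = digest_response(username, password, p["realm"], method, uri, p["nonce"], nc, cnonce, qop)
    fields = [f'username="{username}"', f'realm="{p["realm"]}"', f'nonce="{p["nonce"]}"',
              f'uri="{uri}"', f'qop={qop}', f'nc={nc}', f'cnonce="{cnonce}"', f'response="{resp}"']
    if "opaque" in p:
        fields.append(f'opaque="{p["opaque"]}"')
    return "Digest " + ", ".join(fields)


def parse_authorization(header):
    """What a passive observer sees: scheme plus every parameter, in the clear."""
    scheme, _, rest = header.partition(" ")
    return scheme.lower(), _params(rest)


def crack_digest(captured, method, wordlist):
    """Offline dictionary attack: only the password is missing from the capture,
    so each guess costs three MD5 calls and needs no further server contact."""
    for guess in wordlist:
        if digest_response(captured["username"], guess, captured["realm"], method,
                           captured["uri"], captured["nonce"], captured["nc"],
                           captured["cnonce"], captured.get("qop", "auth")) == captured["response"]:
            return guess
    return None


def demo(wordlist=("password", "webdav", "opensesame")):
    """Full round trip on the constructed values: negotiate, authenticate, capture, crack."""
    chosen = choose_challenge(parse_challenges(SAMPLE_WWW_AUTHENTICATE))
    # Constructed client credentials and request: alice / opensesame doing a PROPFIND.
    authz = build_authorization(chosen, "alice", "opensesame", "PROPFIND", "/dav/docs/", cnonce="0a4f113b")
    _, captured = parse_authorization(authz)
    return crack_digest(captured, "PROPFIND", wordlist)
```

The client never tells the server which schemes it would like; it only answers one of the challenges the server chose to send, which is the direction Lisa describes. The last function is the reason Digest alone does not set a useful minimum: one captured PROPFIND exchange is enough to test guesses offline, so the "MUST support TLS" part of the requirement is what actually protects a weak password, with Digest over TLS still worth having so the password itself never crosses the wire in Base64 as it does with Basic.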